Bug 1224446

Summary: zypper dup from Leap 15.5 to current Leap 15.6 pulls in openssh-server-config-rootlogin
Product: [openSUSE] openSUSE Distribution Reporter: Dirk Weber <d_werner>
Component: BasesystemAssignee: E-mail List <screening-team-bugs>
Status: VERIFIED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: alarrosa, Andreas.Stieger
Version: Leap 15.6   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dirk Weber 2024-05-17 19:03:51 UTC 
After seeing bug 1224392 I wanted to check if it also happens in Leap 15.6, and it does.

I performed a test upgrade of an up to date openSUSE Leap 15.5 system to the current released openSUSE Leap 15.6 snapshot using zypper dup.

Among
"The following 156 NEW packages are going to be installed:" 
is also:

openssh-server-config-rootlogin

If this can not be fixed before GM users should be warned to lock the package in order to avoid its installation.

zypper lr -u
Repository priorities are without effect. All enabled repositories share the same priority.

# | Alias                        | Name                                                                                        | Enabled | GPG Check | Refresh | URI
--+------------------------------+---------------------------------------------------------------------------------------------+---------+-----------+---------+-------------------------------------------------------------------
1 | openSUSE-Leap-OSS            | openSUSE-Leap-OSS                                                                           | Yes     | (rp) Yes  | No      | https://download.opensuse.org/distribution/leap/15.5/repo/oss/
2 | openSUSE-Leap-non-OSS        | openSUSE-Leap-non-OSS                                                                       | Yes     | (rp) Yes  | No      | https://download.opensuse.org/distribution/leap/15.5/repo/non-oss/
3 | openSUSE_Leap_NonFree_Update | Online updates for openSUSE Leap NonFree (standard)                                         | Yes     | (rp) Yes  | Yes     | https://download.opensuse.org/update/leap/15.5/non-oss/
4 | openSUSE_Leap_Update         | Online updates for openSUSE Leap (standard)                                                 | Yes     | (rp) Yes  | Yes     | https://download.opensuse.org/update/leap/15.5/oss/
5 | repo-backports-debug-update  | Update repository with updates for openSUSE Leap debuginfo packages from openSUSE Backports | No      | ----      | ----    | https://download.opensuse.org/update/leap/15.5/backports_debug/
6 | repo-backports-update        | Update repository of openSUSE Backports                                                     | Yes     | (rp) Yes  | Yes     | https://download.opensuse.org/update/leap/15.5/backports/
7 | repo-sle-debug-update        | Update repository with debuginfo for updates from SUSE Linux Enterprise 15                  | No      | ----      | ----    | https://download.opensuse.org/debug/update/leap/15.5/sle/
8 | repo-sle-update              | Update repository with updates from SUSE Linux Enterprise 15                                | Yes     | (rp) Yes  | Yes     | https://download.opensuse.org/update/leap/15.5/sle/

The repo URLs contain $releasever and I use:

screen sh -c "zypper --releasever=15.6 ref -f && zypper --releasever=15.6 dup; exit"
Comment 1 Andreas Stieger 2024-05-18 01:12:45 UTC 
I think you should engage in the original bug report

*** This bug has been marked as a duplicate of bug 1224392 ***
Comment 2 Antonio Larrosa 2024-05-21 07:17:32 UTC 
I wrote a comment about this in https://bugzilla.opensuse.org/show_bug.cgi?id=1224392#c11 but I'd like to add something more.

When installing Leap 15.5, the openssh package installs a default sshd_config file that already includes `PermitRootLogin yes`.

With the PublicRC packages: (I was doubting if writing this section since it doesn't apply anymore, but I thought I'd write it for the record)

When upgrading to 15.6, if the user didn't modify the sshd_config file, then the sshd_config file is replaced with the new version and the openssh-server-config-rootlogin package is installed which sets `PermitRootLogin yes` in a file in /etc/ssh/sshd_config.d which is loaded from the new sshd_config file. Thus keeping the same value for PermitRootLogin

If the user modified the sshd configuration to set PermitRootLogin to no then after upgrading to 15.6, the sshd_config file is NOT replaced (the new version is saved as sshd_config.rpmnew) and even if openssh-server-config-rootlogin is installed, the files in /etc/ssh/sshd_config.d are not read by the old configuration file, so the package has no effect until the system administrator updates the sshd configuration, so again, we're keeping the same value for PermitRootLogin.

With post-PublicRC packages:

When upgrading to 15.6, if the user didn't modify the sshd_config file, then the sshd_config file is replaced with the new version which just as in 15.5, sets PermitRootLogin to yes. If users want to disable PermitRootLogin they now have the option of changing the sshd_config file as before or they now have a new (recommended) option to install the new openssh-server-config-disallow-rootlogin package which sets `PermitRootLogin prohibit-password` by dropping a file in /etc/ssh/sshd_config.d .

If the user modified the sshd configuration to set PermitRootLogin to no then after upgrading to 15.6, the sshd_config file is NOT replaced (the new version is saved as sshd_config.rpmnew). The openssh-server package will check upon installation if the sshd_config file was updated so it will now display a warning message telling the user that the configuration doesn't load the configuration snippets from /etc/ssh/sshd_config.d and explaining how to fix that. In any case, the 15.5 behaviour is kept also after the upgrade.

Since this is a different issue from boo#1224392, I'll remove the duplicated status and just set it as invalid since installing that file wasn't wrong by itself in the Leap case as it is in the TW case. In any case thanks for caring about Leap enough to run this upgrade test.