Bugzilla – Bug 1224392
zypper dup installs openssh-server-config-rootlogin which allows ssh login with password
Last modified: 2024-07-17 12:41:01 UTC
Today's zypper dup installs the additional package openssh-server-config-rootlogin which allows ssh login with password:

# rpm -ql openssh-server-config-rootlogin
/usr/etc/ssh/sshd_config.d/50-permit-root-login.conf
# cat /usr/etc/ssh/sshd_config.d/50-permit-root-login.conf
PermitRootLogin yes

Installation of this package is probably triggered by a Recommends:

# rpm -q --recommends openssh-server
audit
openssh-server-config-rootlogin
# rpm -q --changelog openssh-server
* Mo Mai 13 2024 Antonio Larrosa <alarrosa@suse.com>
- Only for SLE15, restore the patch file removed in Thu Feb 18 13:54:44 UTC 2021
  to restore the previous behaviour from SP5 of having root password login
  allowed by default (fixes bsc#1223486, related to bsc#1173067):
  * openssh-7.7p1-allow_root_password_login.patch
- Since the default value for this config option is now set to permit root to
  use password logins in SLE15, the openssh-server-config-rootlogin subpackage
  isn't useful there so we now create an openssh-server-config-disallow-rootlogin
  subpackage that sets the configuration the other way around than
  openssh-server-config-rootlogin.

The changelog and both mentioned bug reports say that this change should be only applied to SLES/Leap 15.x - but nevertheless, it also was applied on Tumbleweed (which should prefer more secure defaults over historical settings). Please make sure that Tumbleweed restricts ssh root logins - either completely forbid them by default, or at least restrict them to key-only.
Indeed. Today I was extremely startled to see openssh-server-config-rootlogin being recommended by openssh-server. Upon investigation I discovered this patch: https://build.opensuse.org/request/show/1173885 This seems like a mistake. I don't think anybody would want password root logins enabled by default. In the meantime, I've now done `zypper add-lock openssh-server-config-rootlogin` to prevent this package from ever being installed.
I am on Tumbleweed, by the way.
*** Bug 1224397 has been marked as a duplicate of this bug. ***
https://build.opensuse.org/package/rdiff/openSUSE:Factory/openssh?linkrev=base&rev=176 I have reverted openssh in openSUSE:Factory and released that reverted version into the :Update channel. People that skipped the dup for a day are safe - the others will need to clean this up unfortunately (we can't just remove the package, as some users might have it pre-installed intentionally before already)
I'm sorry, this was my fault when replacing (wrongly) the condition for recommending the package, which I should have removed instead. Dominique already reverted the openssh change in TW so the openssh-server-config-rootlogin is not recommended anymore. I also submitted a fix now in https://build.opensuse.org/request/show/1174781 and it seems it will be included in the next TW release, which should happen today.
*** Bug 1224446 has been marked as a duplicate of this bug. ***
A user noted (Bug 1224446) that this also affects openSUSE Leap 15.6 RCs and requested an equivalent change for SUSE:SLE-15-SP6:GA/openssh
(In reply to Andreas Stieger from comment #7)
> A user noted (Bug 1224446) that this also affects openSUSE Leap 15.6 RCs and
> requested for an equivalent change SUSE:SLE-15-SP6:GA/openssh

If for some reason it is really desired to PermitRootLogin yes for SLES/Leap 15.x I think there should be a big obvious announcement or warning in the release notes with the hint to lock the package on systems where this is not wanted prior to the upgrade. I already added locking the package to my pre-upgrade checklist.
(In reply to Dirk Weber from comment #8)
> (In reply to Andreas Stieger from comment #7)
> I already added locking the package to my pre-upgrade checklist.

Probably locking the package is not a sufficient approach. Creating something like an /etc/ssh/sshd_config.d/00_localsettings.conf containing

PermitRootLogin no

and other settings which should not be overwritten by distribution defaults might be better.
(In reply to Dirk Weber from comment #9)
> (In reply to Dirk Weber from comment #8)
> > (In reply to Andreas Stieger from comment #7)
> Creating something like an
> /etc/ssh/sshd_config.d/00_localsettings.conf
> containing
> PermitRootLogin no

I did another upgrade test of Leap 15.5 -> Leap 15.6 RC. This time the 15.5 system prior to the upgrade had a modified /etc/ssh/sshd_config file, containing

PermitRootLogin no

This file is preserved during rpm installation and the new config is created as sshd_config.rpmnew. As the preserved sshd_config does not

Include /etc/ssh/sshd_config.d/*.conf

/etc/ssh/sshd_config.d/50-permit-root-login.conf is harmless, and when doing the post-upgrade cleanup of rpmnew files these configurations can be handled properly by moving the previous local modifications to an /etc/ssh/sshd_config.d/*.conf file, and there is no security problem created by the upgrade.

I still see a possible problem: the new /etc/ssh/sshd_config[.rpmnew] file contains the paragraph:

# To modify the system-wide sshd configuration, create a "*.conf" file under
# "/etc/ssh/sshd_config.d/" which will be automatically included below.
# Don't edit this configuration file itself if possible to avoid update
# problems.
Include /etc/ssh/sshd_config.d/*.conf

This does not mention that these *.conf files are read in alphabetic order and that the first appearance of a setting will be used. If a user creates a /etc/ssh/sshd_config.d/local.conf containing

PermitRootLogin no

then the file /etc/ssh/sshd_config.d/50-permit-root-login.conf will take precedence.

The new /etc/ssh/sshd_config[.rpmnew] also includes /usr/etc/ssh/sshd_config.d/*.conf:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /usr/etc/ssh/sshd_config.d/*.conf

Therefore I would suggest that the distribution does not put conf files into /etc/ssh/sshd_config.d/ at all but into /usr/etc/ssh/sshd_config.d/, which is included after /etc/ssh/sshd_config.d/ and therefore will not overwrite user defined settings from /etc/ssh/sshd_config.d/. Or conf files put by the distribution into /etc/ssh/sshd_config.d/ should at least always have names starting with zz, e.g. zz_-permit-root-login.conf, in order to avoid overwriting user defined settings.
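The two rules this comment turns on (snippets are read in sorted name order, and the first value seen for a keyword wins) are also what makes the 50-permit-root-login.conf file from the initial report override a later local snippet. The following simulation is an added example, not code from this bug report, from openSUSE or from OpenSSH. It replays sshd's resolution rules over a constructed in-memory set of files, assumes the sshd_config layout quoted above (the /etc/ssh/sshd_config.d include before the /usr/etc one), uses the upstream compiled-in default of prohibit-password when nothing sets the keyword, and does not model Match blocks, quoting or relative Include paths.

```python
"""Simulate how sshd picks a value for a keyword across Include'd snippets.

Constructed example, not code from the bug report, openSUSE or OpenSSH.
It models two rules from sshd_config(5):
  * for each keyword, the first value encountered is used;
  * "Include" with a glob pulls in the matching files in sorted name order
    (byte-wise, as glob(3) sorts in the C locale).
Match blocks, quoting and relative Include paths are deliberately not modelled.
"""
import fnmatch
import posixpath
import re

# Main config trimmed to the lines that matter here (constructed): the /etc
# snippet directory is included before the /usr/etc one, as quoted in the thread.
DISTRO_SSHD_CONFIG = """\
# To modify the system-wide sshd configuration, create a "*.conf" file under
# "/etc/ssh/sshd_config.d/" which will be automatically included below.
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
Include /usr/etc/ssh/sshd_config.d/*.conf
"""

# Content of 50-permit-root-login.conf as shown by the rpm -ql / cat output above.
ROOTLOGIN_SNIPPET = "PermitRootLogin yes\n"

# Upstream OpenSSH's compiled-in default when no file sets the keyword.
UPSTREAM_DEFAULT = "prohibit-password"


def expand_include(pattern, files):
    """Paths in `files` matching one Include glob, in glob(3)'s sorted order."""
    directory = posixpath.dirname(pattern)
    name_pattern = posixpath.basename(pattern)
    return sorted(
        path for path in files
        if posixpath.dirname(path) == directory
        and fnmatch.fnmatchcase(posixpath.basename(path), name_pattern)
    )


def effective_options(files, main_config="/etc/ssh/sshd_config"):
    """Return {keyword (lower-case): first value seen} for an in-memory file tree."""
    options = {}

    def walk(path):
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # sshd accepts "Keyword value" as well as "Keyword=value".
            parts = re.split(r"[\s=]+", line, maxsplit=1)
            keyword = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "include":
                # A glob that matches nothing is silently ignored, as in sshd.
                for pattern in value.split():
                    for included in expand_include(pattern, files):
                        walk(included)
                continue
            options.setdefault(keyword, value)  # first value wins; later ones are ignored

    walk(main_config)
    return options


def permit_root_login(local_snippet=None, distro_dir="/etc/ssh/sshd_config.d"):
    """Effective PermitRootLogin for one layout.

    distro_dir:    directory where the package drops 50-permit-root-login.conf.
    local_snippet: file name of an admin snippet in /etc/ssh/sshd_config.d that
                   says "PermitRootLogin no", or None for no local snippet.
    """
    files = {
        "/etc/ssh/sshd_config": DISTRO_SSHD_CONFIG,
        f"{distro_dir}/50-permit-root-login.conf": ROOTLOGIN_SNIPPET,
    }
    if local_snippet:
        files[f"/etc/ssh/sshd_config.d/{local_snippet}"] = "PermitRootLogin no\n"
    return effective_options(files).get("permitrootlogin", UPSTREAM_DEFAULT)


if __name__ == "__main__":
    scenarios = [
        ("package snippet only", None, "/etc/ssh/sshd_config.d"),
        ("local.conf beside 50-permit-root-login.conf", "local.conf", "/etc/ssh/sshd_config.d"),
        ("00_localsettings.conf beside it", "00_localsettings.conf", "/etc/ssh/sshd_config.d"),
        ("local.conf, package file under /usr/etc", "local.conf", "/usr/etc/ssh/sshd_config.d"),
    ]
    for label, snippet, distro_dir in scenarios:
        print(f"{label:45} -> PermitRootLogin {permit_root_login(snippet, distro_dir)}")
```

The four scenarios reproduce the thread's observations: the package snippet alone yields "yes"; a local.conf next to it still yields "yes" because "5" sorts before "l"; a 00_localsettings.conf yields "no"; and moving the package file under /usr/etc/ssh/sshd_config.d lets a plain local.conf yield "no". On a real host the same question is answered by running `sshd -T` as root and looking at the permitrootlogin line it prints, which is the value sshd has actually resolved rather than what any single file says.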
Please note that the SLE/Leap case is something different from this issue, but since boo#1224446 was already marked as a duplicate (incorrectly, IMHO) I'll just comment here.

In SLE/Leap openssh has changed the default value for PermitRootLogin since SLE-12 times (this has been documented). PermitRootLogin was also set to "yes" in the configuration so that it was clear to anyone reading sshd_config that it was set to allow root to do a password login.

For SP6, I tried to make the package more similar to the TW package. This means in SP6 we can use the /etc/ssh/sshd_config.d directory structure for configuration snippets and so I removed the PermitRootLogin default value change and made it use an openssh-server-config-rootlogin package like in TW. But in the SLE/Leap case, instead of just offering it, it was recommended in order to not change the behaviour from previous SLE-15 releases. Please consider that some users expect and rely on being allowed to log in as root as they've been doing for years, and we absolutely don't want to break their systems.

This was released like that in the PublicRC but then we found that it broke in the case of users having recommended packages disabled and upgrading from SP5 to SP6. In those situations a system that allowed root to do password logins stopped allowing that after upgrading to SP6, which is a behaviour change we MUST avoid, so we had to go back to the old solution of changing the default PermitRootLogin value in sshd_config and we're now providing an openssh-server-config-disallow-rootlogin package that users can install to disable root password logins (the package drops a file in /etc/ssh/sshd_config.d with "PermitRootLogin prohibit-password"). Note that openssh-server-config-rootlogin is no longer provided in SLE/Leap.
SUSE-SU-2024:2393-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1218215, 1224392, 1225904, 1227318, 1227350
CVE References: CVE-2023-51385, CVE-2024-39894
Maintenance Incident: [SUSE:Maintenance:34681](https://smelt.suse.de/incident/34681/)

Sources used:
openSUSE Leap 15.6 (src): openssh-askpass-gnome-9.6p1-150600.6.6.1, openssh-9.6p1-150600.6.6.1
Basesystem Module 15-SP6 (src): openssh-9.6p1-150600.6.6.1
Desktop Applications Module 15-SP6 (src): openssh-askpass-gnome-9.6p1-150600.6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.