
From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date: Sun, 16 Feb 2020 18:30:59
Message-Id: 1581877841.a225fe10e4c21edd8915543c2a4318b00d2144c6.chutzpah@gentoo
1 commit: a225fe10e4c21edd8915543c2a4318b00d2144c6
2 Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3 AuthorDate: Sun Feb 16 18:29:52 2020 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 16 18:30:41 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a225fe10
7
8 net-misc/openssh-8.1_p1-r2: Disable X509 and security-key (bug #709808)
9
10 This also makes the warning about restarting sshd actually show when it
11 is intended to. This refactors all version warnings by using a flag
12 variable set in pkg_preinst to decide whether to show the warning in
13 pkg_postinst.
14
15 Closes: https://bugs.gentoo.org/709808
16 Bug: https://bugs.gentoo.org/709748
17 Package-Manager: Portage-2.3.89, Repoman-2.3.20
18 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
19
20 net-misc/openssh/openssh-8.2_p1-r1.ebuild | 23 ++++++++++++++++-------
21 1 file changed, 16 insertions(+), 7 deletions(-)
22
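diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
index 8f034074203..aa9c926b3f7 100644
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
@@ -41,7 +41,7 @@ REQUIRED_USE="
 ldns? ( ssl )
 pie? ( !static )
 static? ( !kerberos !pam )
-X509? ( !sctp ssl )
+X509? ( !sctp !security-key ssl )
 test? ( ssl )
 "
 
@@ -414,18 +414,27 @@ src_install() {
 systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
 }
 
+pkg_preinst() {
+has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1
+has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1
+has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1
+has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1
+has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1
+has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1
+}
+
 pkg_postinst() {
-if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+if [[ -n ${show_ecdsa_warning} ]]; then
 elog "Starting with openssh-5.8p1, the server will default to a newer key"
 elog "algorithm (ECDSA). You are encouraged to manually update your stored"
 elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
 fi
-if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+if [[ -n ${show_tcpd_warning} ]]; then
 elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
 elog "Make sure to update any configs that you might have. Note that xinetd might"
 elog "be an alternative for you as it supports USE=tcpd."
 fi
-if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+if [[ -n ${show_dss_warning} ]]; then #557388 #555518
 elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
 elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
 elog "adding to your sshd_config or ~/.ssh/config files:"
@@ -436,11 +445,11 @@ pkg_postinst() {
 elog "to 'prohibit-password'. That means password auth for root users no longer works"
 elog "out of the box. If you need this, please update your sshd_config explicitly."
 fi
-if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+if [[ -n ${show_ssh1_warning} ]] ; then
 elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
 elog "Furthermore, rsa keys with less than 1024 bits will be refused."
 fi
-if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+if [[ -n ${show_ldap_warning} ]]; then
 elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
 elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
 elog "if you need to authenticate against LDAP."
@@ -464,7 +473,7 @@ pkg_postinst() {
 elog ""
 fi
 
-if has_version "<${CATEGORY}/${PN}-8.2_p1"; then
+if [[ -n ${show_restart_warning} ]]; then
 ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
 ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
 ewarn "connection is generally safe."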
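Review bot: In the new pkg_preinst (second hunk), a fresh install with no prior openssh makes every `has_version` test fail, so the function's exit status is that of its last `&&` chain, i.e. non-zero; Portage does not appear to act on a phase function's return status, but other package managers may, and an explicit `return 0` as the final line removes the ambiguity. The six `show_*_warning` flags are plain shell globals that only reach pkg_postinst because the ebuild environment is saved between phases, and since pkg_postinst runs after the new version is merged, `has_version "<…-8.2_p1"` there presumably never matched, which is the bug this fixes; that dependency deserves a comment above pkg_preinst such as `# Flags set here survive into pkg_postinst through the saved ebuild environment; has_version cannot decide this in pkg_postinst because the new version is already merged.` The same flag pattern appears in the third and fourth hunks and needs no separate note. pkg_postinst starts in the second hunk but its body continues through the later hunks and past the end of the diff.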