commit: a225fe10e4c21edd8915543c2a4318b00d2144c6 |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
AuthorDate: Sun Feb 16 18:29:52 2020 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 16 18:30:41 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a225fe10 |
|
net-misc/openssh-8.1_p1-r2: Disable X509 and security-key (bug #709808) |
|
This also makes the warning about restarting sshd actually show when it |
is intended to. This refactors all version warnings by using a flag |
variable set in pkg_preinst to decide whether to show the warning in |
pkg_postinst. |
|
Closes: https://bugs.gentoo.org/709808 |
Bug: https://bugs.gentoo.org/709748 |
Package-Manager: Portage-2.3.89, Repoman-2.3.20 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
|
net-misc/openssh/openssh-8.2_p1-r1.ebuild | 23 ++++++++++++++++------- |
1 file changed, 16 insertions(+), 7 deletions(-) |
|
diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild |
24 |
index 8f034074203..aa9c926b3f7 100644 |
25 |
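--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
@@ -41,7 +41,7 @@ REQUIRED_USE="
 ldns? ( ssl )
 pie? ( !static )
 static? ( !kerberos !pam )
- X509? ( !sctp ssl )
+ X509? ( !sctp !security-key ssl )
 test? ( ssl )
 "
 
@@ -414,18 +414,27 @@ src_install() {
 systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
 }
 
+pkg_preinst() {
+ has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1
+ has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1
+ has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1
+ has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1
+ has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1
+ has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1
+}
+
 pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ if [[ -n ${show_ecdsa_warning} ]]; then
 elog "Starting with openssh-5.8p1, the server will default to a newer key"
 elog "algorithm (ECDSA). You are encouraged to manually update your stored"
 elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
 fi
- if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+ if [[ -n ${show_tcpd_warning} ]]; then
 elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
 elog "Make sure to update any configs that you might have. Note that xinetd might"
 elog "be an alternative for you as it supports USE=tcpd."
 fi
- if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+ if [[ -n ${show_dss_warning} ]]; then #557388 #555518
 elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
 elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
 elog "adding to your sshd_config or ~/.ssh/config files:"
@@ -436,11 +445,11 @@ pkg_postinst() {
 elog "to 'prohibit-password'. That means password auth for root users no longer works"
 elog "out of the box. If you need this, please update your sshd_config explicitly."
 fi
- if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
+ if [[ -n ${show_ssh1_warning} ]] ; then
 elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
 elog "Furthermore, rsa keys with less than 1024 bits will be refused."
 fi
- if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
+ if [[ -n ${show_ldap_warning} ]]; then
 elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
 elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
 elog "if you need to authenticate against LDAP."
@@ -464,7 +473,7 @@ pkg_postinst() {
 elog ""
 fi
 
- if has_version "<${CATEGORY}/${PN}-8.2_p1"; then
+ if [[ -n ${show_restart_warning} ]]; then
 ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
 ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
 ewarn "connection is generally safe."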
ewarn "connection is generally safe." |