commit: bd05d99800a29426e1fbe5572aec1a887587c854 |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
AuthorDate: Sun Feb 16 19:05:00 2020 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 16 19:05:25 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd05d998 |
|
net-misc/openssh-8.2_p1-r1: Refactor upgrade warnings again |
|
Package-Manager: Portage-2.3.89, Repoman-2.3.20 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
|
net-misc/openssh/openssh-8.2_p1-r1.ebuild | 88 +++++++++++++++---------------- |
1 file changed, 44 insertions(+), 44 deletions(-) |
|
diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild |
17 |
index aa9c926b3f7..23a61c4f6d0 100644 |
18 |
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild |
19 |
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild |
20 |
@@ -415,47 +415,53 @@ src_install() { |
21 |
} |
22 |
|
23 |
pkg_preinst() { |
24 |
- has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1 |
25 |
- has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1 |
26 |
- has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1 |
27 |
- has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1 |
28 |
- has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1 |
29 |
- has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1 |
30 |
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then |
31 |
+ show_ssl_warning=1 |
32 |
+ fi |
33 |
} |
34 |
|
35 |
pkg_postinst() { |
36 |
- if [[ -n ${show_ecdsa_warning} ]]; then |
37 |
- elog "Starting with openssh-5.8p1, the server will default to a newer key" |
38 |
- elog "algorithm (ECDSA). You are encouraged to manually update your stored" |
39 |
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." |
40 |
- fi |
41 |
- if [[ -n ${show_tcpd_warning} ]]; then |
42 |
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." |
43 |
- elog "Make sure to update any configs that you might have. Note that xinetd might" |
44 |
- elog "be an alternative for you as it supports USE=tcpd." |
45 |
- fi |
46 |
- if [[ -n ${show_dss_warning} ]]; then #557388 #555518 |
47 |
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" |
48 |
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by" |
49 |
- elog "adding to your sshd_config or ~/.ssh/config files:" |
50 |
- elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
51 |
- elog "You should however generate new keys using rsa or ed25519." |
52 |
- |
53 |
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" |
54 |
- elog "to 'prohibit-password'. That means password auth for root users no longer works" |
55 |
- elog "out of the box. If you need this, please update your sshd_config explicitly." |
56 |
- fi |
57 |
- if [[ -n ${show_ssh1_warning} ]] ; then |
58 |
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." |
59 |
- elog "Furthermore, rsa keys with less than 1024 bits will be refused." |
60 |
- fi |
61 |
- if [[ -n ${show_ldap_warning} ]]; then |
62 |
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." |
63 |
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" |
64 |
- elog "if you need to authenticate against LDAP." |
65 |
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." |
66 |
- fi |
67 |
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then |
68 |
+ local old_ver |
69 |
+ for old_ver in ${REPLACING_VERSIONS}; do |
70 |
+ if ver_test "${old_ver}" -lt "5.8_p1"; then |
71 |
+ elog "Starting with openssh-5.8p1, the server will default to a newer key" |
72 |
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored" |
73 |
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." |
74 |
+ fi |
75 |
+ if ver_test "${old_ver}" -lt "7.0_p1"; then |
76 |
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." |
77 |
+ elog "Make sure to update any configs that you might have. Note that xinetd might" |
78 |
+ elog "be an alternative for you as it supports USE=tcpd." |
79 |
+ fi |
80 |
+ if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 |
81 |
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" |
82 |
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by" |
83 |
+ elog "adding to your sshd_config or ~/.ssh/config files:" |
84 |
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss" |
85 |
+ elog "You should however generate new keys using rsa or ed25519." |
86 |
+ |
87 |
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" |
88 |
+ elog "to 'prohibit-password'. That means password auth for root users no longer works" |
89 |
+ elog "out of the box. If you need this, please update your sshd_config explicitly." |
90 |
+ fi |
91 |
+ if ver_test "${old_ver}" -lt "7.6_p1"; then |
92 |
+ elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." |
93 |
+ elog "Furthermore, rsa keys with less than 1024 bits will be refused." |
94 |
+ fi |
95 |
+ if ver_test "${old_ver}" -lt "7.7_p1"; then |
96 |
+ elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." |
97 |
+ elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" |
98 |
+ elog "if you need to authenticate against LDAP." |
99 |
+ elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." |
100 |
+ fi |
101 |
+ if ver_test "${old_ver}" -lt "8.2_p1"; then |
102 |
+ ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" |
103 |
+ ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" |
104 |
+ ewarn "connection is generally safe." |
105 |
+ fi |
106 |
+ done |
107 |
+ |
108 |
+ if [[ -n ${show_ssl_warning} ]]; then |
109 |
elog "Be aware that by disabling openssl support in openssh, the server and clients" |
110 |
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" |
111 |
elog "and update all clients/servers that utilize them." |
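Review bot: The `for old_ver in ${REPLACING_VERSIONS}` loop in pkg_postinst prints every matching block once per list entry, so if more than one installed version is ever replaced in a single merge the same messages repeat. The one operationally urgent notice, the `ewarn` about restarting sshd (without which new sessions cannot be established), is the last check in the loop body and lands after up to five `elog` blocks. Consider moving the `ver_test "${old_ver}" -lt "8.2_p1"` check to the top of the loop body, or folding the list into flags first so each message is shown once and the restart warning is read first. The `show_ssl_warning` assignment in pkg_preinst would also benefit from a short comment such as `# evaluated in pkg_preinst so has_version still sees the version being replaced`, which is presumably why the check moved out of pkg_postinst. pkg_postinst continues past the end of this hunk.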
112 |
@@ -472,10 +478,4 @@ pkg_postinst() { |
113 |
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." |
114 |
elog "" |
115 |
fi |
116 |
- |
117 |
- if [[ -n ${show_restart_warning} ]]; then |
118 |
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" |
119 |
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" |
120 |
- ewarn "connection is generally safe." |
121 |
- fi |
122 |
} |