
From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
Date: Sun, 16 Feb 2020 19:05:37
Message-Id: 1581879925.bd05d99800a29426e1fbe5572aec1a887587c854.chutzpah@gentoo
1 commit: bd05d99800a29426e1fbe5572aec1a887587c854
2 Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
3 AuthorDate: Sun Feb 16 19:05:00 2020 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 16 19:05:25 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd05d998
7
8 net-misc/openssh-8.2_p1-r1: Refactor upgrade warnings again
9
10 Package-Manager: Portage-2.3.89, Repoman-2.3.20
11 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
12
13 net-misc/openssh/openssh-8.2_p1-r1.ebuild | 88 +++++++++++++++----------------
14 1 file changed, 44 insertions(+), 44 deletions(-)
15
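diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
index aa9c926b3f7..23a61c4f6d0 100644
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
@@ -415,47 +415,53 @@ src_install() {
 }
 
 pkg_preinst() {
- has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1
- has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1
- has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1
- has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1
- has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1
- has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+ show_ssl_warning=1
+ fi
 }
 
 pkg_postinst() {
- if [[ -n ${show_ecdsa_warning} ]]; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if [[ -n ${show_tcpd_warning} ]]; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if [[ -n ${show_dss_warning} ]]; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if [[ -n ${show_ssh1_warning} ]] ; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if [[ -n ${show_ldap_warning} ]]; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+ local old_ver
+ for old_ver in ${REPLACING_VERSIONS}; do
+ if ver_test "${old_ver}" -lt "5.8_p1"; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if ver_test "${old_ver}" -lt "7.0_p1"; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ver_test "${old_ver}" -lt "7.6_p1"; then
+ elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+ elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+ fi
+ if ver_test "${old_ver}" -lt "7.7_p1"; then
+ elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+ elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+ elog "if you need to authenticate against LDAP."
+ elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+ fi
+ if ver_test "${old_ver}" -lt "8.2_p1"; then
+ ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+ ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+ ewarn "connection is generally safe."
+ fi
+ done
+
+ if [[ -n ${show_ssl_warning} ]]; then
 elog "Be aware that by disabling openssl support in openssh, the server and clients"
 elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
 elog "and update all clients/servers that utilize them."
@@ -472,10 +478,4 @@ pkg_postinst() {
 elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
 elog ""
 fi
-
- if [[ -n ${show_restart_warning} ]]; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
 }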
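Review bot: The new `show_ssl_warning=1` in pkg_preinst is the only state that still crosses a phase boundary into pkg_postinst, and nothing in the hunk says why the `has_version "${CATEGORY}/${PN}[ssl]"` test cannot simply move next to the other checks in pkg_postinst; a one-line comment above the assignment would save the next maintainer from "simplifying" it, e.g. `# must run before merge: in pkg_postinst has_version would see the just-installed package, not the one being replaced`. The `ver_test` calls in the new loop are an EAPI 7 helper; the EAPI line is outside this hunk, so I assume the ebuild already declares it. The loop emits each elog/ewarn once per entry of `${REPLACING_VERSIONS}`, which for a single-SLOT package is normally one version, so the repeated output case is presumably theoretical. pkg_postinst is split across the two hunks here; the `if [[ -n ${show_ssl_warning} ]]` block opened at the end of the first hunk closes in the second, and the function's closing brace is the last line of the section.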