commit: 8fcd1c8782510056ce32080039010e64d60f8e25
Author: Ulrich Müller <ulm <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 14 14:11:48 2025 +0000
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org>
CommitDate: Sat Feb 22 09:38:18 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fcd1c87
net-misc/openssh-contrib: Port to ver_replacing
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org>
.../openssh-contrib-9.7_p1-r4.ebuild | 95 +++++++++++-----------
1 file changed, 46 insertions(+), 49 deletions(-)
diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
index 6686d35c898f..858a106a682e 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
-inherit user-info optfeature flag-o-matic autotools pam systemd
toolchain-funcs verify-sig
+inherit user-info optfeature flag-o-matic autotools pam systemd
toolchain-funcs verify-sig eapi9-ver
# Make it more portable between straight releases
# and _p? releases.
@@ -465,53 +465,50 @@ pkg_postinst() {
# bug #139235
optfeature "x11 forwarding" x11-apps/xauth
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will
default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to
manually update your stored"
- elog "keys list as servers update theirs. See
ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd
has been dropped by upstream."
- elog "Make sure to update any configs that you might
have. Note that xinetd might"
- elog "be an alternative for you as it supports
USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss
keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you
can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config
files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or
ed25519."
-
- elog "Starting with openssh-7.0, the default for
PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth
for root users no longer works"
- elog "out of the box. If you need this, please update
your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has
removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits
will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch
openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use
OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See
https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart
sshd, otherwise you"
- ewarn "will not be able to establish new sessions.
Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted;
then
- ewarn "From openssh-9.2_p1-r1 the supplied systemd unit
file defaults to"
- ewarn "'Restart=on-failure', which causes the service
to automatically restart if it"
- ewarn "terminates with an unclean exit code or signal.
This feature is useful for most users,"
- ewarn "but it can increase the vulnerability of the
system in the event of a future exploit."
- ewarn "If you have a web-facing setup or are concerned
about security, it is recommended to"
- ewarn "set 'Restart=no' in your sshd unit file."
- fi
- done
+ if ver_replacing -lt "5.8_p1"; then
+ elog "Starting with openssh-5.8p1, the server will default to a
newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update
your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1)
for more info."
+ fi
+ if ver_replacing -lt "7.0_p1"; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been
dropped by upstream."
+ elog "Make sure to update any configs that you might have.
Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if ver_replacing -lt "7.1_p1"; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were
disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can
re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or
ed25519."
+
+ elog "Starting with openssh-7.0, the default for
PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for
root users no longer works"
+ elog "out of the box. If you need this, please update your
sshd_config explicitly."
+ fi
+ if ver_replacing -lt "7.6_p1"; then
+ elog "Starting with openssh-7.6p1, openssh upstream has removed
ssh1 support entirely."
+ elog "Furthermore, rsa keys with less than 1024 bits will be
refused."
+ fi
+ if ver_replacing -lt "7.7_p1"; then
+ elog "Starting with openssh-7.7p1, we no longer patch openssh
to provide LDAP functionality."
+ elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's
\"AuthorizedKeysCommand\" option"
+ elog "if you need to authenticate against LDAP."
+ elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for
more details."
+ fi
+ if ver_replacing -lt "8.2_p1"; then
+ ewarn "After upgrading to openssh-8.2p1 please restart sshd,
otherwise you"
+ ewarn "will not be able to establish new sessions. Restarting
sshd over a ssh"
+ ewarn "connection is generally safe."
+ fi
+ if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
+ ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file
defaults to"
+ ewarn "'Restart=on-failure', which causes the service to
automatically restart if it"
+ ewarn "terminates with an unclean exit code or signal. This
feature is useful for most users,"
+ ewarn "but it can increase the vulnerability of the system in
the event of a future exploit."
+ ewarn "If you have a web-facing setup or are concerned about
security, it is recommended to"
+ ewarn "set 'Restart=no' in your sshd unit file."
+ fi
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh,
the server and clients"
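Review bot: The final `ewarn` of the `9.2_p1-r1` block tells admins to set 'Restart=no' "in your sshd unit file"; if that is read as editing the packaged unit, the change would presumably be overwritten by the next upgrade, silently undoing the hardening. The wording is carried over unchanged from the removed loop, but as the line is re-added here it could name a drop-in override instead, e.g. `ewarn "set 'Restart=no' in a drop-in override for the sshd unit ('systemctl edit sshd.service')."`. Similarly, the `7.1_p1` block still prints `PubkeyAcceptedKeyTypes=+ssh-dss`. Current OpenSSH documents that option as `PubkeyAcceptedAlgorithms` and keeps the old name only as an alias, so the hint could use the current keyword and say that re-enabling ssh-dss is a stopgap until new keys are generated. pkg_postinst begins before and continues after this hunk, so other messages in the function were not checked.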