commit:     bd05d99800a29426e1fbe5572aec1a887587c854
Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 16 19:05:00 2020 +0000
Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>
CommitDate: Sun Feb 16 19:05:25 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd05d998

net-misc/openssh-8.2_p1-r1: Refactor upgrade warnings again

Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

 net-misc/openssh/openssh-8.2_p1-r1.ebuild | 88 +++++++++++++++----------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild 
b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
index aa9c926b3f7..23a61c4f6d0 100644
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
@@ -415,47 +415,53 @@ src_install() {
 }
 
 pkg_preinst() {
-       has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1
-       has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1
-       has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1
-       has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1
-       has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1
-       has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1
+       if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+               show_ssl_warning=1
+       fi
 }
 
 pkg_postinst() {
-       if [[ -n ${show_ecdsa_warning} ]]; then
-               elog "Starting with openssh-5.8p1, the server will default to a 
newer key"
-               elog "algorithm (ECDSA).  You are encouraged to manually update 
your stored"
-               elog "keys list as servers update theirs.  See ssh-keyscan(1) 
for more info."
-       fi
-       if [[ -n ${show_tcpd_warning} ]]; then
-               elog "Starting with openssh-6.7, support for USE=tcpd has been 
dropped by upstream."
-               elog "Make sure to update any configs that you might have.  
Note that xinetd might"
-               elog "be an alternative for you as it supports USE=tcpd."
-       fi
-       if [[ -n ${show_dss_warning} ]]; then #557388 #555518
-               elog "Starting with openssh-7.0, support for ssh-dss keys were 
disabled due to their"
-               elog "weak sizes.  If you rely on these key types, you can 
re-enable the key types by"
-               elog "adding to your sshd_config or ~/.ssh/config files:"
-               elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
-               elog "You should however generate new keys using rsa or 
ed25519."
-
-               elog "Starting with openssh-7.0, the default for 
PermitRootLogin changed from 'yes'"
-               elog "to 'prohibit-password'.  That means password auth for 
root users no longer works"
-               elog "out of the box.  If you need this, please update your 
sshd_config explicitly."
-       fi
-       if [[ -n ${show_ssh1_warning} ]] ; then
-               elog "Starting with openssh-7.6p1, openssh upstream has removed 
ssh1 support entirely."
-               elog "Furthermore, rsa keys with less than 1024 bits will be 
refused."
-       fi
-       if [[ -n ${show_ldap_warning} ]]; then
-               elog "Starting with openssh-7.7p1, we no longer patch openssh 
to provide LDAP functionality."
-               elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's 
\"AuthorizedKeysCommand\" option"
-               elog "if you need to authenticate against LDAP."
-               elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for 
more details."
-       fi
-       if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+       local old_ver
+       for old_ver in ${REPLACING_VERSIONS}; do
+               if ver_test "${old_ver}" -lt "5.8_p1"; then
+                       elog "Starting with openssh-5.8p1, the server will 
default to a newer key"
+                       elog "algorithm (ECDSA).  You are encouraged to 
manually update your stored"
+                       elog "keys list as servers update theirs.  See 
ssh-keyscan(1) for more info."
+               fi
+               if ver_test "${old_ver}" -lt "7.0_p1"; then
+                       elog "Starting with openssh-6.7, support for USE=tcpd 
has been dropped by upstream."
+                       elog "Make sure to update any configs that you might 
have.  Note that xinetd might"
+                       elog "be an alternative for you as it supports 
USE=tcpd."
+               fi
+               if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+                       elog "Starting with openssh-7.0, support for ssh-dss 
keys were disabled due to their"
+                       elog "weak sizes.  If you rely on these key types, you 
can re-enable the key types by"
+                       elog "adding to your sshd_config or ~/.ssh/config 
files:"
+                       elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
+                       elog "You should however generate new keys using rsa or 
ed25519."
+
+                       elog "Starting with openssh-7.0, the default for 
PermitRootLogin changed from 'yes'"
+                       elog "to 'prohibit-password'.  That means password auth 
for root users no longer works"
+                       elog "out of the box.  If you need this, please update 
your sshd_config explicitly."
+               fi
+               if ver_test "${old_ver}" -lt "7.6_p1"; then
+                       elog "Starting with openssh-7.6p1, openssh upstream has 
removed ssh1 support entirely."
+                       elog "Furthermore, rsa keys with less than 1024 bits 
will be refused."
+               fi
+               if ver_test "${old_ver}" -lt "7.7_p1"; then
+                       elog "Starting with openssh-7.7p1, we no longer patch 
openssh to provide LDAP functionality."
+                       elog "Install sys-auth/ssh-ldap-pubkey and use 
OpenSSH's \"AuthorizedKeysCommand\" option"
+                       elog "if you need to authenticate against LDAP."
+                       elog "See 
https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+               fi
+               if ver_test "${old_ver}" -lt "8.2_p1"; then
+                       ewarn "After upgrading to openssh-8.2p1 please restart 
sshd, otherwise you"
+                       ewarn "will not be able to establish new sessions. 
Restarting sshd over a ssh"
+                       ewarn "connection is generally safe."
+               fi
+       done
+
+       if [[ -n ${show_ssl_warning} ]]; then
                elog "Be aware that by disabling openssl support in openssh, 
the server and clients"
                elog "no longer support dss/rsa/ecdsa keys.  You will need to 
generate ed25519 keys"
                elog "and update all clients/servers that utilize them."
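Review bot: The `show_ssl_warning` flag set in `pkg_preinst` has no comment explaining why this one check stays in preinst while the version checks moved to `REPLACING_VERSIONS`. Presumably `has_version "${CATEGORY}/${PN}[ssl]"` has to run before the merge, because in `pkg_postinst` it would be evaluated against the newly installed package and the key-type lockout notice would never fire. I would add above the `if` a comment such as `# query the old install's USE=ssl here; by pkg_postinst has_version sees the new package`. In `pkg_postinst`, the unquoted `${REPLACING_VERSIONS}` in the `for` line is deliberate word-splitting and deserves a short comment saying so. Every message in that loop, including the sshd-restart `ewarn`, is emitted once per replaced version, so it would repeat if more than one version were ever replaced. `pkg_postinst` continues past the end of this hunk.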
@@ -472,10 +478,4 @@ pkg_postinst() {
                elog "Otherwise you maybe unable to connect to this sshd using 
any AES CTR cipher."
                elog ""
        fi
-
-       if [[ -n ${show_restart_warning} ]]; then
-               ewarn "After upgrading to openssh-8.2p1 please restart sshd, 
otherwise you"
-               ewarn "will not be able to establish new sessions. Restarting 
sshd over a ssh"
-               ewarn "connection is generally safe."
-       fi
 }
