From: "Patrick McLean"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Patrick McLean"
Message-ID: <1581877841.a225fe10e4c21edd8915543c2a4318b00d2144c6.chutzpah@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-misc/openssh/openssh-8.2_p1-r1.ebuild
X-VCS-Directories: net-misc/openssh/
X-VCS-Committer: chutzpah
X-VCS-Committer-Name: Patrick McLean
X-VCS-Revision: a225fe10e4c21edd8915543c2a4318b00d2144c6
X-VCS-Branch: master
Date: Sun, 16 Feb 2020 18:30:54 +0000 (UTC)

commit:     a225fe10e4c21edd8915543c2a4318b00d2144c6
Author:     Patrick McLean gentoo org>
AuthorDate: Sun Feb 16 18:29:52 2020 +0000
Commit:     Patrick McLean gentoo org>
CommitDate: Sun Feb 16 18:30:41 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a225fe10

net-misc/openssh-8.1_p1-r2: Disable X509 and security-key (bug #709808)

This also makes the warning about restarting sshd actually show when it
is intended to. This refactors all version warnings by using a flag
variable set in pkg_preinst to decide whether to show the warning in
pkg_postinst.

Closes: https://bugs.gentoo.org/709808
Bug: https://bugs.gentoo.org/709748
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Patrick McLean gentoo.org>

 net-misc/openssh/openssh-8.2_p1-r1.ebuild | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
index 8f034074203..aa9c926b3f7 100644
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild @@ -41,7 +41,7 @@ REQUIRED_USE=" ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) - X509? ( !sctp ssl ) + X509? ( !sctp !security-key ssl ) test? ( ssl ) " @@ -414,18 +414,27 @@ src_install() { systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' } +pkg_preinst() { + has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1 + has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1 + has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1 + has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1 + has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1 + has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1 +} + pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + if [[ -n ${show_ecdsa_warning} ]]; then elog "Starting with openssh-5.8p1, the server will default to a newer key" elog "algorithm (ECDSA). You are encouraged to manually update your stored" elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + if [[ -n ${show_tcpd_warning} ]]; then elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." elog "Make sure to update any configs that you might have. Note that xinetd might" elog "be an alternative for you as it supports USE=tcpd." fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + if [[ -n ${show_dss_warning} ]]; then #557388 #555518 elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" elog "weak sizes. If you rely on these key types, you can re-enable the key types by" elog "adding to your sshd_config or ~/.ssh/config files:" 
@@ -436,11 +445,11 @@ pkg_postinst() { elog "to 'prohibit-password'. That means password auth for root users no longer works" elog "out of the box. If you need this, please update your sshd_config explicitly." fi - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then + if [[ -n ${show_ssh1_warning} ]] ; then elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." elog "Furthermore, rsa keys with less than 1024 bits will be refused." fi - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then + if [[ -n ${show_ldap_warning} ]]; then elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" elog "if you need to authenticate against LDAP." @@ -464,7 +473,7 @@ pkg_postinst() { elog "" fi - if has_version "<${CATEGORY}/${PN}-8.2_p1"; then + if [[ -n ${show_restart_warning} ]]; then ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" ewarn "connection is generally safe."
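Review bot: on the first hunk (@@ -41,7 +41,7 @@ REQUIRED_USE), the subject line names net-misc/openssh-8.1_p1-r2 while the only file touched is net-misc/openssh/openssh-8.2_p1-r1.ebuild; fix the subject so the commit is findable by the ebuild it actually changes. The new entry `X509? ( !sctp !security-key ssl )` makes X509 and security-key mutually exclusive rather than disabling either, so a user with both flags enabled gets a bare REQUIRED_USE failure at emerge time; a one-line comment next to this entry pointing at bug 709808 would document why the combination is refused.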
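Review bot: on the second hunk (@@ -414,18 +414,27 @@ src_install), every line of the new pkg_preinst is `has_version ... && show_*_warning=1`, so the phase function's exit status is whatever the last has_version call returned, and that is non-zero on every re-emerge of a version already >= 8.2_p1. Whether the package manager treats that status as an error is implementation-dependent, so do not leave it to chance: write the checks as `if has_version "<${CATEGORY}/${PN}-8.2_p1"; then show_restart_warning=1; fi` or end the function with `:`. The flag variables are deliberately not `local`, because they must survive into pkg_postinst through the saved environment; a short comment saying so would stop a later cleanup from localising them and silently disabling all six warnings again.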
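Review bot: on the third hunk (@@ -436,11 +445,11 @@ pkg_postinst), `if [[ -n ${show_ssh1_warning} ]] ; then` has a space before the semicolon while the other rewritten conditions use `]]; then`; make it `if [[ -n ${show_ssh1_warning} ]]; then` for consistency.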
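Review bot: on the last hunk (@@ -464,7 +473,7 @@ pkg_postinst), this is the change that actually fixes the restart warning, and the reason is recorded nowhere in the file: `has_version "<${CATEGORY}/${PN}-8.2_p1"` evaluated in pkg_postinst runs after the new version has been merged and the old one removed, so the pattern never matched and the ewarn never fired, whereas the same check in pkg_preinst runs before the merge and sees the old version. Add a comment above pkg_preinst stating that the has_version checks must run before the merge for exactly this reason, so the next refactor does not move them back into pkg_postinst. While touching these lines, the unchanged ewarn text reads "over a ssh connection"; "over an ssh connection" is the correct article.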