From: "Patrick McLean"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Patrick McLean"
Message-ID: <1581879925.bd05d99800a29426e1fbe5572aec1a887587c854.chutzpah@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-misc/openssh/openssh-8.2_p1-r1.ebuild
X-VCS-Directories: net-misc/openssh/
X-VCS-Committer: chutzpah
X-VCS-Committer-Name: Patrick McLean
X-VCS-Revision: bd05d99800a29426e1fbe5572aec1a887587c854
X-VCS-Branch: master
Date: Sun, 16 Feb 2020 19:05:32 +0000 (UTC)

commit:     bd05d99800a29426e1fbe5572aec1a887587c854
Author:     Patrick McLean gentoo org>
AuthorDate: Sun Feb 16 19:05:00 2020 +0000
Commit:     Patrick McLean gentoo org>
CommitDate: Sun Feb 16 19:05:25 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd05d998

net-misc/openssh-8.2_p1-r1: Refactor upgrade warnings again

Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Patrick McLean gentoo.org>

 net-misc/openssh/openssh-8.2_p1-r1.ebuild | 88 +++++++++++++++----------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/net-misc/openssh/openssh-8.2_p1-r1.ebuild b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
index aa9c926b3f7..23a61c4f6d0 100644
--- a/net-misc/openssh/openssh-8.2_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-8.2_p1-r1.ebuild
@@ -415,47 +415,53 @@ src_install() { } pkg_preinst() { - has_version "<${CATEGORY}/${PN}-5.8_p1" && show_ecdsa_warning=1 - has_version "<${CATEGORY}/${PN}-7.0_p1" && show_tcpd_warning=1 - has_version "<${CATEGORY}/${PN}-7.1_p1" && show_dss_warning=1 - has_version "<${CATEGORY}/${PN}-7.6_p1" && show_ssh1_warning=1 - has_version "<${CATEGORY}/${PN}-7.7_p1" && show_ldap_warning=1 - has_version "<${CATEGORY}/${PN}-8.2_p1" && show_restart_warning=1 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi } pkg_postinst() { - if [[ -n ${show_ecdsa_warning} ]]; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if [[ -n ${show_tcpd_warning} ]]; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if [[ -n ${show_dss_warning} ]]; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if [[ -n ${show_ssh1_warning} ]] ; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." 
- fi - if [[ -n ${show_ldap_warning} ]]; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." 
+ fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then elog "Be aware that by disabling openssl support in openssh, the server and clients" elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" elog "and update all clients/servers that utilize them." @@ -472,10 +478,4 @@ pkg_postinst() { elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." elog "" fi - - if [[ -n ${show_restart_warning} ]]; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi }
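Review bot: in the first hunk, the `for old_ver in ${REPLACING_VERSIONS}` loop in pkg_postinst emits every elog/ewarn block once per replaced version, so when REPLACING_VERSIONS carries more than one entry each message whose threshold is met is printed repeatedly; consider setting one flag per threshold inside the loop (as the removed show_*_warning variables did) and printing after `done`, or evaluating only the lowest replaced version. Keeping the `! use ssl && has_version "${CATEGORY}/${PN}[ssl]"` check in pkg_preinst rather than moving it into the loop is the right call, since by pkg_postinst the old build is already gone and has_version would no longer see it.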
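Review bot: in the second hunk, dropping the trailing `show_restart_warning` block means the "please restart sshd" ewarn now appears inside the loop, ahead of the openssl and AES CTR elogs, instead of being the last thing printed by pkg_postinst; if the intent is that the mandatory restart is the final message an admin reads in the build log, move that `ver_test "${old_ver}" -lt "8.2_p1"` ewarn to the end of the function. The matching `show_restart_warning=1` assignment in pkg_preinst was removed in the first hunk, so no stale variable is left behind.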