| 3 |
3 |
|
| 4 |
4 |
EAPI=8
|
| 5 |
5 |
|
|
6 |
# Remember to check the upstream release/stable branches for patches
|
|
7 |
# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2.
|
|
8 |
|
| 6 |
9 |
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
|
| 7 |
|
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig
|
|
10 |
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver
|
| 8 |
11 |
|
| 9 |
12 |
# Make it more portable between straight releases
|
| 10 |
13 |
# and _p? releases.
|
| ... | ... | |
| 79 |
82 |
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
|
| 80 |
83 |
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
|
| 81 |
84 |
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
|
| 82 |
|
"${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"
|
| 83 |
|
"${FILESDIR}/${PN}-9.8_p1-inetd.patch"
|
|
85 |
# Backports from upstream release branch
|
|
86 |
#"${FILESDIR}/${PV}"
|
|
87 |
# Our own backports
|
|
88 |
"${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch"
|
| 84 |
89 |
)
|
| 85 |
90 |
|
| 86 |
91 |
pkg_pretend() {
|
| ... | ... | |
| 345 |
350 |
# bug #139235
|
| 346 |
351 |
optfeature "x11 forwarding" x11-apps/xauth
|
| 347 |
352 |
|
| 348 |
|
local old_ver
|
| 349 |
|
for old_ver in ${REPLACING_VERSIONS}; do
|
| 350 |
|
if ver_test "${old_ver}" -lt "5.8_p1"; then
|
| 351 |
|
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
| 352 |
|
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
| 353 |
|
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
| 354 |
|
fi
|
| 355 |
|
if ver_test "${old_ver}" -lt "7.0_p1"; then
|
| 356 |
|
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
| 357 |
|
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
| 358 |
|
elog "be an alternative for you as it supports USE=tcpd."
|
| 359 |
|
fi
|
| 360 |
|
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
|
| 361 |
|
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
| 362 |
|
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
| 363 |
|
elog "adding to your sshd_config or ~/.ssh/config files:"
|
| 364 |
|
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
| 365 |
|
elog "You should however generate new keys using rsa or ed25519."
|
| 366 |
|
|
| 367 |
|
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
| 368 |
|
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
| 369 |
|
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
| 370 |
|
fi
|
| 371 |
|
if ver_test "${old_ver}" -lt "7.6_p1"; then
|
| 372 |
|
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
| 373 |
|
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
| 374 |
|
fi
|
| 375 |
|
if ver_test "${old_ver}" -lt "7.7_p1"; then
|
| 376 |
|
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
| 377 |
|
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
| 378 |
|
elog "if you need to authenticate against LDAP."
|
| 379 |
|
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
| 380 |
|
fi
|
| 381 |
|
if ver_test "${old_ver}" -lt "8.2_p1"; then
|
| 382 |
|
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
| 383 |
|
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
| 384 |
|
ewarn "connection is generally safe."
|
| 385 |
|
fi
|
| 386 |
|
if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
|
| 387 |
|
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
|
| 388 |
|
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
|
| 389 |
|
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
|
| 390 |
|
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
|
| 391 |
|
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
|
| 392 |
|
ewarn "set 'Restart=no' in your sshd unit file."
|
| 393 |
|
fi
|
| 394 |
|
done
|
|
353 |
if ver_replacing -lt "5.8_p1"; then
|
|
354 |
elog "Starting with openssh-5.8p1, the server will default to a newer key"
|
|
355 |
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
|
|
356 |
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
|
|
357 |
fi
|
|
358 |
if ver_replacing -lt "7.0_p1"; then
|
|
359 |
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
|
|
360 |
elog "Make sure to update any configs that you might have. Note that xinetd might"
|
|
361 |
elog "be an alternative for you as it supports USE=tcpd."
|
|
362 |
fi
|
|
363 |
if ver_replacing -lt "7.1_p1"; then #557388 #555518
|
|
364 |
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
|
|
365 |
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
|
|
366 |
elog "adding to your sshd_config or ~/.ssh/config files:"
|
|
367 |
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
|
|
368 |
elog "You should however generate new keys using rsa or ed25519."
|
|
369 |
|
|
370 |
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
|
|
371 |
elog "to 'prohibit-password'. That means password auth for root users no longer works"
|
|
372 |
elog "out of the box. If you need this, please update your sshd_config explicitly."
|
|
373 |
fi
|
|
374 |
if ver_replacing -lt "7.6_p1"; then
|
|
375 |
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
|
|
376 |
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
|
|
377 |
fi
|
|
378 |
if ver_replacing -lt "7.7_p1"; then
|
|
379 |
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
|
|
380 |
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
|
|
381 |
elog "if you need to authenticate against LDAP."
|
|
382 |
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
|
|
383 |
fi
|
|
384 |
if ver_replacing -lt "8.2_p1"; then
|
|
385 |
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
|
|
386 |
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
|
|
387 |
ewarn "connection is generally safe."
|
|
388 |
fi
|
|
389 |
if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
|
|
390 |
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
|
|
391 |
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
|
|
392 |
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
|
|
393 |
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
|
|
394 |
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
|
|
395 |
ewarn "set 'Restart=no' in your sshd unit file."
|
|
396 |
fi
|
| 395 |
397 |
|
| 396 |
398 |
if [[ -n ${show_ssl_warning} ]]; then
|
| 397 |
399 |
elog "Be aware that by disabling openssl support in openssh, the server and clients"
|
