Diff openssh-7.5_p1-r4 with a openssh-7.7_p1-r9

/usr/portage/net-misc/openssh/openssh-7.7_p1-r9.ebuild 2020-02-14 01:10:00.000000000 +0300
1 1
# Copyright 1999-2020 Gentoo Authors
2 2
# Distributed under the terms of the GNU General Public License v2
3 3

  
4
EAPI="5"
4
EAPI="6"
5 5

  
6
inherit eutils user flag-o-matic multilib autotools pam systemd toolchain-funcs
6
inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs
7 7

  
8 8
# Make it more portable between straight releases
9 9
# and _p? releases.
10 10
PARCH=${P/_}
11 11

  
12
HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
13
SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
14
LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
15
X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
12
HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
13
SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
14
X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
15

  
16
PATCH_SET="openssh-7.7p1-patches-1.2"
16 17

  
17 18
DESCRIPTION="Port of OpenBSD's free SSH release"
18
HOMEPAGE="http://www.openssh.org/"
19
HOMEPAGE="https://www.openssh.com/"
19 20
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
20
	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
21
	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
22
	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
23
	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
21
	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
22
	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
23
	${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
24
	${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
24 25
	"
25 26

  
26 27
LICENSE="BSD GPL-2"
27 28
SLOT="0"
28 29
KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
29 30
# Probably want to drop ssl defaulting to on in a future version.
30
IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
31
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
31 32
RESTRICT="!test? ( test )"
32 33
REQUIRED_USE="ldns? ( ssl )
33 34
	pie? ( !static )
34
	ssh1? ( ssl )
35 35
	static? ( !kerberos !pam )
36
	X509? ( !ldap !sctp ssl )
36
	X509? ( !sctp ssl )
37 37
	test? ( ssl )"
38 38

  
39 39
LIB_DEPEND="
......
58 58
RDEPEND="
59 59
	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
60 60
	pam? ( sys-libs/pam )
61
	kerberos? ( virtual/krb5 )
62
	ldap? ( net-nds/openldap )"
61
	kerberos? ( virtual/krb5 )"
63 62
DEPEND="${RDEPEND}
64 63
	static? ( ${LIB_DEPEND} )
65 64
	virtual/pkgconfig
......
70 69
	userland_GNU? ( virtual/shadow )
71 70
	X? ( x11-apps/xauth )"
72 71

  
73
S=${WORKDIR}/${PARCH}
72
S="${WORKDIR}/${PARCH}"
74 73

  
75 74
pkg_pretend() {
76 75
	# this sucks, but i'd rather have people unable to `emerge -u openssh`
77 76
	# than not be able to log in to their server any more
78 77
	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
79 78
	local fail="
80
		$(use X509 && maybe_fail X509 X509_PATCH)
81
		$(use ldap && maybe_fail ldap LDAP_PATCH)
82 79
		$(use hpn && maybe_fail hpn HPN_PATCH)
80
		$(use sctp && maybe_fail sctp SCTP_PATCH)
81
		$(use X509 && maybe_fail X509 X509_PATCH)
83 82
	"
84 83
	fail=$(echo ${fail})
85 84
	if [[ -n ${fail} ]] ; then
......
91 90
	fi
92 91

  
93 92
	# Make sure people who are using tcp wrappers are notified of its removal. #531156
94
	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
93
	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
95 94
		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
96 95
		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
97 96
	fi
98 97
}
99 98

  
100
save_version() {
101
	# version.h patch conflict avoidence
102
	mv version.h version.h.$1
103
	cp -f version.h.pristine version.h
104
}
105

  
106 99
src_prepare() {
107 100
	sed -i \
108 101
		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
109 102
		pathnames.h || die
110
	# keep this as we need it to avoid the conflict between LPK and HPN changing
111
	# this file.
112
	cp version.h version.h.pristine
113 103

  
114 104
	# don't break .ssh/authorized_keys2 for fun
115 105
	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
116 106

  
107
	eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
108
	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
109
	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
110

  
111
	local PATCHSET_VERSION_MACROS=()
112

  
117 113
	if use X509 ; then
118
		if use hpn ; then
119
			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null
120
			epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
121
			popd >/dev/null
122
		fi
123
		save_version X509
124
		epatch "${WORKDIR}"/${X509_PATCH%.*}
114
		eapply "${WORKDIR}"/${X509_PATCH%.*}
115

  
116
		# We need to patch package version or any X.509 sshd will reject our ssh client
117
		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
118
		# error
119
		einfo "Patching package version for X.509 patch set ..."
120
		sed -i \
121
			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
122
			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
123

  
124
		einfo "Patching version.h to expose X.509 patch set ..."
125
		sed -i \
126
			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
127
			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
128
		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
129

  
130
		einfo "Disabling broken X.509 agent test ..."
131
		sed -i \
132
			-e "/^ agent$/d" \
133
			"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
134

  
135
		# The following patches don't apply on top of X509 patch
136
		rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
137
		rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
138
		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
139
		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
140
	else
141
		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
142
		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
125 143
	fi
126 144

  
127
	if use ldap ; then
128
		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
129
		save_version LPK
130
	fi
131

  
132
	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
133
	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
134
	epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
135
	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
136
	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
137
	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252
138
	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
139
	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
140
	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
145
	if use sctp ; then
146
		eapply "${WORKDIR}"/${SCTP_PATCH%.*}
147

  
148
		einfo "Patching version.h to expose SCTP patch set ..."
149
		sed -i \
150
			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \
151
			"${S}"/version.h || die "Failed to sed-in SCTP patch version"
152
		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
153

  
154
		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
155
		sed -i \
156
			-e "/\t\tcfgparse \\\/d" \
157
			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
158
	fi
141 159

  
142 160
	if use hpn ; then
143
		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
144
			EPATCH_MULTI_MSG="Applying HPN patchset ..." \
145
			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
146
		save_version HPN
161
		eapply "${WORKDIR}"/${HPN_PATCH%.*}
162

  
163
		einfo "Patching Makefile.in for HPN patch set ..."
164
		sed -i \
165
			-e "/^LIBS=/ s/\$/ -lpthread/" \
166
			"${S}"/Makefile.in || die "Failed to patch Makefile.in"
167

  
168
		einfo "Patching version.h to expose HPN patch set ..."
169
		sed -i \
170
			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER}\"" \
171
			"${S}"/version.h || die "Failed to sed-in HPN patch version"
172
		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
173

  
174
		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
175
			einfo "Disabling known non-working MT AES cipher per default ..."
176

  
177
			cat > "${T}"/disable_mtaes.conf <<- EOF
178

  
179
			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
180
			# and therefore disabled per default.
181
			DisableMTAES yes
182
			EOF
183
			sed -i \
184
				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
185
				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
186

  
187
			sed -i \
188
				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
189
				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
190
		fi
191
	fi
192

  
193
	if use X509 || use hpn ; then
194
		einfo "Patching packet.c for X509 and/or HPN patch set ..."
195
		sed -i \
196
			-e "s/const struct sshcipher/struct sshcipher/" \
197
			"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
147 198
	fi
148 199

  
200
	if use X509 || use sctp || use hpn ; then
201
		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
202
		sed -i \
203
			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
204
			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
205

  
206
		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
207
		sed -i \
208
			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
209
			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
210

  
211
		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
212
		sed -i \
213
			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
214
			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
215
	fi
216

  
217
	sed -i \
218
		-e "/#UseLogin no/d" \
219
		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
220

  
221
	eapply "${WORKDIR}"/patch/*.patch
222

  
223
	eapply_user #473004
224

  
149 225
	tc-export PKG_CONFIG
150 226
	local sed_args=(
151 227
		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
......
154 230
		# Disable fortify flags ... our gcc does this for us
155 231
		-e 's:-D_FORTIFY_SOURCE=2::'
156 232
	)
233

  
157 234
	# The -ftrapv flag ICEs on hppa #505182
158 235
	use hppa && sed_args+=(
159 236
		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
......
165 242
	)
166 243
	sed -i "${sed_args[@]}" configure{.ac,} || die
167 244

  
168
	epatch_user #473004
169

  
170
	# Now we can build a sane merged version.h
171
	(
172
		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
173
		macros=()
174
		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
175
		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
176
	) > version.h
177

  
178 245
	eautoreconf
179 246
}
180 247

  
......
195 262
		--with-privsep-user=sshd
196 263
		$(use_with audit audit linux)
197 264
		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
198
		# We apply the ldap patch conditionally, so can't pass --without-ldap
265
		# We apply the sctp patch conditionally, so can't pass --without-sctp
199 266
		# unconditionally else we get unknown flag warnings.
200
		$(use ldap && use_with ldap)
267
		$(use sctp && use_with sctp)
201 268
		$(use_with ldns)
202 269
		$(use_with libedit)
203 270
		$(use_with pam)
204 271
		$(use_with pie)
205
		$(use X509 || use_with sctp)
206 272
		$(use_with selinux)
207 273
		$(use_with skey)
208
		$(use_with ssh1)
209 274
		$(use_with ssl openssl)
210 275
		$(use_with ssl md5-passwords)
211 276
		$(use_with ssl ssl-engine)
277
		$(use_with !elibc_Cygwin hardening) #659210
212 278
	)
213 279

  
280
	# stackprotect is broken on musl x86
281
	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
282

  
214 283
	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
215 284
	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
216 285

  
217 286
	econf "${myconf[@]}"
218 287
}
219 288

  
220
src_install() {
221
	emake install-nokeys DESTDIR="${D}"
222
	fperms 600 /etc/ssh/sshd_config
223
	dobin contrib/ssh-copy-id
224
	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
225
	newconfd "${FILESDIR}"/sshd.confd sshd
226

  
227
	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
228
	if use pam ; then
229
		sed -i \
230
			-e "/^#UsePAM /s:.*:UsePAM yes:" \
231
			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
232
			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
233
			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
234
			"${ED}"/etc/ssh/sshd_config || die
235
	fi
236

  
237
	# Gentoo tweaks to default config files
238
	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
239

  
240
	# Allow client to pass locale environment variables #367017
241
	AcceptEnv LANG LC_*
242
	EOF
243
	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
244

  
245
	# Send locale environment variables #367017
246
	SendEnv LANG LC_*
247
	EOF
248

  
249
	if use livecd ; then
250
		sed -i \
251
			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
252
			"${ED}"/etc/ssh/sshd_config || die
253
	fi
254

  
255
	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
256
		insinto /etc/openldap/schema/
257
		newins openssh-lpk_openldap.schema openssh-lpk.schema
258
	fi
259

  
260
	doman contrib/ssh-copy-id.1
261
	dodoc CREDITS OVERVIEW README* TODO sshd_config
262
	use X509 || dodoc ChangeLog
263

  
264
	diropts -m 0700
265
	dodir /etc/skel/.ssh
266

  
267
	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
268
	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
269
}
270

  
271 289
src_test() {
272 290
	local t skipped=() failed=() passed=()
273 291
	local tests=( interop-tests compat-tests )
......
297 315
	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"
298 316
}
299 317

  
318
# Gentoo tweaks to default config files.
319
tweak_ssh_configs() {
320
	local locale_vars=(
321
		# These are language variables that POSIX defines.
322
		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
323
		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
324

  
325
		# These are the GNU extensions.
326
		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
327
		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
328
	)
329

  
330
	# First the server config.
331
	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
332

  
333
	# Allow client to pass locale environment variables. #367017
334
	AcceptEnv ${locale_vars[*]}
335

  
336
	# Allow client to pass COLORTERM to match TERM. #658540
337
	AcceptEnv COLORTERM
338
	EOF
339

  
340
	# Then the client config.
341
	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
342

  
343
	# Send locale environment variables. #367017
344
	SendEnv ${locale_vars[*]}
345

  
346
	# Send COLORTERM to match TERM. #658540
347
	SendEnv COLORTERM
348
	EOF
349

  
350
	if use pam ; then
351
		sed -i \
352
			-e "/^#UsePAM /s:.*:UsePAM yes:" \
353
			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
354
			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
355
			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
356
			"${ED%/}"/etc/ssh/sshd_config || die
357
	fi
358

  
359
	if use livecd ; then
360
		sed -i \
361
			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
362
			"${ED%/}"/etc/ssh/sshd_config || die
363
	fi
364
}
365

  
366
src_install() {
367
	emake install-nokeys DESTDIR="${D}"
368
	fperms 600 /etc/ssh/sshd_config
369
	dobin contrib/ssh-copy-id
370
	newinitd "${FILESDIR}"/sshd.initd sshd
371
	newconfd "${FILESDIR}"/sshd-r1.confd sshd
372

  
373
	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
374

  
375
	tweak_ssh_configs
376

  
377
	doman contrib/ssh-copy-id.1
378
	dodoc CREDITS OVERVIEW README* TODO sshd_config
379
	use hpn && dodoc HPN-README
380
	use X509 || dodoc ChangeLog
381

  
382
	diropts -m 0700
383
	dodir /etc/skel/.ssh
384

  
385
	keepdir /var/empty
386

  
387
	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
388
	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
389
}
390

  
300 391
pkg_preinst() {
301 392
	enewgroup sshd 22
302 393
	enewuser sshd 22 -1 /var/empty sshd
......
308 399
		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
309 400
		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
310 401
	fi
311
	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
312
		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
313
	fi
314 402
	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
315 403
		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
316 404
		elog "Make sure to update any configs that you might have.  Note that xinetd might"
......
327 415
		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
328 416
		elog "out of the box.  If you need this, please update your sshd_config explicitly."
329 417
	fi
418
	if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
419
		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
420
		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
421
	fi
422
	if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
423
		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
424
		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
425
		elog "if you need to authenticate against LDAP."
426
		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
427
	fi
330 428
	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
331 429
		elog "Be aware that by disabling openssl support in openssh, the server and clients"
332 430
		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
333 431
		elog "and update all clients/servers that utilize them."
334 432
	fi
433

  
434
	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
435
		elog ""
436
		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
437
		elog "and therefore disabled at runtime per default."
438
		elog "Make sure your sshd_config is up to date and contains"
439
		elog ""
440
		elog "  DisableMTAES yes"
441
		elog ""
442
		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
443
		elog ""
444
	fi
335 445
}
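Review bot: `HPN_DISABLE_MTAES` is tested with `[[ -n "${HPN_DISABLE_MTAES}" ]]` in the hpn branch of src_prepare (new lines 174–190) and again in pkg_preinst (new lines 434–444), but nothing in the visible new-side lines assigns it, so the `DisableMTAES yes` default that the new comment calls for ("known to be broken") only takes effect if the variable happens to be set in the build environment. Unless it is defined in one of the collapsed regions, the hardening and the matching elog are both silently skipped on a default build, and a user who reads the pkg_preinst text will not see it. Consider pinning the intended default next to the other patch-set knobs, e.g. `HPN_DISABLE_MTAES=1 # unset to re-enable the MT AES CTR cipher` after the `HPN_VER=` line, so the behaviour is decided in the ebuild rather than by the caller's environment. A one-line comment at the first test site stating where the variable is expected to come from would also help the next maintainer.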