Add net-misc/openssh-7.3_p1-r7

3 files changed, 387 insertions, 0 deletions

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index b49dedd8..cd11d4ca 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -19,6 +19,7 @@ AUX openssh-7.2_p1-x509-warnings.patch 712 SHA256 506b0770e33540f6f6f79a506f403c
 AUX openssh-7.3-mips-seccomp-n32.patch 581 SHA256 38e0c0619f5e9617eae27b8e7d073ddbdda638b71d946286eb041667fff9958e SHA512 909443d301c85694086f9eb5f256ad27095991f03f502e8f61902bbbb2677a0137d3d13bbe6169371d1505c0a883f95230a37a3d125c7117aa1a05c6b0b634b3 WHIRLPOOL af7fafbd351a0277c8b4e65e17d5e5abef0e3abd67995c888460e2a612cdf90ce878b34bb0d839fa27192921d3d9be24692e3fbe00ef0e2653d5ff0f59228f8f
 AUX openssh-7.3_p1-GSSAPI-dns.patch 11137 SHA256 081c1cee62b43aae1d84ee67e3b510f0775081c9901c971a6f60a35bb92046f1 SHA512 70db76a409d5a11513f57c67671131b95c83164af2ecafa423986def42a1a2a31c4653d06f510b8c440a974e03f0acad8cbe20d5a17cfb2ed4598a9b8ae60b91 WHIRLPOOL bd3f32d7b795d9d5948d1a2d38a3e9fc6380369378988da095e096a54bf8c41209bfa7955c04b68b3966a30ca10fd522778d76a0621d0858639f3e09f075b708
 AUX openssh-7.3_p1-NEWKEYS_null_deref.patch 857 SHA256 0d612c16c7b1b3b45fbe1c1507c4e80cfe001ab4fd7fbcfc80fb9cecc893d94a SHA512 2230ddd7473feaa22544eae5c1074981e5ade322a22016f245ec3a6b3bf260104909021497a728fbfaf5dbd6e81269b9b815a3a3de2bf8104f7b3d1bdacbcc06 WHIRLPOOL b927971ec7c07a8d350690280d9766f71ebeb03fc6ffefa2457801abf160ee331ec3bafca02acc3697899d9e2a56ce7b01e68b745cb6f5b491d8b30aea0b9366
+AUX openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch 573 SHA256 4858c775dd654c6ddc1617c6eb1649aa2f91d5aca8d2fc28e042dbb587db98de SHA512 aae178da8e46cd7df0671405968d490edb50e6a837d3e1b375f7e58e5396decb1530dd646d97eb995a45350cc4ad05a89e2e660e8ef862f6a57f6b6fbba84c5c WHIRLPOOL 6e320066050ba2f9a1a5a7b82ccf402af203c1f106991d37434e21f8a6ea17500a477114cdc6ac775336d4c0362888fabb084c5a464867a81d7404a6b6a348dc
 AUX openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch 424 SHA256 263cd9822638912afbf780a3514178669748217f98aba19928ffcdd1b206d4eb SHA512 5ddc28db2770269bc51851abd4d9c6c2890fa203604e944a3f9718dc5e711cdc28cfc0f4829cfc7733489dbb31605d84ae92d740406d02ce2e4e0d479825ec5f WHIRLPOOL 55e4c29816c0273be575f86dbf88862f907d00ccd69c773e8ad561997f8efc4e6f4ddc90f32c03646510389e646f81c2468d59ffd48701fba1c3f5612699eec2
 AUX openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 7005 SHA256 44ae73966a98e0d7cf36f35b64472b62128040c86720a915b6e72ca269b72f13 SHA512 35cb90a5ebf85b31db902155a8d48a65d2734943cf46e2ac1fcbcb8a19e31d9bf6057ec3c0001a4cb14eac572e5d400087c3218c81df40146731472e406499d8 WHIRLPOOL ba47e8f157ecf448becef9f1c9dfb5bea9f6bd39b461c13cb265a7dc9fde31634a583db3849429ed27129e8c5e797eebe7141c310674126a9a0e2f232c92d8e1
 AUX openssh-7.3_p1-hpn-x509-9.2-glue.patch 1611 SHA256 7d04d19e62e688c9c12c25fd479933dd2c707f838ac810263dd1dc79a5ff55f1 SHA512 3604f0f1ea6c74b8418ac158df47910dfb2d54c7ce77f78f1a6c072acd20dc5751e24156acd9dda02aecaac250f43c8d968382f2f4b15b4706e4c4bde8ebde9a WHIRLPOOL b327a94c5b37da296caaa925bf13adf81ab3a53dffe691b33010b89b07366445613e553b4f486bacab658e2dcec143971001b4158f493e9b7e5bd427f0e072fb
@@ -62,3 +63,4 @@ EBUILD openssh-7.1_p2.ebuild 11234 SHA256 7b6988caa6bd87d1db71f4d05926e45b2adfee
 EBUILD openssh-7.2_p2-r1.ebuild 11491 SHA256 49043465fcdadd915ff3c508266d77fae9e71e23d44a2fa23b9e8780e5e21cda SHA512 c3692f44162618b7ca6d268e8f8c5ed6a3976a1897f149690dea41a491d75c10316d7f686d893795798b9eb3f5e55ac1d795067aba19e99482eaa803ff64a29a WHIRLPOOL 2de3d82fc8703f2651ff5e8ec47fe125c89df36e32ea1a4905edfdf6c0371c849a757b1dd34ef4ae7eb0cca637ac6382f652cbec6d77ae853041c5a4fed76a07
 EBUILD openssh-7.2_p2.ebuild 11375 SHA256 e12b05c4f68064e1aa7a156052ba793205d90f4760bb5769e6cf251ff2fedb7d SHA512 1b41950cb0e3323e0a3a6386249289b201c89fb3898a413f71737de393d4781cd9ae956304cc807f1c7ca5a4eb00d99c91a5d0d984bcb87cf218a0d93a035569 WHIRLPOOL d881cad5492c042539b78e9640ef4ca6de6ca20ab8877fec25ad81058a36929d60c3b8ee2828121a036855542983fee5c3b49153ea8dfcae9f1e0b5bef3d65f5
 EBUILD openssh-7.3_p1-r6.ebuild 12355 SHA256 65ab08aebd05352e2ca9f9fbc3a7f952a78959a12652565c7166ee1e1a290c83 SHA512 c6bbd94d4997c65f3a6f285e6e1f45e2d13500dd6687d27499b1d94c478726ca6e1d2f19f24c1caa7a64278bff8e9880956e12c867d6b6d0eac0fc36eab49077 WHIRLPOOL 8c2dc77cb5a51406ad78110d865ab28ef3293a3ec1944d205083d7ba4ec3ba884c4c2f00fa92f7ca104c89f64b459bc81b8f385b2a441333493a373354d637bb
+EBUILD openssh-7.3_p1-r7.ebuild 12451 SHA256 a8f8784173f690e788eaf4d795560f6a0f4ab70413cdffd9153b5215175ae5df SHA512 0233979d37da76d38e3ddba4cb280007ed76f979f5dc19c2f08944c19df9ffb33e1a6adbb675f01b102bd8c002fa69979da5fc4f45df82b8f47693a09601bf01 WHIRLPOOL 2adea13565fef0ed7fd7df8597272595c90c933a4ea49ddefcc2b95e8d75eed744fe28e5268dbbe1241cac34c8ff669955ad72136c812cede466ba601852b5aa
diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
new file mode 100644
index 00000000..f7b41dc4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
@@ -0,0 +1,18 @@
+diff --git a/kex.c b/kex.c
+index 50c7a0f..d09c27b 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+  *
+@@ -472,6 +472,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ 	if (kex == NULL)
+ 		return SSH_ERR_INVALID_ARGUMENT;
+ 
++	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ 	ptr = sshpkt_ptr(ssh, &dlen);
+ 	if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ 		return r;
diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
new file mode 100644
index 00000000..b307c5bc
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
@@ -0,0 +1,367 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id: ad0950fa06f0fc131589175568e3a8d19b38426a $
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="${PV}"
+HPN_VER="14.10"
+
+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+	${HPN_PATCH:+hpn? (
+		mirror://gentoo/${HPN_PATCH}.xz
+		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
+	)}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos ldap ldns libedit libressl -libseccomp livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509 abi_x86_x32"
+REQUIRED_USE="ldns? ( ssl )
+	pie? ( !static )
+	ssh1? ( ssl )
+	static? ( !kerberos !pam )
+	X509? ( !ldap ssl )
+	test? ( ssl )"
+
+LIB_DEPEND="
+	ldns? (
+		net-libs/ldns[static-libs(+)]
+		!bindist? ( net-libs/ldns[ecdsa,ssl] )
+		bindist? ( net-libs/ldns[-ecdsa,ssl] )
+	)
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	libseccomp? ( sys-libs/libseccomp )
+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	ssl? (
+		!libressl? (
+			>=dev-libs/openssl-0.9.8f:0[bindist=]
+			dev-libs/openssl:0[static-libs(+)]
+		)
+		libressl? ( dev-libs/libressl[static-libs(+)] )
+	)
+	>=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "This version of OpenSSH does not yet have all previous functionality enabled"
+	fi
+
+	# Make sure people who are using tcp wrappers are notified of its removal. #531156
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	if use X509 ; then
+		pushd .. >/dev/null
+		if use hpn ; then
+			pushd "${WORKDIR}" >/dev/null
+			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
+			popd >/dev/null
+		fi
+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+		save_version X509
+	else
+		# bug #592122, fixed by X509 patch
+		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+	fi
+	if use ldap ; then
+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+		save_version LPK
+	fi
+
+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+
+	if use hpn ; then
+		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+		epatch "${WORKDIR}"/${HPN_PATCH}
+		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+		save_version HPN
+	fi
+
+	tc-export PKG_CONFIG
+	local sed_args=(
+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+		# Disable PATH reset, trust what portage gives us #254615
+		-e 's:^PATH=/:#PATH=/:'
+		# Disable fortify flags ... our gcc does this for us
+		-e 's:-D_FORTIFY_SOURCE=2::'
+	)
+	# The -ftrapv flag ICEs on hppa #505182
+	use hppa && sed_args+=(
+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+	)
+	sed -i "${sed_args[@]}" configure{.ac,} || die
+
+	# 7.3 added seccomp support to MIPS, but failed to handled the N32
+	# case.  This patch is temporary until upstream fixes.  See
+	# Gentoo bug #591392 or upstream #2590.
+	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
+		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
+	epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
+
+	if use libseccomp; then
+		epatch "${FILESDIR}"/${PN}-7.3_p1-libseccomp.patch
+	fi
+
+	epatch_user #473004
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+
+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+	use static && append-ldflags -static
+
+	local myconf=(
+		--with-ldflags="${LDFLAGS}"
+		--disable-strip
+		--with-pid-dir="${EPREFIX}"/var/run
+		--sysconfdir="${EPREFIX}"/etc/ssh
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+		--datadir="${EPREFIX}"/usr/share/openssh
+		--with-privsep-path="${EPREFIX}"/var/empty
+		--with-privsep-user=sshd
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+		# We apply the ldap patch conditionally, so can't pass --without-ldap
+		# unconditionally else we get unknown flag warnings.
+		$(use ldap && use_with ldap)
+		$(use_with ldns)
+		$(use_with libedit)
+		$(use_with pam)
+		$(use_with pie)
+		$(use_with sctp)
+		$(use_with selinux)
+		$(use_with skey)
+		$(use_with ssh1)
+		$(use_with ssl openssl)
+		$(use_with ssl md5-passwords)
+		$(use_with ssl ssl-engine)
+		$(use_with libseccomp sandbox libseccomp_filter)
+	)
+
+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
+	if use abi_x86_x32 && ! use libseccomp; then
+		ewarn "The default 'seccomp' sandbox does not work correctly on x32, and so - without"
+		ewarn "experimental libseccomp support at least - it is required that this build"
+		ewarn "fallback to the basic 'rlimit' sandbox, where a child process is prevented from"
+		ewarn "forking or opening new network connections by having setrlimit() called to reset"
+		ewarn "its hard-limit of file descriptors and processes to zero.  As such, this is a"
+		ewarn "very basic fallback choice where no better alternative is available."
+		myconf+=( --with-sandbox=rlimit )
+	fi
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	# Allow root password logins for live-cds
+	if use livecd ; then
+		sed -i \
+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
+			"${ED}"/etc/ssh/sshd_config || die
+	fi
+
+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc CREDITS OVERVIEW README* TODO sshd_config
+	use X509 || dodoc ChangeLog
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+		elog "Be aware that by disabling openssl support in openssh, the server and clients"
+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
+		elog "and update all clients/servers that utilize them."
+	fi
+}