net-misc/openssh/openssh-6.1_p1.ebuild

# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.1_p1.ebuild,v 1.2 2012/09/25 12:29:34 ulm Exp $

EAPI="2"
inherit eutils user flag-o-matic multilib autotools pam systemd

# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}

HPN_PATCH="${PARCH}-hpn13v11.diff.bz2"
LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
X509_VER="7.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"

DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
        ${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
        ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
        ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
        "

LICENSE="BSD"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
IUSE="${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"

RDEPEND="pam? ( virtual/pam )
        kerberos? ( virtual/krb5 )
        selinux? ( >=sys-libs/libselinux-1.28 )
        skey? ( >=sys-auth/skey-1.1.5-r1 )
        ldap? ( net-nds/openldap )
        libedit? ( dev-libs/libedit )
        >=dev-libs/openssl-0.9.6d
        >=sys-libs/zlib-1.2.3
        tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
        X? ( x11-apps/xauth )
        userland_GNU? ( virtual/shadow )"
DEPEND="${RDEPEND}
        virtual/pkgconfig
        virtual/os-headers
        sys-devel/autoconf"
RDEPEND="${RDEPEND}
        pam? ( >=sys-auth/pambase-20081028 )"

S=${WORKDIR}/${PARCH}

pkg_setup() {
        # this sucks, but i'd rather have people unable to `emerge -u openssh`
        # than not be able to log in to their server any more
        maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
        local fail="
                $(use X509 && maybe_fail X509 X509_PATCH)
                $(use ldap && maybe_fail ldap LDAP_PATCH)
                $(use hpn && maybe_fail hpn HPN_PATCH)
        "
        fail=$(echo ${fail})
        if [[ -n ${fail} ]] ; then
                eerror "Sorry, but this version does not yet support features"
                eerror "that you requested:      ${fail}"
                eerror "Please mask ${PF} for now and check back later:"
                eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
                die "booooo"
        fi
}

save_version() {
        # version.h patch conflict avoidence
        mv version.h version.h.$1
        cp -f version.h.pristine version.h
}

src_prepare() {
        sed -i \
                -e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
                pathnames.h || die
        # keep this as we need it to avoid the conflict between LPK and HPN changing
        # this file.
        cp version.h version.h.pristine

        # don't break .ssh/authorized_keys2 for fun
        sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

        epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
        if use X509 ; then
                pushd .. >/dev/null
                epatch "${FILESDIR}"/${PN}-6.1_p1-x509-glue.patch
                popd >/dev/null
                epatch "${WORKDIR}"/${X509_PATCH%.*}
                epatch "${FILESDIR}"/${PN}-6.1_p1-x509-hpn-glue.patch
                save_version X509
        fi
        if ! use X509 ; then
                if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
                        epatch "${WORKDIR}"/${LDAP_PATCH%.*}
                        save_version LPK
                fi
        else
                use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
        fi
        epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
        epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
        if [[ -n ${HPN_PATCH} ]] && use hpn; then
                epatch "${WORKDIR}"/${HPN_PATCH%.*}
                epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
                save_version HPN
                # The AES-CTR multithreaded variant is broken, and causes random hangs
                # when combined background threading and control sockets. To avoid
                # this, we change the internal table to use the non-multithread version
                # for the meantime. Do NOT remove this in new versions. See bug #354113
                # comment #6 for testcase.
                # Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
                ## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
                ## cipher. Be aware that if the client process is forked using the -f command line
                ## option the process will hang as the parent thread gets 'divorced' from the key
                ## generation threads. This issue will be resolved as soon as possible
                sed -i \
                        -e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
                        cipher.c || die
        fi

        sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die

        # Disable PATH reset, trust what portage gives us. bug 254615
        sed -i -e 's:^PATH=/:#PATH=/:' configure || die

        # Now we can build a sane merged version.h
        (
                sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
                macros=()
                for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
                printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
        ) > version.h

        eautoreconf
}

static_use_with() {
        local flag=$1
        if use static && use ${flag} ; then
                ewarn "Disabling '${flag}' support because of USE='static'"
                # rebuild args so that we invert the first one (USE flag)
                # but otherwise leave everything else working so we can
                # just leverage use_with
                shift
                [[ -z $1 ]] && flag="${flag} ${flag}"
                set -- !${flag} "$@"
        fi
        use_with "$@"
}

src_configure() {
        addwrite /dev/ptmx
        addpredict /etc/skey/skeykeys #skey configure code triggers this

        use static && append-ldflags -static

        econf \
                --with-ldflags="${LDFLAGS}" \
                --disable-strip \
                --with-pid-dir=/var/run \
                --sysconfdir=/etc/ssh \
                --libexecdir=/usr/$(get_libdir)/misc \
                --datadir=/usr/share/openssh \
                --with-privsep-path=/var/empty \
                --with-privsep-user=sshd \
                --with-md5-passwords \
                --with-ssl-engine \
                $(static_use_with pam) \
                $(static_use_with kerberos kerberos5 /usr) \
                ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
                $(use_with libedit) \
                $(use_with selinux) \
                $(use_with skey) \
                $(use_with tcpd tcp-wrappers)
}

src_install() {
        emake install-nokeys DESTDIR="${D}" || die
        fperms 600 /etc/ssh/sshd_config
        dobin contrib/ssh-copy-id || die
        newinitd "${FILESDIR}"/sshd.rc6.3 sshd
        newconfd "${FILESDIR}"/sshd.confd sshd
        keepdir /var/empty

        # not all openssl installs support ecc, or are functional #352645
        if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
                elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
                dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd || die
        fi

        newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
        if use pam ; then
                sed -i \
                        -e "/^#UsePAM /s:.*:UsePAM yes:" \
                        -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
                        -e "/^#PrintMotd /s:.*:PrintMotd no:" \
                        -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
                        "${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
        fi

        # Gentoo tweaks to default config files
        cat <<-EOF >> "${D}"/etc/ssh/sshd_config

        # Allow client to pass locale environment variables #367017
        AcceptEnv LANG LC_*
        EOF
        cat <<-EOF >> "${D}"/etc/ssh/ssh_config

        # Send locale environment variables #367017
        SendEnv LANG LC_*
        EOF

        # This instruction is from the HPN webpage,
        # Used for the server logging functionality
        if [[ -n ${HPN_PATCH} ]] && use hpn ; then
                keepdir /var/empty/dev
        fi

        if use ldap ; then
                insinto /etc/openldap/schema/
                newins openssh-lpk_openldap.schema openssh-lpk.schema
        fi

        doman contrib/ssh-copy-id.1
        dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config

        diropts -m 0700
        dodir /etc/skel/.ssh

        systemd_dounit "${FILESDIR}"/sshd.{service,socket} || die
        systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' || die
}

src_test() {
        local t tests skipped failed passed shell
        tests="interop-tests compat-tests"
        skipped=""
        shell=$(egetshell ${UID})
        if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
                elog "Running the full OpenSSH testsuite"
                elog "requires a usable shell for the 'portage'"
                elog "user, so we will run a subset only."
                skipped="${skipped} tests"
        else
                tests="${tests} tests"
        fi
        # It will also attempt to write to the homedir .ssh
        local sshhome=${T}/homedir
        mkdir -p "${sshhome}"/.ssh
        for t in ${tests} ; do
                # Some tests read from stdin ...
                HOMEDIR="${sshhome}" \
                emake -k -j1 ${t} </dev/null \
                        && passed="${passed}${t} " \
                        || failed="${failed}${t} "
        done
        einfo "Passed tests: ${passed}"
        ewarn "Skipped tests: ${skipped}"
        if [[ -n ${failed} ]] ; then
                ewarn "Failed tests: ${failed}"
                die "Some tests failed: ${failed}"
        else
                einfo "Failed tests: ${failed}"
                return 0
        fi
}

pkg_preinst() {
        enewgroup sshd 22
        enewuser sshd 22 -1 /var/empty sshd
}

pkg_postinst() {
        elog "Starting with openssh-5.8p1, the server will default to a newer key"
        elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
        elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
        echo
        ewarn "Remember to merge your config files in /etc/ssh/ and then"
        ewarn "reload sshd: '/etc/init.d/sshd reload'."
        if use pam ; then
                echo
                ewarn "Please be aware users need a valid shell in /etc/passwd"
                ewarn "in order to be allowed to login."
        fi
        # This instruction is from the HPN webpage,
        # Used for the server logging functionality
        if [[ -n ${HPN_PATCH} ]] && use hpn ; then
                echo
                einfo "For the HPN server logging patch, you must ensure that"
                einfo "your syslog application also listens at /var/empty/dev/log."
        fi
}
1	vapier	1.1	# Copyright 1999-2012 Gentoo Foundation
2			# Distributed under the terms of the GNU General Public License v2
3	vapier	1.3	# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.1_p1.ebuild,v 1.2 2012/09/25 12:29:34 ulm Exp $
4	vapier	1.1
5			EAPI="2"
6			inherit eutils user flag-o-matic multilib autotools pam systemd
7
8			# Make it more portable between straight releases
9			# and _p? releases.
10			PARCH=${P/_}
11
12			HPN_PATCH="${PARCH}-hpn13v11.diff.bz2"
13			LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
14			X509_VER="7.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
15
16			DESCRIPTION="Port of OpenBSD's free SSH release"
17			HOMEPAGE="http://www.openssh.org/"
18			SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
19			${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
20			${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
21			${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
22			"
23
24	ulm	1.2	LICENSE="BSD"
25	vapier	1.1	SLOT="0"
26			KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
27			IUSE="${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"
28
29			RDEPEND="pam? ( virtual/pam )
30			kerberos? ( virtual/krb5 )
31			selinux? ( >=sys-libs/libselinux-1.28 )
32			skey? ( >=sys-auth/skey-1.1.5-r1 )
33			ldap? ( net-nds/openldap )
34			libedit? ( dev-libs/libedit )
35			>=dev-libs/openssl-0.9.6d
36			>=sys-libs/zlib-1.2.3
37			tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
38			X? ( x11-apps/xauth )
39			userland_GNU? ( virtual/shadow )"
40			DEPEND="${RDEPEND}
41			virtual/pkgconfig
42			virtual/os-headers
43			sys-devel/autoconf"
44			RDEPEND="${RDEPEND}
45			pam? ( >=sys-auth/pambase-20081028 )"
46
47			S=${WORKDIR}/${PARCH}
48
49			pkg_setup() {
50			# this sucks, but i'd rather have people unable to `emerge -u openssh`
51			# than not be able to log in to their server any more
52			maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
53			local fail="
54			$(use X509 && maybe_fail X509 X509_PATCH)
55			$(use ldap && maybe_fail ldap LDAP_PATCH)
56			$(use hpn && maybe_fail hpn HPN_PATCH)
57			"
58			fail=$(echo ${fail})
59			if [[ -n ${fail} ]] ; then
60			eerror "Sorry, but this version does not yet support features"
61			eerror "that you requested: ${fail}"
62			eerror "Please mask ${PF} for now and check back later:"
63			eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
64			die "booooo"
65			fi
66			}
67
68			save_version() {
69			# version.h patch conflict avoidence
70			mv version.h version.h.$1
71			cp -f version.h.pristine version.h
72			}
73
74			src_prepare() {
75			sed -i \
76			-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
77			pathnames.h \|\| die
78			# keep this as we need it to avoid the conflict between LPK and HPN changing
79			# this file.
80			cp version.h version.h.pristine
81
82			# don't break .ssh/authorized_keys2 for fun
83			sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
84
85			epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
86			if use X509 ; then
87			pushd .. >/dev/null
88			epatch "${FILESDIR}"/${PN}-6.1_p1-x509-glue.patch
89			popd >/dev/null
90			epatch "${WORKDIR}"/${X509_PATCH%.*}
91			epatch "${FILESDIR}"/${PN}-6.1_p1-x509-hpn-glue.patch
92			save_version X509
93			fi
94			if ! use X509 ; then
95			if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
96			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
97			save_version LPK
98			fi
99			else
100			use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
101			fi
102			epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
103			epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
104			if [[ -n ${HPN_PATCH} ]] && use hpn; then
105			epatch "${WORKDIR}"/${HPN_PATCH%.*}
106			epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
107			save_version HPN
108			# The AES-CTR multithreaded variant is broken, and causes random hangs
109			# when combined background threading and control sockets. To avoid
110			# this, we change the internal table to use the non-multithread version
111			# for the meantime. Do NOT remove this in new versions. See bug #354113
112			# comment #6 for testcase.
113			# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
114			## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
115			## cipher. Be aware that if the client process is forked using the -f command line
116			## option the process will hang as the parent thread gets 'divorced' from the key
117			## generation threads. This issue will be resolved as soon as possible
118			sed -i \
119			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
120			cipher.c \|\| die
121			fi
122
123			sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} \|\| die
124
125			# Disable PATH reset, trust what portage gives us. bug 254615
126			sed -i -e 's:^PATH=/:#PATH=/:' configure \|\| die
127
128			# Now we can build a sane merged version.h
129			(
130			sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
131			macros=()
132			for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
133			printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
134			) > version.h
135
136			eautoreconf
137			}
138
139			static_use_with() {
140			local flag=$1
141			if use static && use ${flag} ; then
142			ewarn "Disabling '${flag}' support because of USE='static'"
143			# rebuild args so that we invert the first one (USE flag)
144			# but otherwise leave everything else working so we can
145			# just leverage use_with
146			shift
147			[[ -z $1 ]] && flag="${flag} ${flag}"
148			set -- !${flag} "$@"
149			fi
150			use_with "$@"
151			}
152
153			src_configure() {
154			addwrite /dev/ptmx
155			addpredict /etc/skey/skeykeys #skey configure code triggers this
156
157			use static && append-ldflags -static
158
159			econf \
160			--with-ldflags="${LDFLAGS}" \
161			--disable-strip \
162	vapier	1.3	--with-pid-dir=/var/run \
163	vapier	1.1	--sysconfdir=/etc/ssh \
164			--libexecdir=/usr/$(get_libdir)/misc \
165			--datadir=/usr/share/openssh \
166			--with-privsep-path=/var/empty \
167			--with-privsep-user=sshd \
168			--with-md5-passwords \
169			--with-ssl-engine \
170			$(static_use_with pam) \
171			$(static_use_with kerberos kerberos5 /usr) \
172			${LDAP_PATCH:+$(use X509 \|\| ( use ldap && use_with ldap ))} \
173			$(use_with libedit) \
174			$(use_with selinux) \
175			$(use_with skey) \
176			$(use_with tcpd tcp-wrappers)
177			}
178
179			src_install() {
180			emake install-nokeys DESTDIR="${D}" \|\| die
181			fperms 600 /etc/ssh/sshd_config
182			dobin contrib/ssh-copy-id \|\| die
183			newinitd "${FILESDIR}"/sshd.rc6.3 sshd
184			newconfd "${FILESDIR}"/sshd.confd sshd
185			keepdir /var/empty
186
187			# not all openssl installs support ecc, or are functional #352645
188			if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
189			elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
190			dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd \|\| die
191			fi
192
193			newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
194			if use pam ; then
195			sed -i \
196			-e "/^#UsePAM /s:.*:UsePAM yes:" \
197			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
198			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
199			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
200			"${D}"/etc/ssh/sshd_config \|\| die "sed of configuration file failed"
201			fi
202
203			# Gentoo tweaks to default config files
204			cat <<-EOF >> "${D}"/etc/ssh/sshd_config
205
206			# Allow client to pass locale environment variables #367017
207			AcceptEnv LANG LC_*
208			EOF
209			cat <<-EOF >> "${D}"/etc/ssh/ssh_config
210
211			# Send locale environment variables #367017
212			SendEnv LANG LC_*
213			EOF
214
215			# This instruction is from the HPN webpage,
216			# Used for the server logging functionality
217			if [[ -n ${HPN_PATCH} ]] && use hpn ; then
218			keepdir /var/empty/dev
219			fi
220
221			if use ldap ; then
222			insinto /etc/openldap/schema/
223			newins openssh-lpk_openldap.schema openssh-lpk.schema
224			fi
225
226			doman contrib/ssh-copy-id.1
227			dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
228
229			diropts -m 0700
230			dodir /etc/skel/.ssh
231
232			systemd_dounit "${FILESDIR}"/sshd.{service,socket} \|\| die
233			systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' \|\| die
234			}
235
236			src_test() {
237			local t tests skipped failed passed shell
238			tests="interop-tests compat-tests"
239			skipped=""
240			shell=$(egetshell ${UID})
241			if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
242			elog "Running the full OpenSSH testsuite"
243			elog "requires a usable shell for the 'portage'"
244			elog "user, so we will run a subset only."
245			skipped="${skipped} tests"
246			else
247			tests="${tests} tests"
248			fi
249			# It will also attempt to write to the homedir .ssh
250			local sshhome=${T}/homedir
251			mkdir -p "${sshhome}"/.ssh
252			for t in ${tests} ; do
253			# Some tests read from stdin ...
254			HOMEDIR="${sshhome}" \
255			emake -k -j1 ${t} </dev/null \
256			&& passed="${passed}${t} " \
257			\|\| failed="${failed}${t} "
258			done
259			einfo "Passed tests: ${passed}"
260			ewarn "Skipped tests: ${skipped}"
261			if [[ -n ${failed} ]] ; then
262			ewarn "Failed tests: ${failed}"
263			die "Some tests failed: ${failed}"
264			else
265			einfo "Failed tests: ${failed}"
266			return 0
267			fi
268			}
269
270			pkg_preinst() {
271			enewgroup sshd 22
272			enewuser sshd 22 -1 /var/empty sshd
273			}
274
275			pkg_postinst() {
276			elog "Starting with openssh-5.8p1, the server will default to a newer key"
277			elog "algorithm (ECDSA). You are encouraged to manually update your stored"
278			elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
279			echo
280			ewarn "Remember to merge your config files in /etc/ssh/ and then"
281			ewarn "reload sshd: '/etc/init.d/sshd reload'."
282			if use pam ; then
283			echo
284			ewarn "Please be aware users need a valid shell in /etc/passwd"
285			ewarn "in order to be allowed to login."
286			fi
287			# This instruction is from the HPN webpage,
288			# Used for the server logging functionality
289			if [[ -n ${HPN_PATCH} ]] && use hpn ; then
290			echo
291			einfo "For the HPN server logging patch, you must ensure that"
292			einfo "your syslog application also listens at /var/empty/dev/log."
293			fi
294			}