2 files changed, 47 insertions, 50 deletions
diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest
index 14d37550a115..7c769882d664 100644
--- a/net-misc/openssh-contrib/Manifest
+++ b/net-misc/openssh-contrib/Manifest
@@ -20,5 +20,5 @@ DIST openssh-9.7_p1-hpn-15.2-X509-15.0-glue.patch.xz 5472 BLAKE2B 6ebbc663aaaa54
 DIST openssh-9.7p1+x509-15.0.diff.gz 1239003 BLAKE2B 98f6a6d531a9afb70d6f34dcd6609115e017d4b1738a0683dbabf66aba02382cf727db4fb07fd2a62534aa87318982e9d1c41991fdbf7cc3e6593d376ad08208 SHA512 c141bddd73fb78a8f0c92bbed6900bab6617768fc124c10ec4ea70491e1b545bbd962fa35ee5efd134a9851a1b807a5b8bae8e46585cf87a60e0311b49de3226
 DIST openssh-9.7p1.tar.gz 1848766 BLAKE2B 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b SHA512 0cafc17d22851605a4a5495a1d82c2b3fbbe6643760aad226dbf2a25b5f49d4375c3172833706ea3cb6c05d5d02a40feb9a7e790eae5c4570dd344a43e94ca55
 DIST openssh-9.7p1.tar.gz.asc 833 BLAKE2B a95e952be48bd55a07d0a95a49dc06c326816c67b8b5d40bd3f64c28aa43122253817b8a088e7a3b8a190375ea39f9fc3400b22d035561f9643c1d32b5caef27 SHA512 e028978e4266de9ad513626b13d70249e4166923fc15f38751178e2b3522ff6ebb9a7ca7dc32d1bb42d42fb92adf9903dba1b734bec083010ed7323aadad8baf
-EBUILD openssh-contrib-9.7_p1-r4.ebuild 18723 BLAKE2B 1eee2c7f965159897b21794438854a11388bbd5f1a3b302feb755f8deb20419774199761f6c4a455cec8f2dd8816ebb06c8965b11ffd2c28adb30d6e1c96e0e6 SHA512 0f78bbfed8afd9ec9b5ffb167bf699b85754204ad21627797561fa6fa3fe196684ed1b0d3b6b125c8f9e679edfda99917285765cdf3f1af24f4a5be19cccb4bb
+EBUILD openssh-contrib-9.7_p1-r4.ebuild 18571 BLAKE2B 44c6acdc67eda0204faf2c55acbe3b27d9955ac94776e230d094c48a05da88165ab86d2bdffd56c6b7204a8d7cb0515960c805ef5b4e8b7987880ac29a8c267a SHA512 3768bb80c819ab2b9451ac798bf067fe7e94c954c88d7c1eb0c7a05462800602c7ed63002506852e608758282b7026a6f3baf45e96167c053e98aa64207e6802
 MISC metadata.xml 2975 BLAKE2B 068d52ba2e5de0b696e7fe995e4c2a041206a59258f24704ca3a72fe1d85323c2aad7899f055b48a4045d6303491822c59f2b86b85fc428a26f8259ea583796a SHA512 83fef701188c00af53382b5099fc2ebf83c903c3edefc3d2cf6deb0a667c0d0d9531c18728eef9b5b703903d31fbdb55a68e5b76890ea090bc1d79fef3ae6b89
diff --git a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
index 6686d35c898f..858a106a682e 100644
--- a/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.7_p1-r4.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
 
-inherit user-info optfeature flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+inherit user-info optfeature flag-o-matic autotools pam systemd toolchain-funcs verify-sig eapi9-ver
 
 # Make it more portable between straight releases
 # and _p? releases.
@@ -465,53 +465,50 @@ pkg_postinst() {
 	# bug #139235
 	optfeature "x11 forwarding" x11-apps/xauth
 
-	local old_ver
-	for old_ver in ${REPLACING_VERSIONS}; do
-		if ver_test "${old_ver}" -lt "5.8_p1"; then
-			elog "Starting with openssh-5.8p1, the server will default to a newer key"
-			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
-			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
-		fi
-		if ver_test "${old_ver}" -lt "7.0_p1"; then
-			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
-			elog "Make sure to update any configs that you might have.  Note that xinetd might"
-			elog "be an alternative for you as it supports USE=tcpd."
-		fi
-		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
-			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
-			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
-			elog "adding to your sshd_config or ~/.ssh/config files:"
-			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
-			elog "You should however generate new keys using rsa or ed25519."
-
-			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
-			elog "to 'prohibit-password'.  That means password auth for root users no longer works"
-			elog "out of the box.  If you need this, please update your sshd_config explicitly."
-		fi
-		if ver_test "${old_ver}" -lt "7.6_p1"; then
-			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
-			elog "Furthermore, rsa keys with less than 1024 bits will be refused."
-		fi
-		if ver_test "${old_ver}" -lt "7.7_p1"; then
-			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
-			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
-			elog "if you need to authenticate against LDAP."
-			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
-		fi
-		if ver_test "${old_ver}" -lt "8.2_p1"; then
-			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
-			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
-			ewarn "connection is generally safe."
-		fi
-		if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
-			ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
-			ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
-			ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
-			ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
-			ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
-			ewarn "set 'Restart=no' in your sshd unit file."
-		fi
-	done
+	if ver_replacing -lt "5.8_p1"; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	if ver_replacing -lt "7.0_p1"; then
+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+		elog "Make sure to update any configs that you might have.  Note that xinetd might"
+		elog "be an alternative for you as it supports USE=tcpd."
+	fi
+	if ver_replacing -lt "7.1_p1"; then #557388 #555518
+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
+		elog "adding to your sshd_config or ~/.ssh/config files:"
+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"
+		elog "You should however generate new keys using rsa or ed25519."
+
+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"
+		elog "out of the box.  If you need this, please update your sshd_config explicitly."
+	fi
+	if ver_replacing -lt "7.6_p1"; then
+		elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+		elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+	fi
+	if ver_replacing -lt "7.7_p1"; then
+		elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+		elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+		elog "if you need to authenticate against LDAP."
+		elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+	fi
+	if ver_replacing -lt "8.2_p1"; then
+		ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+		ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+		ewarn "connection is generally safe."
+	fi
+	if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
+		ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+		ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+		ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+		ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+		ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+		ewarn "set 'Restart=no' in your sshd unit file."
+	fi
 
 	if [[ -n ${show_ssl_warning} ]]; then
 		elog "Be aware that by disabling openssl support in openssh, the server and clients"