FREEBSD-upgrade revision 247892
            FreeBSD maintainer's guide to OpenSSH-portable
            ==============================================

[needs rewriting for svn]

0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

        $ tar xf openssh-X.YpZ.tar.gz \
                -X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

        $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

        $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

        $ autoconf
        $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

        $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
                --disable-lastlog --disable-utmp --disable-wtmp \
                --with-pam --with-tcp-wrappers --with-libedit \
                --with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



          An overview of FreeBSD changes to OpenSSH-portable
          ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - PasswordAuthentication defaults to "no".

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 247892 2013-03-06 13:46:20Z des $
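
Added example (not part of the FreeBSD file or of OpenSSH): a patch-level check built on the VersionAddendum described in the overview above, run against banners an administrator has collected from their own hosts. It assumes the addendum carries the date as an 8-digit YYYYMMDD run (for instance "FreeBSD-YYYYMMDD"); the function names, sample banners and advisory date are constructed for illustration.

```python
import re
from datetime import date

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The VersionAddendum travels in the optional comments field.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<addendum>.*))?$")
# Assumption: the patch-level date appears as an 8-digit YYYYMMDD run.
DATE_RE = re.compile(r"(?<!\d)(\d{4})(\d{2})(\d{2})(?!\d)")
MAX_ADDENDUM = 40  # limit stated in the VersionAddendum paragraph


def parse_banner(line):
    """Split an SSH identification line into (protocol, software, addendum)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    addendum = m.group("addendum") or ""
    if len(addendum) > MAX_ADDENDUM:
        raise ValueError("addendum longer than %d characters" % MAX_ADDENDUM)
    return m.group("proto"), m.group("software"), addendum


def patch_date(addendum):
    """Return the date embedded in the addendum, or None if absent or invalid."""
    m = DATE_RE.search(addendum)
    if m is None:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13: not a real date
        return None


def needs_update(banner, fixed_on):
    """True: patch level predates the fix. False: at or after it. None: unknown."""
    _, _, addendum = parse_banner(banner)
    level = patch_date(addendum)
    if level is None:
        return None  # addendum changed or disabled; verify the host another way
    return level < fixed_on


if __name__ == "__main__":
    # Constructed sample banners and a constructed advisory fix date.
    for b in ("SSH-2.0-OpenSSH_X.YpZ FreeBSD-20130101\r\n",
              "SSH-2.0-OpenSSH_X.YpZ FreeBSD-20130401\r\n",
              "SSH-2.0-OpenSSH_X.YpZ\r\n"):
        print(repr(b), needs_update(b, date(2013, 3, 1)))
```

A None result is the case the overview mentions: the administrator has changed or disabled VersionAddendum, so the banner says nothing about patch level and the host has to be checked by other means.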