FREEBSD-upgrade revision 99454
FreeBSD maintainer's guide to OpenSSH-portable
==============================================


0) Make sure your mail spool has plenty of free space. It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

3) Remove trash:

   $ rm -rf $(cat FREEBSD-Xlist)

   Make sure that took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.

4) Import the sources:

   $ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts. Remember to bump the version number and
   addendum in version.h.

6) Generate configure and config.h.in:

   $ autoconf
   $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

   $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
       --with-pam --with-tcp-wrappers

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MAKE_KERBEROS[45]. Our Makefiles take care of
   this.

8) Commit the resulting config.h.
   Make sure you don't accidentally
   commit any other files created by autoconf, autoheader or
   configure; they'll just clutter up the repo and cause trouble at
   the next upgrade.

9) Build and test.

A) Re-commit everything on freefall (you *did* use a test repo for
   this, didn't you?)



 An overview of FreeBSD changes to OpenSSH-portable
 ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out. Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

   - For protocol version 2, we don't load RSA host keys by
     default. If both RSA and DSA keys are present, we prefer DSA
     to RSA.

   - LoginGraceTime defaults to 120 seconds instead of 600.

   - PermitRootLogin defaults to "no".

   - X11Forwarding defaults to "yes" (it's a threat to the client,
     not to the server.)

   - Unless the config file says otherwise, we automatically enable
     Kerberos support if an appropriate keytab is present.

   - PAMAuthenticationViaKbdInt defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

   - For protocol version 2, if both RSA and DSA keys are present,
     we prefer DSA to RSA.

   - CheckHostIP defaults to "no".
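   Sections 0 and 1 above describe sshd defaults that differ from
   upstream. The script below is an added example, not part of this
   file or of the FreeBSD port: it audits an sshd_config against the
   PermitRootLogin and LoginGraceTime defaults described there and
   reports whether VersionAddendum has been set. It assumes a POSIX sh
   with awk, does not handle Match blocks or the "Keyword=value" form,
   and runs on a constructed sample configuration.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD-upgrade file: audit an sshd_config
# against the FreeBSD server-side defaults described above.
# Assumes POSIX sh plus awk; the sample config at the bottom is constructed.
# Limitation: Match blocks and the "Keyword=value" form are not handled.

# sshd_option FILE KEYWORD: print the effective value of KEYWORD.
# sshd keeps the first occurrence of a keyword and ignores later ones,
# and keywords are case-insensitive, so do the same here.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one line per check and a final "findings: N"
# line counting the settings weaker than the FreeBSD defaults.
audit_sshd_config() {
    cfg="$1"; n=0

    # PermitRootLogin: FreeBSD default is "no". An unset keyword means the
    # compiled-in default applies, so only an explicit non-"no" value is flagged.
    v=$(sshd_option "$cfg" PermitRootLogin)
    case "$v" in
        ""|[Nn][Oo]) ;;
        *) echo "WEAK: PermitRootLogin $v (FreeBSD default is no)"; n=$((n + 1)) ;;
    esac

    # LoginGraceTime: FreeBSD default is 120 seconds, upstream's was 600,
    # and 0 means no limit at all. Suffixed times such as "2m" are valid
    # sshd syntax but are left for manual review rather than parsed.
    v=$(sshd_option "$cfg" LoginGraceTime)
    case "$v" in
        "") ;;
        *[!0-9]*)
            echo "REVIEW: LoginGraceTime $v uses a suffixed time; check it by hand"
            n=$((n + 1)) ;;
        *)
            if [ "$v" -eq 0 ] || [ "$v" -gt 120 ]; then
                echo "WEAK: LoginGraceTime $v exceeds the FreeBSD default of 120 seconds"
                n=$((n + 1))
            fi ;;
    esac

    # VersionAddendum is a policy choice, not a weakness: report what the
    # banner will advertise so the operator can decide.
    v=$(sshd_option "$cfg" VersionAddendum)
    if [ -z "$v" ]; then
        echo "INFO: VersionAddendum not set; the banner advertises the FreeBSD date-stamped patch level"
    else
        echo "INFO: VersionAddendum is \"$v\""
    fi

    echo "findings: $n"
}

# write_sample_config FILE: constructed sshd_config for the demonstration.
# The second PermitRootLogin line is deliberately ignored by sshd (first wins).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config for the audit example
Port 22
PermitRootLogin yes
LoginGraceTime 600
PermitRootLogin no
#VersionAddendum FreeBSD-YYYYMMDD
EOF
}

sample=$(mktemp) || exit 1
write_sample_config "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

   On the sample the audit flags PermitRootLogin and LoginGraceTime and
   reports two findings; the commented-out VersionAddendum line produces
   only an informational note, since either choice is legitimate policy.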

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name after
   reading options but before trying to connect. This eliminates the
   usual problem with duplicate known_hosts entries.

4) OPIE

   We've added support for using OPIE as a drop-in replacement for
   S/Key.

5) PAM

   We use our own PAM code, which wraps PAM in a KbdintDevice and
   works with privsep, instead of OpenSSH's own PAM code.

6) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 99454 2002-07-05 15:25:55Z des $