FREEBSD-upgrade revision 124970
FreeBSD maintainer's guide to OpenSSH-portable
==============================================


0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

3) Remove trash:

   $ tail +2 /usr/src/crypto/openssh/FREEBSD-Xlist |
       while read glob ; do eval "rm -rvf $glob" ; done

   Make sure that took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

   $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

   $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

   $ autoconf
   $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

   $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
       --with-pam --with-tcp-wrappers

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of NO_KERBEROS.  Our Makefiles take care of this.

8) Commit the resulting config.h.  Make sure you don't accidentally
   commit any other files created by autoconf, autoheader or
   configure; they'll just clutter up the repo and cause trouble at
   the next upgrade.

9) Build and test.

A) Re-commit everything on freefall (you *did* use a test repo for
   this, didn't you?)



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

   - For protocol version 2, we don't load RSA host keys by
     default.  If both RSA and DSA keys are present, we prefer DSA
     to RSA.

   - LoginGraceTime defaults to 120 seconds instead of 600.

   - PermitRootLogin defaults to "no".

   - X11Forwarding defaults to "yes" (it's a threat to the client,
     not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

   - For protocol version 2, if both RSA and DSA keys are present,
     we prefer DSA to RSA.

   - CheckHostIP defaults to "no".

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) OPIE

   We've added support for using OPIE as a drop-in replacement for
   S/Key.

5) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.
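As an added example (not part of the FREEBSD-upgrade file or the OpenSSH sources), here is how an administrator can read the VersionAddendum described in section 0 above out of the identification string a server sends, and compare the advertised patch date against the date an advisory's fix shipped. The banner strings are constructed; the "FreeBSD-YYYYMMDD" shape of the addendum and the helper names are assumptions of this example.

```python
import re
from datetime import date

# SSH identification string: "SSH-protoversion-softwareversion SP comments".
# The comment field is where the FreeBSD VersionAddendum is appended.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# Length limit for the appended string, as stated in the guide above.
MAX_ADDENDUM_LEN = 40
# Assumed shape of the addendum: "FreeBSD-YYYYMMDD", where the date is the patch level.
ADDENDUM_RE = re.compile(r"FreeBSD-(\d{4})(\d{2})(\d{2})")


def parse_banner(line: str) -> dict:
    """Split one identification string into protocol, software and addendum parts."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    comment = m.group("comment") or ""
    if len(comment) > MAX_ADDENDUM_LEN:
        raise ValueError("comment field exceeds the 40-character limit")
    return {"proto": m.group("proto"), "software": m.group("software"), "addendum": comment}


def patch_level(addendum: str):
    """Return the advertised patch date, or None if the addendum was disabled or changed."""
    m = ADDENDUM_RE.search(addendum)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)


def needs_attention(line: str, advisory_fix_date: str) -> str:
    """Classify a banner against the ISO date on which an advisory's fix was committed."""
    level = patch_level(parse_banner(line)["addendum"])
    if level is None:
        return "unknown"  # addendum hidden or customised: verify the host another way
    return "patched" if level >= date.fromisoformat(advisory_fix_date) else "unpatched"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for banner in ("SSH-2.0-OpenSSH_3.6.1p1 FreeBSD-20030924\r\n",
                   "SSH-2.0-OpenSSH_3.6.1p1 FreeBSD-20031001\r\n",
                   "SSH-2.0-OpenSSH_3.6.1p1\r\n"):
        print(banner.strip(), "->", needs_attention(banner, "2003-10-01"))
```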



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 124970 2004-01-25 13:09:56Z des $