FREEBSD-upgrade revision 181091
1139823Simp 221259Swollman 321259Swollman FreeBSD maintainer's guide to OpenSSH-portable 421259Swollman ============================================== 521259Swollman 621259Swollman 721259Swollman0) Make sure your mail spool has plenty of free space. It'll fill up 821259Swollman pretty fast once you're done with this checklist. 921259Swollman 1021259Swollman1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP 1121259Swollman site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) 1221259Swollman 1321259Swollman2) Unpack the tarball in a suitable directory. 1421259Swollman 1521259Swollman $ tar xf openssh-X.YpZ.tar.gz \ 1621259Swollman -X /usr/src/crypto/openssh/FREEBSD-Xlist 1721259Swollman 1821259Swollman3) Remove trash: 1921259Swollman 2021259Swollman Make sure -X took care of everything, and if it didn't, make sure 2121259Swollman to update FREEBSD-Xlist so you won't miss it the next time. A good 2221259Swollman way to do this is to run a test import and see if any new files 2321259Swollman show up: 2421259Swollman 2521259Swollman $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N 2621259Swollman 2721259Swollman4) Import the sources: 2821259Swollman 2921259Swollman $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ 3050477Speter 3121259Swollman5) Resolve conflicts. Remember to bump the version number and 3221259Swollman addendum in version.h, and update the default value in 3321259Swollman ssh{,d}_config and ssh{,d}_config.5. 3421259Swollman 3521259Swollman6) Generate configure and config.h.in: 3621259Swollman 3721259Swollman $ autoconf 3821259Swollman $ autoheader 3921259Swollman 4021259Swollman Note: this requires a recent version of autoconf, not autoconf213. 4121259Swollman 4221259Swollman7) Run configure with the appropriate arguments: 4321259Swollman 4421259Swollman $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ 4521259Swollman --with-pam --with-tcp-wrappers --with-libedit \ 4621259Swollman --with-ssl-engine 4721259Swollman 4821259Swollman This will regenerate config.h, which must be committed along with 4921259Swollman the rest. 5021259Swollman 51108533Sschweikh Note that we don't want to configure OpenSSH for Kerberos using 5221259Swollman configure since we have to be able to turn it on or off depending 5321259Swollman on the value of MK_KERBEROS. Our Makefiles take care of this. 5421259Swollman 5521259Swollman8) If source files have been added or removed, update the appropriate 56108533Sschweikh makefiles to reflect changes in the vendor's Makefile.in. 5721259Swollman 5821259Swollman9) Build libssh. Follow the instructions in ssh_namespace.h to get a 5921259Swollman list of new symbols. Update ssh_namespace.h, build everything, 6021259Swollman install and test. 6121259Swollman 6221259SwollmanA) Build and test the pam_ssh PAM module. It gropes around libssh's 6321259Swollman internals and will break if something significant changes or if 6421259Swollman ssh_namespace.h is out of whack. 6521259Swollman 6683366SjulianB) Re-commit everything on repoman (you *did* use a test repo for 6721259Swollman this, didn't you?) 6885074Sru 6921259Swollman 7021259Swollman 71142215Sglebius An overview of FreeBSD changes to OpenSSH-portable 72155051Sglebius ================================================== 7321259Swollman 7421259Swollman0) VersionAddendum 7521259Swollman 7621259Swollman The SSH protocol allows for a human-readable version string of up 7769224Sjlemon to 40 characters to be appended to the protocol version string. 7869152Sjlemon FreeBSD takes advantage of this to include a date indicating the 79126264Smlaier "patch level", so people can easily determine whether their system 8069224Sjlemon is vulnerable when an OpenSSH advisory goes out. Some people, 8174914Sjhb however, dislike advertising their patch level in the protocol 8274914Sjhb handshake, so we've added a VersionAddendum configuration variable 8383130Sjlemon to allow them to change or disable it. 84132712Srwatson 8569152Sjlemon1) Modified server-side defaults 86121816Sbrooks 87121816Sbrooks We've modified some configuration defaults in sshd: 88130416Smlaier 89130416Smlaier - PasswordAuthentication defaults to "no" when PAM is enabled. 9060938Sjake 9160938Sjake - For protocol version 2, we don't load RSA host keys by 9260938Sjake default. If both RSA and DSA keys are present, we prefer DSA 9372084Sphk to RSA. 94159781Smlaier 9521259Swollman - LoginGraceTime defaults to 120 seconds instead of 600. 9621259Swollman 9721259Swollman - PermitRootLogin defaults to "no". 9821259Swollman 9921259Swollman - X11Forwarding defaults to "yes" (it's a threat to the client, 10021259Swollman not to the server.) 10121259Swollman 10221259Swollman2) Modified client-side defaults 10321259Swollman 10421259Swollman We've modified some configuration defaults in ssh: 10569152Sjlemon 10621259Swollman - For protocol version 2, if both RSA and DSA keys are present, 10721259Swollman we prefer DSA to RSA. 10821259Swollman 10921259Swollman - CheckHostIP defaults to "no". 11021259Swollman 11121259Swollman3) Canonic host names 11221259Swollman 11384380Smjacob We've added code to ssh.c to canonicize the target host name after 11421259Swollman reading options but before trying to connect. This eliminates the 11521259Swollman usual problem with duplicate known_hosts entries. 116147256Sbrooks 11760938Sjake4) setusercontext() environment 118121816Sbrooks 119121816Sbrooks Our setusercontext(3) can set environment variables, which we must 120121816Sbrooks take care to transfer to the child's environment. 12121259Swollman 122128291Sluigi 123128291Sluigi 124128315SluigiThis port was brought to you by (in no particular order) DARPA, NAI 125128315SluigiLabs, ThinkSec, Nescaf�, the Aberlour Glenlivet Distillery Co., 126128315SluigiSuzanne Vega, and a Sanford's #69 Deluxe Marker. 127128315Sluigi 128128291Sluigi -- des@FreeBSD.org 129128315Sluigi 130152315Sru$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 181091 2008-08-01 00:28:50Z des $ 131128291Sluigi