FREEBSD-upgrade revision 181097
        FreeBSD maintainer's guide to OpenSSH-portable
        ==============================================



0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

     $ tar xf openssh-X.YpZ.tar.gz \
         -X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

     $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

     $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

     $ autoconf
     $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

     $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
         --with-pam --with-tcp-wrappers --with-libedit \
         --with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



        An overview of FreeBSD changes to OpenSSH-portable
        ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.
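   As an added example (not part of this FreeBSD file or of OpenSSH), the
   Python below shows how an administrator can use the addendum the way
   this section describes: it parses an SSH identification line, pulls the
   patch-level date out of the addendum and classifies each banner in an
   inventory against an advisory date.  The "FreeBSD-YYYYMMDD" addendum
   layout and the sample banners are assumptions constructed for the example.

```python
import re
from datetime import date

# Constructed sample banners for this example (not captured from real hosts).
# The "FreeBSD-YYYYMMDD" addendum layout is an assumption of this example.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080801\r\n",
    "SSH-2.0-OpenSSH_5.1p1\r\n",                 # VersionAddendum disabled
    "SSH-1.99-OpenSSH_4.5p1 FreeBSD-20061110\r\n",
]

# Identification line: "SSH-protoversion-softwareversion[ comments]"; the
# comments field is where the VersionAddendum travels.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_ident(line):
    """Return (proto, software, comments) or None if not an ident line."""
    m = _IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments")

def addendum_date(comments):
    """Extract the patch-level date from a FreeBSD addendum, else None."""
    if not comments:
        return None
    m = re.fullmatch(r"FreeBSD-(\d{4})(\d{2})(\d{2})", comments.strip())
    if not m:
        return None
    try:
        return date(*(int(x) for x in m.groups()))
    except ValueError:          # e.g. month 13: treat as unparseable
        return None

def patched_since(line, advisory_iso):
    """Classify one banner against an advisory date given as YYYY-MM-DD.

    "unknown" covers hosts that hide or omit the addendum: they are not
    safe by default and must be checked by other means.
    """
    parsed = parse_ident(line)
    d = addendum_date(parsed[2]) if parsed else None
    if d is None:
        return "unknown"
    return "patched" if d >= date.fromisoformat(advisory_iso) else "vulnerable"

def triage(banners, advisory_iso):
    """Map each banner to its classification, as an inventory sweep would."""
    return {b.strip(): patched_since(b, advisory_iso) for b in banners}
```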

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

     - PasswordAuthentication defaults to "no" when PAM is enabled.

     - For protocol version 2, we don't load RSA host keys by
       default.  If both RSA and DSA keys are present, we prefer DSA
       to RSA.

     - LoginGraceTime defaults to 120 seconds instead of 600.

     - PermitRootLogin defaults to "no".

     - X11Forwarding defaults to "yes" (it's a threat to the client,
       not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

     - For protocol version 2, if both RSA and DSA keys are present,
       we prefer DSA to RSA.

     - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 181097 2008-08-01 01:13:41Z des $