FREEBSD-upgrade revision 181097


	    FreeBSD maintainer's guide to OpenSSH-portable
	    ==============================================


0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

	$ tar xf openssh-X.YpZ.tar.gz \
		-X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

	$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

	$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

	$ autoconf
	$ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

	$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
		--with-pam --with-tcp-wrappers --with-libedit \
		--with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



	  An overview of FreeBSD changes to OpenSSH-portable
	  ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - PasswordAuthentication defaults to "no" when PAM is enabled.

      - For protocol version 2, we don't load RSA host keys by
        default.  If both RSA and DSA keys are present, we prefer DSA
        to RSA.

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - For protocol version 2, if both RSA and DSA keys are present,
        we prefer DSA to RSA.

      - CheckHostIP defaults to "no".

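   As an added illustration (not FreeBSD's or OpenSSH's own code), the
   following Python builds the identification line sshd sends with a
   VersionAddendum, parses one received from a server, and reads the
   "patch level" date back out of it so an inventory check can compare
   it against the date of an advisory's fix.  The "FreeBSD-YYYYMMDD"
   addendum form and all sample values are constructed assumptions.

```python
import re
from datetime import date

MAX_ADDENDUM = 40    # limit for the addendum stated in the text above
MAX_IDENT = 255      # limit for the whole identification line (RFC 4253)

# Assumption of this example: the addendum carries the patch level as
# "FreeBSD-YYYYMMDD"; any other comment yields no patch date.
_ADDENDUM_RE = re.compile(r"\bFreeBSD-(\d{4})(\d{2})(\d{2})\b")
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[^-\s]+)-(?P<sw>\S+)(?: (?P<comment>[^\r\n]*))?\r?\n$")


def build_ident(software, addendum=None):
    """Return the identification line sshd sends for this VersionAddendum.
    An empty or None addendum disables the comment field entirely."""
    if addendum and len(addendum) > MAX_ADDENDUM:
        raise ValueError("VersionAddendum longer than %d characters" % MAX_ADDENDUM)
    line = "SSH-2.0-" + software
    if addendum:
        line += " " + addendum
    if len(line) + 2 > MAX_IDENT:
        raise ValueError("identification line longer than %d bytes" % MAX_IDENT)
    return (line + "\r\n").encode("ascii")


def parse_ident(line):
    """Split a received identification line into its fields; patch_date is
    the date from a FreeBSD-style addendum, or None when none is advertised."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification line: %r" % line)
    comment = m.group("comment")
    comment = comment.decode("ascii", "replace") if comment is not None else None
    patch_date = None
    if comment:
        d = _ADDENDUM_RE.search(comment)
        if d:
            patch_date = date(*map(int, d.groups()))
    return {"proto": m.group("proto").decode(), "software": m.group("sw").decode(),
            "comment": comment, "patch_date": patch_date}


def patched_since(line, fix_date_iso):
    """True/False when the advertised patch level is at least / older than
    the fix date (YYYY-MM-DD); None when the host hides its patch level."""
    patch_date = parse_ident(line)["patch_date"]
    if patch_date is None:
        return None
    return patch_date >= date.fromisoformat(fix_date_iso)
```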
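   As an added example (not FreeBSD's own code), the following Python
   reports which of the defaults listed above a given sshd_config
   overrides, so an administrator can confirm the FreeBSD defaults are
   still in force.  It treats a keyword as taking sshd's first value,
   stops at the first Match block, and assumes PAM is enabled unless
   the file says otherwise; the sample configuration is constructed.

```python
# Defaults FreeBSD's sshd applies (from the list above), keyed by lowercase
# keyword.  PasswordAuthentication is handled separately: "no" with PAM
# enabled, the upstream "yes" otherwise.
FREEBSD_DEFAULTS = {
    "logingracetime": "120",
    "permitrootlogin": "no",
    "x11forwarding": "yes",
}


def parse_sshd_config(text):
    """Map lowercase keyword -> value for the global section of sshd_config.
    Blank lines and lines starting with '#' are skipped, parsing stops at
    the first Match block (its settings are conditional), and only the
    first occurrence of a keyword counts, as sshd uses the first value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text, pam_enabled=True):
    """Return {keyword: (effective, freebsd_default)} for every listed
    default the file changes; an empty dict means the defaults are in force.
    pam_enabled is this example's assumption about the build; a UsePAM
    line in the file takes precedence over it."""
    settings = parse_sshd_config(text)
    if "usepam" in settings:
        pam_enabled = settings["usepam"].lower() == "yes"
    defaults = dict(FREEBSD_DEFAULTS)
    defaults["passwordauthentication"] = "no" if pam_enabled else "yes"
    findings = {}
    for key, default in defaults.items():
        effective = settings.get(key, default).lower()
        if effective != default:
            findings[key] = (effective, default)
    return findings


# Constructed sshd_config for illustration, not a real FreeBSD file.
SAMPLE_CONFIG = """\
# sample sshd_config
Port 22
PermitRootLogin yes
LoginGraceTime 120
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    X11Forwarding no
"""
```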
3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 181097 2008-08-01 01:13:41Z des $
