FREEBSD-upgrade revision 99045

FreeBSD maintainer's guide to OpenSSH-portable
==============================================


0) Make sure your mail spool has plenty of free space. It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

3) Remove trash:

   $ rm -rf $(cat FREEBSD-Xlist)

   Make sure that took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.

4) Import the sources:

   $ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts. Remember to bump the version number and
   addendum in version.h.

6) Generate configure and config.h.in:

   $ autoconf
   $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

   $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
       --with-pam --with-opie --with-tcp-wrappers

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MAKE_KERBEROS[45]. Our Makefiles take care of
   this.

8) Commit the resulting config.h. Make sure you don't accidentally
   commit any other files created by autoconf, autoheader or
   configure; they'll just clutter up the repo and cause trouble at
   the next upgrade.

9) Build and test.

A) Re-commit everything on freefall (you *did* use a test repo for
   this, didn't you?)



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out. Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

   - For protocol version 2, we don't load RSA host keys by
     default. If both RSA and DSA keys are present, we prefer DSA
     to RSA.

   - LoginGraceTime defaults to 120 seconds instead of 600.

   - PermitRootLogin defaults to "no".

   - X11Forwarding defaults to "yes" (it's a threat to the client,
     not to the server.)

   - Unless the config file says otherwise, we automatically enable
     Kerberos support if an appropriate keytab is present.

   - PAMAuthenticationViaKbdInt defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

   - For protocol version 2, if both RSA and DSA keys are present,
     we prefer DSA to RSA.

   - CheckHostIP defaults to "no".

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name
   after reading options but before trying to connect. This
   eliminates the usual problem with duplicate known_hosts entries.

4) OPIE

   We've added support for using OPIE as a drop-in replacement for
   S/Key.

5) PAM

   We use our own PAM code, which wraps PAM in a KbdintDevice and
   works with privsep, instead of OpenSSH's own PAM code.

6) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

 -- des@FreeBSD.org

$FreeBSD: head/crypto/openssh/FREEBSD-upgrade 99045 2002-06-29 10:39:14Z des $
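The VersionAddendum behaviour described in the overview above, as an added example that is not part of this FreeBSD file or the OpenSSH sources: a small Python builder and parser for the identification line sshd sends, enforcing the 40-character limit the guide states and showing what an operator gives away (or hides) in the handshake. The FreeBSD-YYYYMMDD shape of the date addendum and all sample strings are assumptions made here, not taken from the page.

```python
"""Build and parse SSH identification lines, the string VersionAddendum
alters. Added example, not from the FreeBSD or OpenSSH sources."""
import re

# Limit quoted in the guide for the appended human-readable string.
MAX_ADDENDUM = 40

# SSH-<protoversion>-<softwareversion>[ SP <comments>]; the addendum is
# the trailing comments field. Every sample string here is constructed.
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def build_banner(software, addendum=""):
    """Compose the line sshd sends; an empty addendum disables the field."""
    if len(addendum) > MAX_ADDENDUM:
        raise ValueError("VersionAddendum longer than %d characters" % MAX_ADDENDUM)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in addendum):
        raise ValueError("VersionAddendum must not contain control characters")
    line = "SSH-2.0-" + software
    if addendum:
        line += " " + addendum
    return line + "\r\n"


def parse_banner(line):
    """Split a received line into protocol, software and addendum parts."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification line")
    proto, software, addendum = m.groups()
    return {"proto": proto, "software": software, "addendum": addendum or ""}


def addendum_is_patch_date(addendum):
    """True for the assumed FreeBSD-YYYYMMDD form of a date-bearing addendum."""
    return re.fullmatch(r"FreeBSD-\d{8}", addendum) is not None


if __name__ == "__main__":
    # One banner advertising a patch date, one with the addendum disabled.
    for raw in (build_banner("OpenSSH_3.4p1", "FreeBSD-20020702"),
                build_banner("OpenSSH_3.4p1")):
        info = parse_banner(raw)
        print(info, "advertises patch date:", addendum_is_patch_date(info["addendum"]))
```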