

	    FreeBSD maintainer's guide to OpenSSH-portable
	    ==============================================

XXX
XXX this needs a complete rewrite
XXX svn merge from vendor branch, resolve conflicts manually
XXX   (see FREEBSD-tricks for tips on how to reduce conflicts)
XXX run freebsd-configure.sh to generate config.h and krb5_config.h
XXX svn diff Makefile.in to see if the Makefiles need adjusting
XXX

0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

	$ tar xf openssh-X.YpZ.tar.gz \
		-X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

	$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

	$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

	$ autoconf
	$ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

	$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
		--with-pam --with-tcp-wrappers --with-libedit \
		--with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)
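
   The "did -X take care of everything" check from steps 2 and 3 can be
   rehearsed offline before touching a repository.  This is an added
   example, not part of the FreeBSD tree; the tarball listing, the Xlist
   patterns and the vendor-tree listing are constructed stand-ins, and the
   output is the set of paths a `cvs -n import | grep ^N` run would flag.

```python
import fnmatch

# Constructed listings (not from a real tarball or tree), standing in for
# `tar tf openssh-X.YpZ.tar.gz`, the patterns in FREEBSD-Xlist, and the
# files already present in the vendor tree.
TARBALL_FILES = [
    "openssh-X.YpZ/ssh.c",
    "openssh-X.YpZ/sshd.c",
    "openssh-X.YpZ/version.h",
    "openssh-X.YpZ/contrib/redhat/openssh.spec",
    "openssh-X.YpZ/regress/unittests/misc.c",
    "openssh-X.YpZ/newfile.c",
]
XLIST = ["*/contrib", "*/regress/unittests"]
VENDOR_TREE = ["ssh.c", "sshd.c", "version.h"]


def excluded(path, patterns):
    """True if an Xlist pattern matches the path or any parent directory,
    so that a directory pattern prunes the whole subtree as tar -X does."""
    parts = path.split("/")
    prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return any(fnmatch.fnmatch(p, pat) for p in prefixes for pat in patterns)


def strip_top_dir(path):
    """Drop the leading openssh-X.YpZ/ component to get the in-tree path."""
    return path.split("/", 1)[1]


def new_files(tarball=TARBALL_FILES, xlist=XLIST, vendor_tree=VENDOR_TREE):
    """Files that survive -X but are not in the vendor tree yet: the ones a
    `cvs -n import ... | grep ^N` run would report.  Each is either a
    genuinely new vendor file or trash that FREEBSD-Xlist does not cover."""
    survivors = {strip_top_dir(p) for p in tarball if not excluded(p, xlist)}
    return sorted(survivors - set(vendor_tree))


if __name__ == "__main__":
    for path in new_files():
        print("N", path)
```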



	  An overview of FreeBSD changes to OpenSSH-portable
	  ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.
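
   The way an administrator would actually use that addendum, as an
   added example that is not part of the FreeBSD sources: split the
   identification string into protocol version, software version and
   addendum, then compare the embedded date against an advisory date.
   The banners are constructed, and the FreeBSD-YYYYMMDD layout of the
   addendum is assumed here; the text above only says it carries a date.

```python
import re
from datetime import date

# Constructed identification strings, not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_X.YpZ FreeBSD-20130515\r\n",  # FreeBSD addendum present
    "SSH-2.0-OpenSSH_X.YpZ\r\n",                   # VersionAddendum disabled
]

# RFC 4253 layout: SSH-protoversion-softwareversion SP comments CR LF
_BANNER = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
MAX_ADDENDUM = 40  # the limit quoted in the text above


def parse_banner(banner):
    """Return (protoversion, softwareversion, addendum) from one banner line."""
    m = _BANNER.match(banner.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    addendum = m.group("comments") or ""
    if len(addendum) > MAX_ADDENDUM:
        raise ValueError("addendum longer than %d characters" % MAX_ADDENDUM)
    return m.group("proto"), m.group("software"), addendum


def patch_level(addendum):
    """Date carried by a FreeBSD-YYYYMMDD addendum (assumed layout), or
    None when the addendum is empty or in some other format."""
    m = re.fullmatch(r"FreeBSD-(\d{4})(\d{2})(\d{2})", addendum)
    return date(*map(int, m.groups())) if m else None


def patched_since(banner, advisory_iso_date):
    """True if the host's patch level is on or after the advisory date,
    False if it is older, None when the banner reveals no patch level."""
    _, _, addendum = parse_banner(banner)
    level = patch_level(addendum)
    if level is None:
        return None
    return level >= date.fromisoformat(advisory_iso_date)
```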

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - PasswordAuthentication defaults to "no".

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".

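   The practical consequence of sections 1 and 2 is that a directive
   missing from a config file means something different on FreeBSD than
   on a stock OpenSSH-portable build.  The following added example (not
   FreeBSD code) resolves the directives listed above to their effective
   values and records whether each came from the file or from the FreeBSD
   default; the sample sshd_config is constructed.

```python
import re

# FreeBSD's sshd and ssh defaults as listed above; keywords are stored
# lower-cased because ssh_config/sshd_config keywords are case-insensitive.
SSHD_FREEBSD_DEFAULTS = {
    "passwordauthentication": "no",
    "logingracetime": "120",
    "permitrootlogin": "no",
    "x11forwarding": "yes",
}
SSH_FREEBSD_DEFAULTS = {"checkhostip": "no"}

# Constructed sample sshd_config, not copied from any real host.
SAMPLE_SSHD_CONFIG = """\
# the remaining directives are left at their defaults
PermitRootLogin without-password
LoginGraceTime=30
LoginGraceTime 90
Match User backup
    PasswordAuthentication yes
"""

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s)(.*?)\s*$")


def parse_global_directives(text):
    """Map keyword -> value for the global section of an ssh/sshd config.
    Blank lines and # comments are skipped, the first occurrence of a
    keyword wins (as in sshd), and parsing stops at the first Match block,
    whose directives apply only to matching connections."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen


def effective_settings(text, defaults):
    """Resolve each directive in `defaults` to (value, origin): origin says
    whether the file set it or the FreeBSD default supplied it (and so the
    value would differ on a stock OpenSSH-portable build)."""
    explicit = parse_global_directives(text)
    return {key: (explicit[key], "config") if key in explicit
            else (default, "freebsd-default")
            for key, default in defaults.items()}
```
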
3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$
