FreeBSD maintainer's guide to OpenSSH-portable
==============================================

XXX
XXX this needs a complete rewrite
XXX svn merge from vendor branch, resolve conflicts manually
XXX (see FREEBSD-tricks for tips on how to reduce conflicts)
XXX run freebsd-configure.sh to generate config.h and krb5_config.h
XXX svn diff Makefile.in to see if the Makefiles need adjusting
XXX

0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

   $ tar xf openssh-X.YpZ.tar.gz \
         -X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

   $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

   $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

   $ autoconf
   $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

   $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
         --with-pam --with-tcp-wrappers --with-libedit \
         --with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

     - PasswordAuthentication defaults to "no".

     - LoginGraceTime defaults to 120 seconds instead of 600.

     - PermitRootLogin defaults to "no".

     - X11Forwarding defaults to "yes" (it's a threat to the client,
       not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

     - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD$