1ba11afccSDag-Erling Smørgrav 2ba11afccSDag-Erling Smørgrav 3ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 4ba11afccSDag-Erling Smørgrav ============================================== 5ba11afccSDag-Erling Smørgrav 6ba11afccSDag-Erling Smørgrav 7ba11afccSDag-Erling Smørgrav0) Make sure your mail spool has plenty of free space. It'll fill up 8ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 9ba11afccSDag-Erling Smørgrav 10ba11afccSDag-Erling Smørgrav1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP 11ba11afccSDag-Erling Smørgrav site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) 12ba11afccSDag-Erling Smørgrav 13ba11afccSDag-Erling Smørgrav2) Unpack the tarball in a suitable directory. 14ba11afccSDag-Erling Smørgrav 151c71974bSDag-Erling Smørgrav $ tar xf openssh-X.YpZ.tar.gz \ 161c71974bSDag-Erling Smørgrav -X /usr/src/crypto/openssh/FREEBSD-Xlist 171c71974bSDag-Erling Smørgrav 18ba11afccSDag-Erling Smørgrav3) Remove trash: 19ba11afccSDag-Erling Smørgrav 201c71974bSDag-Erling Smørgrav Make sure -X took care of everything, and if it didn't, make sure 21e2fb0b2aSDag-Erling Smørgrav to update FREEBSD-Xlist so you won't miss it the next time. A good 22e2fb0b2aSDag-Erling Smørgrav way to do this is to run a test import and see if any new files 23e2fb0b2aSDag-Erling Smørgrav show up: 24e2fb0b2aSDag-Erling Smørgrav 25e2fb0b2aSDag-Erling Smørgrav $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N 26ba11afccSDag-Erling Smørgrav 27ba11afccSDag-Erling Smørgrav4) Import the sources: 28ba11afccSDag-Erling Smørgrav 29b8110726SJun Kuriyama $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ 30ba11afccSDag-Erling Smørgrav 31ba11afccSDag-Erling Smørgrav5) Resolve conflicts. Remember to bump the version number and 32e2fb0b2aSDag-Erling Smørgrav addendum in version.h, and update the default value in 33e2fb0b2aSDag-Erling Smørgrav ssh{,d}_config and ssh{,d}_config.5. 34ba11afccSDag-Erling Smørgrav 35ba11afccSDag-Erling Smørgrav6) Generate configure and config.h.in: 36ba11afccSDag-Erling Smørgrav 37ba11afccSDag-Erling Smørgrav $ autoconf 38ba11afccSDag-Erling Smørgrav $ autoheader 39ba11afccSDag-Erling Smørgrav 40ba11afccSDag-Erling Smørgrav Note: this requires a recent version of autoconf, not autoconf213. 41ba11afccSDag-Erling Smørgrav 42ba11afccSDag-Erling Smørgrav7) Run configure with the appropriate arguments: 43ba11afccSDag-Erling Smørgrav 44ba11afccSDag-Erling Smørgrav $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ 45e66498cdSDag-Erling Smørgrav --with-pam --with-tcp-wrappers --with-libedit \ 46e66498cdSDag-Erling Smørgrav --with-ssl-engine 47e66498cdSDag-Erling Smørgrav 48e66498cdSDag-Erling Smørgrav This will regenerate config.h, which must be committed along with 49e66498cdSDag-Erling Smørgrav the rest. 50ba11afccSDag-Erling Smørgrav 51ba11afccSDag-Erling Smørgrav Note that we don't want to configure OpenSSH for Kerberos using 52ba11afccSDag-Erling Smørgrav configure since we have to be able to turn it on or off depending 53e1fe3dbaSRuslan Ermilov on the value of MK_KERBEROS. Our Makefiles take care of this. 54ba11afccSDag-Erling Smørgrav 55e66498cdSDag-Erling Smørgrav8) If source files have been added or removed, update the appropriate 56e66498cdSDag-Erling Smørgrav makefiles to reflect changes in the vendor's Makefile.in. 57ba11afccSDag-Erling Smørgrav 58e66498cdSDag-Erling Smørgrav9) Build libssh. Follow the instructions in ssh_namespace.h to get a 59e66498cdSDag-Erling Smørgrav list of new symbols. Update ssh_namespace.h, build everything, 60e66498cdSDag-Erling Smørgrav install and test. 61ba11afccSDag-Erling Smørgrav 62e66498cdSDag-Erling SmørgravA) Build and test the pam_ssh PAM module. It gropes around libssh's 63e66498cdSDag-Erling Smørgrav internals and will break if something significant changes or if 64e66498cdSDag-Erling Smørgrav ssh_namespace.h is out of whack. 65e66498cdSDag-Erling Smørgrav 66e66498cdSDag-Erling SmørgravB) Re-commit everything on repoman (you *did* use a test repo for 67ba11afccSDag-Erling Smørgrav this, didn't you?) 68ba11afccSDag-Erling Smørgrav 69ba11afccSDag-Erling Smørgrav 70ba11afccSDag-Erling Smørgrav 71ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 72ba11afccSDag-Erling Smørgrav ================================================== 73ba11afccSDag-Erling Smørgrav 74ba11afccSDag-Erling Smørgrav0) VersionAddendum 75ba11afccSDag-Erling Smørgrav 76ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 77ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 78ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 79ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 80ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 81ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 82ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 83ba11afccSDag-Erling Smørgrav to allow them to change or disable it. 84ba11afccSDag-Erling Smørgrav 85ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 86ba11afccSDag-Erling Smørgrav 87ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 88ba11afccSDag-Erling Smørgrav 893ee07a3aSDag-Erling Smørgrav - Protocol defaults to "2". 903ee07a3aSDag-Erling Smørgrav 913ee07a3aSDag-Erling Smørgrav - PasswordAuthentication defaults to "no" when PAM is enabled. 923ee07a3aSDag-Erling Smørgrav 93ba11afccSDag-Erling Smørgrav - For protocol version 2, we don't load RSA host keys by 94ba11afccSDag-Erling Smørgrav default. If both RSA and DSA keys are present, we prefer DSA 95ba11afccSDag-Erling Smørgrav to RSA. 96ba11afccSDag-Erling Smørgrav 97ba11afccSDag-Erling Smørgrav - LoginGraceTime defaults to 120 seconds instead of 600. 98ba11afccSDag-Erling Smørgrav 99ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 100ba11afccSDag-Erling Smørgrav 101ba11afccSDag-Erling Smørgrav - X11Forwarding defaults to "yes" (it's a threat to the client, 102ba11afccSDag-Erling Smørgrav not to the server.) 103ba11afccSDag-Erling Smørgrav 104ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 105ba11afccSDag-Erling Smørgrav 106ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 107ba11afccSDag-Erling Smørgrav 108ba11afccSDag-Erling Smørgrav - For protocol version 2, if both RSA and DSA keys are present, 109ba11afccSDag-Erling Smørgrav we prefer DSA to RSA. 110ba11afccSDag-Erling Smørgrav 111ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 112ba11afccSDag-Erling Smørgrav 113ba11afccSDag-Erling Smørgrav3) Canonic host names 114ba11afccSDag-Erling Smørgrav 115ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 116ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 117ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 118ba11afccSDag-Erling Smørgrav 119ba11afccSDag-Erling Smørgrav4) OPIE 120ba11afccSDag-Erling Smørgrav 121ba11afccSDag-Erling Smørgrav We've added support for using OPIE as a drop-in replacement for 122ba11afccSDag-Erling Smørgrav S/Key. 123ba11afccSDag-Erling Smørgrav 124c880b043SDag-Erling Smørgrav5) setusercontext() environment 125ba11afccSDag-Erling Smørgrav 126ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 127ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 128ba11afccSDag-Erling Smørgrav 129ba11afccSDag-Erling Smørgrav 130ba11afccSDag-Erling Smørgrav 131ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 132ba11afccSDag-Erling SmørgravLabs, ThinkSec, Nescaf�, the Aberlour Glenlivet Distillery Co., 133ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 134ba11afccSDag-Erling Smørgrav 135ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 136ba11afccSDag-Erling Smørgrav 137ba11afccSDag-Erling Smørgrav$FreeBSD$ 138