            FreeBSD maintainer's guide to OpenSSH-portable
            ==============================================

00) Make sure your mail spool has plenty of free space. It'll fill up
    pretty fast once you're done with this checklist.

01) Download the latest OpenSSH-portable tarball and signature from
    OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).

02) Verify the signature:

    $ gpg --verify openssh-X.YpZ.tar.gz.asc

03) Unpack the tarball in a suitable directory:

    $ tar xf openssh-X.YpZ.tar.gz

04) Copy to the vendor directory:

    $ svn co svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist
    $ rsync --archive --delete openssh-X.YpZ/ dist/

05) Take care of added / deleted files:

    $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
    $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')

06) Commit:

    $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist

07) Tag:

    $ svn copy -m "Tag OpenSSH X.YpZ." \
        svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist \
        svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/X.YpZ

08) Check out head and run the pre-merge script, which strips our RCS
    tags from files that have them:

    $ svn co svn+ssh://repo.freebsd.org/base/head
    $ cd head/crypto/openssh
    $ sh freebsd-pre-merge.sh

09) Merge from the vendor branch:

    $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .

0A) Resolve conflicts. Remember to bump the version addendum in
    version.h, and update the default value in ssh{,d}_config and
    ssh{,d}_config.5.

0B) Diff against the vendor branch:

    $ svn diff --no-diff-deleted --no-diff-added \
        --ignore-properties \^/vendor-crypto/openssh/X.YpZ .

    Files that have modifications relative to the vendor code, and
    only those files, must have the svn:keywords property set to
    FreeBSD=%H and be listed in the 'keywords' file created by the
    pre-merge script.

0C) Run the post-merge script, which re-adds RCS tags to files that
    need them:

    $ sh freebsd-post-merge.sh

0D) Run the configure script:

    $ sh freebsd-configure.sh

0E) Review changes to config.h very carefully.

0F) If source files have been added or removed, update the appropriate
    makefiles to reflect changes in the vendor's Makefile.in.

10) Update ssh_namespace.h:

    $ sh freebsd-namespace.sh

11) Build and install world, reboot, test. Pay particular attention
    to pam_ssh(8), which gropes inside libssh and will break if
    something significant changes or if ssh_namespace.h is out of
    whack.

12) Commit, and hunker down for the inevitable storm of complaints.



          An overview of FreeBSD changes to OpenSSH-portable
          ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out. Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it. Upstream added support for
   VersionAddendum on the server side, but we also support it on the
   client side.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - UsePAM defaults to "yes".
      - PermitRootLogin defaults to "no".
      - X11Forwarding defaults to "yes".
      - PasswordAuthentication defaults to "no".
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
      - PrivilegeSeparation defaults to "sandbox".
      - UseDNS defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".
      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
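
Added example, not part of the original notes or of the OpenSSH
sources: the patch-level check that section 0 describes, applied to
the default "FreeBSD-YYYYMMDD" addendum listed in sections 1 and 2.
The function names, the sample identification strings and the fix
date are constructed for illustration.

```shell
#!/bin/sh
# Classify SSH identification strings by their FreeBSD VersionAddendum date.

# Print the YYYYMMDD patch date carried in the comment field of an
# identification string ("SSH-<proto>-<software> <comments>").
# Returns 1 if there is no comment or it is not FreeBSD-YYYYMMDD.
freebsd_patch_date() {
    banner=$(printf '%s' "$1" | tr -d '\r\n')    # drop trailing CR LF
    case $banner in
        SSH-*-*" "*) ;;                           # comment field present
        *) return 1 ;;
    esac
    addendum=${banner#* }                         # text after the first space
    case $addendum in
        FreeBSD-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            printf '%s\n' "${addendum#FreeBSD-}" ;;
        *) return 1 ;;
    esac
}

# Compare the patch date with the date an advisory's fix went in.
# Prints "patched", "outdated", or "unknown" (the addendum was changed
# or disabled, so the banner says nothing about the patch level).
patch_status() {
    fix_date=$2
    if patch_date=$(freebsd_patch_date "$1"); then
        if [ "$patch_date" -ge "$fix_date" ]; then
            echo patched
        else
            echo outdated
        fi
    else
        echo unknown
    fi
}

FIX_DATE=20180101    # constructed advisory fix date
# Constructed sample banners, e.g. collected from your own host inventory.
while IFS= read -r line; do
    printf '%-40s %s\n' "$line" "$(patch_status "$line" "$FIX_DATE")"
done <<'EOF'
SSH-2.0-OpenSSH_7.5 FreeBSD-20170903
SSH-2.0-OpenSSH_7.6 FreeBSD-20180510
SSH-2.0-OpenSSH_7.6
SSH-2.0-OpenSSH_7.6 custom-addendum
EOF
```

Hosts reported as "unknown" have a changed or disabled VersionAddendum
and need their patch level checked on the host itself.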

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect. This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.

5) TCP wrappers

   Support for TCP wrappers was removed in upstream 6.7p1. We've
   added it back by porting the 6.6p1 code forward.

6) Agent client reference counting

   We've added code to ssh-agent.c to implement client reference
   counting; the agent will automatically exit when the last client
   disconnects.

7) Class-based login restrictions

   We've added code to auth2.c to enforce the host.allow, host.deny,
   times.allow and times.deny login class capabilities.

8) HPN

   We no longer have the HPN patches (adaptive buffer size for
   increased throughput on high-BxD links), but we recognize and
   ignore HPN-related configuration options to avoid breaking existing
   configurations.

9) AES-CBC

   The AES-CBC ciphers were removed from the server-side proposal list
   in 6.7p1 due to theoretical weaknesses and the availability of
   superior ciphers (including AES-CTR and AES-GCM). We have re-added
   them for compatibility with third-party clients.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$