1ba11afccSDag-Erling Smørgrav 2ba11afccSDag-Erling Smørgrav 3ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 4ba11afccSDag-Erling Smørgrav ============================================== 5ba11afccSDag-Erling Smørgrav 6ba11afccSDag-Erling Smørgrav 7ba11afccSDag-Erling Smørgrav0) Make sure your mail spool has plenty of free space. It'll fill up 8ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 9ba11afccSDag-Erling Smørgrav 10ba11afccSDag-Erling Smørgrav1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP 11ba11afccSDag-Erling Smørgrav site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) 12ba11afccSDag-Erling Smørgrav 13ba11afccSDag-Erling Smørgrav2) Unpack the tarball in a suitable directory. 14ba11afccSDag-Erling Smørgrav 15ba11afccSDag-Erling Smørgrav3) Remove trash: 16ba11afccSDag-Erling Smørgrav 17ba11afccSDag-Erling Smørgrav $ rm -rf $(cat FREEBSD-Xlist) 18ba11afccSDag-Erling Smørgrav 19ba11afccSDag-Erling Smørgrav Make sure that took care of everything, and if it didn't, make sure 20ba11afccSDag-Erling Smørgrav to update FREEBSD-Xlist so you won't miss it the next time. 21ba11afccSDag-Erling Smørgrav 22ba11afccSDag-Erling Smørgrav4) Import the sources: 23ba11afccSDag-Erling Smørgrav 24b8110726SJun Kuriyama $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ 25ba11afccSDag-Erling Smørgrav 26ba11afccSDag-Erling Smørgrav5) Resolve conflicts. Remember to bump the version number and 27ba11afccSDag-Erling Smørgrav addendum in version.h. 28ba11afccSDag-Erling Smørgrav 29ba11afccSDag-Erling Smørgrav6) Generate configure and config.h.in: 30ba11afccSDag-Erling Smørgrav 31ba11afccSDag-Erling Smørgrav $ autoconf 32ba11afccSDag-Erling Smørgrav $ autoheader 33ba11afccSDag-Erling Smørgrav 34ba11afccSDag-Erling Smørgrav Note: this requires a recent version of autoconf, not autoconf213. 35ba11afccSDag-Erling Smørgrav 36ba11afccSDag-Erling Smørgrav7) Run configure with the appropriate arguments: 37ba11afccSDag-Erling Smørgrav 38ba11afccSDag-Erling Smørgrav $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ 3921f19a0cSDag-Erling Smørgrav --with-pam --with-tcp-wrappers 40ba11afccSDag-Erling Smørgrav 41ba11afccSDag-Erling Smørgrav Note that we don't want to configure OpenSSH for Kerberos using 42ba11afccSDag-Erling Smørgrav configure since we have to be able to turn it on or off depending 43ba11afccSDag-Erling Smørgrav on the value of MAKE_KERBEROS[45]. Our Makefiles take care of 44ba11afccSDag-Erling Smørgrav this. 45ba11afccSDag-Erling Smørgrav 46ba11afccSDag-Erling Smørgrav8) Commit the resulting config.h. Make sure you don't accidentally 47ba11afccSDag-Erling Smørgrav commit any other files created by autoconf, autoheader or 48ba11afccSDag-Erling Smørgrav configure; they'll just clutter up the repo and cause trouble at 49ba11afccSDag-Erling Smørgrav the next upgrade. 50ba11afccSDag-Erling Smørgrav 51ba11afccSDag-Erling Smørgrav9) Build and test. 52ba11afccSDag-Erling Smørgrav 53ba11afccSDag-Erling SmørgravA) Re-commit everything on freefall (you *did* use a test repo for 54ba11afccSDag-Erling Smørgrav this, didn't you?) 55ba11afccSDag-Erling Smørgrav 56ba11afccSDag-Erling Smørgrav 57ba11afccSDag-Erling Smørgrav 58ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 59ba11afccSDag-Erling Smørgrav ================================================== 60ba11afccSDag-Erling Smørgrav 61ba11afccSDag-Erling Smørgrav0) VersionAddendum 62ba11afccSDag-Erling Smørgrav 63ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 64ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 65ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 66ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 67ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 68ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 69ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 70ba11afccSDag-Erling Smørgrav to allow them to change or disable it. 71ba11afccSDag-Erling Smørgrav 72ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 73ba11afccSDag-Erling Smørgrav 74ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 75ba11afccSDag-Erling Smørgrav 76ba11afccSDag-Erling Smørgrav - For protocol version 2, we don't load RSA host keys by 77ba11afccSDag-Erling Smørgrav default. If both RSA and DSA keys are present, we prefer DSA 78ba11afccSDag-Erling Smørgrav to RSA. 79ba11afccSDag-Erling Smørgrav 80ba11afccSDag-Erling Smørgrav - LoginGraceTime defaults to 120 seconds instead of 600. 81ba11afccSDag-Erling Smørgrav 82ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 83ba11afccSDag-Erling Smørgrav 84ba11afccSDag-Erling Smørgrav - X11Forwarding defaults to "yes" (it's a threat to the client, 85ba11afccSDag-Erling Smørgrav not to the server.) 86ba11afccSDag-Erling Smørgrav 87ba11afccSDag-Erling Smørgrav - Unless the config file says otherwise, we automatically enable 88ba11afccSDag-Erling Smørgrav Kerberos support if an appropriate keytab is present. 89ba11afccSDag-Erling Smørgrav 90ba11afccSDag-Erling Smørgrav - PAMAuthenticationViaKbdInt defaults to "yes". 91ba11afccSDag-Erling Smørgrav 92ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 93ba11afccSDag-Erling Smørgrav 94ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 95ba11afccSDag-Erling Smørgrav 96ba11afccSDag-Erling Smørgrav - For protocol version 2, if both RSA and DSA keys are present, 97ba11afccSDag-Erling Smørgrav we prefer DSA to RSA. 98ba11afccSDag-Erling Smørgrav 99ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 100ba11afccSDag-Erling Smørgrav 101ba11afccSDag-Erling Smørgrav3) Canonic host names 102ba11afccSDag-Erling Smørgrav 103ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 104ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 105ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 106ba11afccSDag-Erling Smørgrav 107ba11afccSDag-Erling Smørgrav4) OPIE 108ba11afccSDag-Erling Smørgrav 109ba11afccSDag-Erling Smørgrav We've added support for using OPIE as a drop-in replacement for 110ba11afccSDag-Erling Smørgrav S/Key. 111ba11afccSDag-Erling Smørgrav 112ba11afccSDag-Erling Smørgrav5) PAM 113ba11afccSDag-Erling Smørgrav 114ba11afccSDag-Erling Smørgrav We use our own PAM code, which wraps PAM in a KbdintDevice and 115ba11afccSDag-Erling Smørgrav works with privsep, instead of OpenSSH's own PAM code. 116ba11afccSDag-Erling Smørgrav 117ba11afccSDag-Erling Smørgrav6) setusercontext() environment 118ba11afccSDag-Erling Smørgrav 119ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 120ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 121ba11afccSDag-Erling Smørgrav 122ba11afccSDag-Erling Smørgrav 123ba11afccSDag-Erling Smørgrav 124ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 125ba11afccSDag-Erling SmørgravLabs, ThinkSec, Nescaf�, the Aberlour Glenlivet Distillery Co., 126ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 127ba11afccSDag-Erling Smørgrav 128ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 129ba11afccSDag-Erling Smørgrav 130ba11afccSDag-Erling Smørgrav$FreeBSD$ 131