FreeBSD maintainer's guide to OpenSSH-portable
==============================================

00) Make sure your mail spool has plenty of free space.  It'll fill up
    pretty fast once you're done with this checklist.

01) Download the latest OpenSSH-portable tarball and signature from
    OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).

02) Verify the signature:

    $ gpg --verify openssh-X.YpZ.tar.gz.asc

03) Unpack the tarball in a suitable directory:

    $ tar xf openssh-X.YpZ.tar.gz

04) Copy to the vendor directory:

    $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist
    $ rsync --archive --delete openssh-X.YpZ/ dist/

05) Take care of added / deleted files:

    $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
    $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')

06) Commit:

    $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist

07) Tag:

    $ svn copy -m "Tag OpenSSH X.YpZ." \
        svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \
        svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ

08) Check out head and run the pre-merge script, which strips our RCS
    tags from files that have them:

    $ svn co svn+ssh://svn.freebsd.org/base/head
    $ cd head/crypto/openssh
    $ sh freebsd-pre-merge.sh

09) Merge from the vendor branch:

    $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .

0A) Resolve conflicts.  Remember to bump the version addendum in
    version.h, and update the default value in ssh{,d}_config and
    ssh{,d}_config.5.

0B) Diff against the vendor branch:

    $ svn diff --no-diff-deleted --no-diff-added \
        --ignore-properties \^/vendor-crypto/openssh/X.YpZ .

    Files that have modifications relative to the vendor code, and
    only those files, must have the svn:keywords property set to
    FreeBSD=%H and be listed in the 'keywords' file created by the
    pre-merge script.

0C) Run the post-merge script, which re-adds RCS tags to files that
    need them:

    $ sh freebsd-post-merge.sh

0D) Run the configure script:

    $ sh freebsd-configure.sh

0E) Review changes to config.h very carefully.

0F) If source files have been added or removed, update the appropriate
    makefiles to reflect changes in the vendor's Makefile.in.

10) Build libssh:

    $ cd ../../secure/lib/libssh && make obj && make depend && make

11) Follow the instructions in ssh_namespace.h to get a list of new
    symbols, and add them to ssh_namespace.h.  Keep it sorted!

12) Build and install world, reboot, test.  Pay particular attention
    to pam_ssh(8), which gropes inside libssh and will break if
    something significant changes or if ssh_namespace.h is out of
    whack.

13) Commit, and hunker down for the inevitable storm of complaints.
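
Step 02 only proves that some key in the local keyring signed the tarball. The following is an added example, not part of the original checklist: it pins the expected signer by reading gpg's machine-readable status output. PINNED_FPR is a placeholder, the function names are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: pin the signer of the vendor tarball before importing it.

# Placeholder: the release-signing key fingerprint, obtained out of band.
# The value below is a constructed dummy, not a real key.
PINNED_FPR="0000000000000000000000000000000000000000"

# check_status PINNED < gpg-status-output
# Succeeds only if the stream holds exactly one VALIDSIG line whose signing
# key or primary key fingerprint equals PINNED, and no failure status line.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # $3 is the signing (sub)key, the last field the primary key.
        $2 == "VALIDSIG" { n++; if ($3 == want || $NF == want) ok = 1 }
        END { exit !(ok && n == 1 && !bad) }
    '
}

# verify_tarball SIGFILE TARBALL: run gpg and apply the pin.
# gpg's own exit status is ignored; the status lines decide.
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output for a good signature made by fingerprint $1.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 1111111111111111 Constructed Signer" \
        "[GNUPG:] VALIDSIG $1 2016-01-01 1451606400 0 4 0 1 8 00 $1"
}

# Demonstration on the constructed sample (no keyring or network needed).
if sample_status "$PINNED_FPR" | check_status "$PINNED_FPR"; then
    echo "pinned signer accepted"
fi
```

In the checklist this would be run as `verify_tarball openssh-X.YpZ.tar.gz.asc openssh-X.YpZ.tar.gz` before step 03.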



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.  Upstream added support for
   VersionAddendum on the server side, but we also support it on the
   client side.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - UsePAM defaults to "yes".
      - PermitRootLogin defaults to "no".
      - X11Forwarding defaults to "yes".
      - PasswordAuthentication defaults to "no".
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
      - PrivilegeSeparation defaults to "sandbox".
      - UseDNS defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".
      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name
   after reading options but before trying to connect.  This
   eliminates the usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.

5) TCP wrappers

   Support for TCP wrappers was removed in upstream 6.7p1.  We've
   added it back by porting the 6.6p1 code forward.

6) DSA keys

   DSA keys were disabled by default in upstream 6.9p1.  We've added
   them back.

7) Agent client reference counting

   We've added code to ssh-agent.c to implement client reference
   counting; the agent will automatically exit when the last client
   disconnects.

8) Class-based login restrictions

   We've added code to auth2.c to enforce the host.allow, host.deny,
   times.allow and times.deny login class capabilities.

9) HPN

   We no longer have the HPN patches (adaptive buffer size for
   increased throughput on links with a high bandwidth-delay product,
   BxD), but we recognize and ignore HPN-related configuration options
   to avoid breaking existing configurations.

A) AES-CBC

   The AES-CBC ciphers were removed from the server-side proposal list
   in 6.7p1 due to theoretical weaknesses and the availability of
   superior ciphers (including AES-CTR and AES-GCM).  We have re-added
   them for compatibility with third-party clients.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$
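
Items 0, 1 and A of the overview change what a FreeBSD sshd advertises and accepts compared with upstream. The following is an added example, not part of the original file: it reads the effective configuration printed by `sshd -T` and lists those settings for review. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: list the FreeBSD-specific sshd settings from the overview
# that an administrator may want to review on a deployed host.

# audit_sshd < output of `sshd -T` (lowercase "keyword value" lines)
# Prints one finding per line; prints nothing when none of them apply.
audit_sshd() {
    awk '
        # Item 0: the banner carries a patch-level date unless disabled.
        $1 == "versionaddendum" && $2 != "none" {
            print "versionaddendum: banner advertises " $2
        }
        # Item A: CBC-mode ciphers re-added to the server proposal.
        $1 == "ciphers" {
            n = split($2, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] ~ /-cbc(@|$)/)
                    print "ciphers: CBC mode offered: " c[i]
        }
        # Item 1: defaults that FreeBSD sets to "yes".
        $1 == "x11forwarding" && $2 == "yes" { print "x11forwarding: yes" }
        $1 == "usedns" && $2 == "yes" { print "usedns: yes" }
    '
}

# Constructed excerpt of `sshd -T` output using the defaults listed above.
sample_sshd_T() {
    cat <<'EOF'
permitrootlogin no
passwordauthentication no
x11forwarding yes
usedns yes
versionaddendum FreeBSD-YYYYMMDD
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes128-cbc,aes256-cbc
EOF
}

# Demonstration on the constructed sample.
sample_sshd_T | audit_sshd
```

On a live system the input would come from `sshd -T | audit_sshd`, run with enough privilege to read the host keys and configuration.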