xref: /freebsd/crypto/openssh/FREEBSD-upgrade (revision c3c6c935fca17c15194dafc56ee3bf4ef9ecd35e)
1ba11afccSDag-Erling Smørgrav	    FreeBSD maintainer's guide to OpenSSH-portable
2ba11afccSDag-Erling Smørgrav	    ==============================================
3ba11afccSDag-Erling Smørgrav
4cf783db1SDag-Erling Smørgrav00) Make sure your mail spool has plenty of free space.  It'll fill up
5ba11afccSDag-Erling Smørgrav    pretty fast once you're done with this checklist.
6ba11afccSDag-Erling Smørgrav
7cf783db1SDag-Erling Smørgrav01) Download the latest OpenSSH-portable tarball and signature from
8cf783db1SDag-Erling Smørgrav    OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
9ba11afccSDag-Erling Smørgrav
10cf783db1SDag-Erling Smørgrav02) Verify the signature:
11ba11afccSDag-Erling Smørgrav
12cf783db1SDag-Erling Smørgrav    $ gpg --verify openssh-X.YpZ.tar.gz.asc
131c71974bSDag-Erling Smørgrav
14cf783db1SDag-Erling Smørgrav03) Unpack the tarball in a suitable directory:
15ba11afccSDag-Erling Smørgrav
16cf783db1SDag-Erling Smørgrav    $ tar xf openssh-X.YpZ.tar.gz
17e2fb0b2aSDag-Erling Smørgrav
18cf783db1SDag-Erling Smørgrav04) Copy to the vendor directory:
19ba11afccSDag-Erling Smørgrav
20cf783db1SDag-Erling Smørgrav    $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist
21cf783db1SDag-Erling Smørgrav    $ rsync --archive --delete openssh-X.YpZ/ dist/
22ba11afccSDag-Erling Smørgrav
23cf783db1SDag-Erling Smørgrav05) Take care of added / deleted files:
24ba11afccSDag-Erling Smørgrav
25cf783db1SDag-Erling Smørgrav    $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
26cf783db1SDag-Erling Smørgrav    $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')
27ba11afccSDag-Erling Smørgrav
28cf783db1SDag-Erling Smørgrav06) Commit:
29ba11afccSDag-Erling Smørgrav
30cf783db1SDag-Erling Smørgrav    $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist
31ba11afccSDag-Erling Smørgrav
32cf783db1SDag-Erling Smørgrav07) Tag:
33ba11afccSDag-Erling Smørgrav
34cf783db1SDag-Erling Smørgrav    $ svn copy -m "Tag OpenSSH X.YpZ." \
35cf783db1SDag-Erling Smørgrav	svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \
36cf783db1SDag-Erling Smørgrav	svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ
37ba11afccSDag-Erling Smørgrav
380591b689SDag-Erling Smørgrav08) Check out head and run the pre-merge script, which strips our RCS
390591b689SDag-Erling Smørgrav    tags from files that have them:
40e66498cdSDag-Erling Smørgrav
41cf783db1SDag-Erling Smørgrav    $ svn co svn+ssh://svn.freebsd.org/base/head
42cf783db1SDag-Erling Smørgrav    $ cd head/crypto/openssh
43cf783db1SDag-Erling Smørgrav    $ sh freebsd-pre-merge.sh
44ba11afccSDag-Erling Smørgrav
45cf783db1SDag-Erling Smørgrav09) Merge from the vendor branch:
46ba11afccSDag-Erling Smørgrav
47cf783db1SDag-Erling Smørgrav    $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .
48cf783db1SDag-Erling Smørgrav
49cf783db1SDag-Erling Smørgrav0A) Resolve conflicts.  Remember to bump the version addendum in
50cf783db1SDag-Erling Smørgrav    version.h, and update the default value in ssh{,d}_config and
51cf783db1SDag-Erling Smørgrav    ssh{,d}_config.5.
52cf783db1SDag-Erling Smørgrav
53cf783db1SDag-Erling Smørgrav0B) Diff against the vendor branch:
54cf783db1SDag-Erling Smørgrav
550591b689SDag-Erling Smørgrav    $ svn diff --no-diff-deleted --no-diff-added \
560591b689SDag-Erling Smørgrav	--ignore-properties \^/vendor-crypto/openssh/X.YpZ .
57cf783db1SDag-Erling Smørgrav
58cf783db1SDag-Erling Smørgrav    Files that have modifications relative to the vendor code, and
59cf783db1SDag-Erling Smørgrav    only those files, must have the svn:keywords property set to
60cf783db1SDag-Erling Smørgrav    FreeBSD=%H and be listed in the 'keywords' file created by the
61cf783db1SDag-Erling Smørgrav    pre-merge script.
62cf783db1SDag-Erling Smørgrav
630591b689SDag-Erling Smørgrav0C) Run the post-merge script, which re-adds RCS tags to files that
640591b689SDag-Erling Smørgrav    need them:
65cf783db1SDag-Erling Smørgrav
66cf783db1SDag-Erling Smørgrav    $ sh freebsd-post-merge.sh
67cf783db1SDag-Erling Smørgrav
68cf783db1SDag-Erling Smørgrav0D) Run the configure script:
69cf783db1SDag-Erling Smørgrav
70cf783db1SDag-Erling Smørgrav    $ sh freebsd-configure.sh
71cf783db1SDag-Erling Smørgrav
720591b689SDag-Erling Smørgrav0E) Review changes to config.h very carefully.
73cf783db1SDag-Erling Smørgrav
74cf783db1SDag-Erling Smørgrav0F) If source files have been added or removed, update the appropriate
75e66498cdSDag-Erling Smørgrav    makefiles to reflect changes in the vendor's Makefile.in.
76ba11afccSDag-Erling Smørgrav
77cf783db1SDag-Erling Smørgrav10) Build libssh:
78ba11afccSDag-Erling Smørgrav
79cf783db1SDag-Erling Smørgrav    $ cd ../../secure/lib/libssh && make obj && make depend && make
80e66498cdSDag-Erling Smørgrav
81cf783db1SDag-Erling Smørgrav11) Follow the instructions in ssh_namespace.h to get a list of new
82cf783db1SDag-Erling Smørgrav    symbols, and them to ssh_namespace.h.  Keep it sorted!
83cf783db1SDag-Erling Smørgrav
84cf783db1SDag-Erling Smørgrav12) Build and install world, reboot, test.  Pay particular attention
85cf783db1SDag-Erling Smørgrav    to pam_ssh(8), which gropes inside libssh and will break if
86cf783db1SDag-Erling Smørgrav    something significant changes or if ssh_namespace.h is out of
87cf783db1SDag-Erling Smørgrav    whack.
88cf783db1SDag-Erling Smørgrav
89cf783db1SDag-Erling Smørgrav13) Commit, and hunker down for the inevitable storm of complaints.
90ba11afccSDag-Erling Smørgrav
91ba11afccSDag-Erling Smørgrav
92ba11afccSDag-Erling Smørgrav
93ba11afccSDag-Erling Smørgrav	  An overview of FreeBSD changes to OpenSSH-portable
94ba11afccSDag-Erling Smørgrav	  ==================================================
95ba11afccSDag-Erling Smørgrav
96ba11afccSDag-Erling Smørgrav0) VersionAddendum
97ba11afccSDag-Erling Smørgrav
98ba11afccSDag-Erling Smørgrav   The SSH protocol allows for a human-readable version string of up
99ba11afccSDag-Erling Smørgrav   to 40 characters to be appended to the protocol version string.
100ba11afccSDag-Erling Smørgrav   FreeBSD takes advantage of this to include a date indicating the
101ba11afccSDag-Erling Smørgrav   "patch level", so people can easily determine whether their system
102ba11afccSDag-Erling Smørgrav   is vulnerable when an OpenSSH advisory goes out.  Some people,
103ba11afccSDag-Erling Smørgrav   however, dislike advertising their patch level in the protocol
104ba11afccSDag-Erling Smørgrav   handshake, so we've added a VersionAddendum configuration variable
1050591b689SDag-Erling Smørgrav   to allow them to change or disable it.  Upstream added support for
1060591b689SDag-Erling Smørgrav   VersionAddendum on the server side, but we also support it on the
1070591b689SDag-Erling Smørgrav   client side.
108ba11afccSDag-Erling Smørgrav
109ba11afccSDag-Erling Smørgrav1) Modified server-side defaults
110ba11afccSDag-Erling Smørgrav
111ba11afccSDag-Erling Smørgrav   We've modified some configuration defaults in sshd:
112ba11afccSDag-Erling Smørgrav
1130591b689SDag-Erling Smørgrav      - UsePAM defaults to "yes".
114ba11afccSDag-Erling Smørgrav      - PermitRootLogin defaults to "no".
1150591b689SDag-Erling Smørgrav      - X11Forwarding defaults to "yes".
1160591b689SDag-Erling Smørgrav      - PasswordAuthentication defaults to "no".
1170591b689SDag-Erling Smørgrav      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
1180591b689SDag-Erling Smørgrav      - PrivilegeSeparation defaults to "sandbox".
119c4cd1fa4SDag-Erling Smørgrav      - UseDNS defaults to "yes".
120ba11afccSDag-Erling Smørgrav
121ba11afccSDag-Erling Smørgrav2) Modified client-side defaults
122ba11afccSDag-Erling Smørgrav
123ba11afccSDag-Erling Smørgrav   We've modified some configuration defaults in ssh:
124ba11afccSDag-Erling Smørgrav
125ba11afccSDag-Erling Smørgrav      - CheckHostIP defaults to "no".
1260591b689SDag-Erling Smørgrav      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
1270591b689SDag-Erling Smørgrav      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
128ba11afccSDag-Erling Smørgrav
129ba11afccSDag-Erling Smørgrav3) Canonic host names
130ba11afccSDag-Erling Smørgrav
131ba11afccSDag-Erling Smørgrav   We've added code to ssh.c to canonicize the target host name after
132ba11afccSDag-Erling Smørgrav   reading options but before trying to connect.  This eliminates the
133ba11afccSDag-Erling Smørgrav   usual problem with duplicate known_hosts entries.
134ba11afccSDag-Erling Smørgrav
135cb7b8027SDag-Erling Smørgrav4) setusercontext() environment
136ba11afccSDag-Erling Smørgrav
137ba11afccSDag-Erling Smørgrav   Our setusercontext(3) can set environment variables, which we must
138ba11afccSDag-Erling Smørgrav   take care to transfer to the child's environment.
139ba11afccSDag-Erling Smørgrav
1400591b689SDag-Erling Smørgrav5) TCP wrappers
1410591b689SDag-Erling Smørgrav
1420591b689SDag-Erling Smørgrav   Support for TCP wrappers was removed in upstream 6.7p1.  We've
1430591b689SDag-Erling Smørgrav   added it back by porting the 6.6p1 code forward.
1440591b689SDag-Erling Smørgrav
1450591b689SDag-Erling Smørgrav6) DSA keys
1460591b689SDag-Erling Smørgrav
1470591b689SDag-Erling Smørgrav   DSA keys were disabled by default in upstream 6.9p1.  We've added
1480591b689SDag-Erling Smørgrav   them back.
1490591b689SDag-Erling Smørgrav
1500591b689SDag-Erling Smørgrav7) Agent client reference counting
1510591b689SDag-Erling Smørgrav
1520591b689SDag-Erling Smørgrav   We've added code to ssh-agent.c to implement client reference
1530591b689SDag-Erling Smørgrav   counting; the agent will automatically exit when the last client
1540591b689SDag-Erling Smørgrav   disconnects.
1550591b689SDag-Erling Smørgrav
1560591b689SDag-Erling Smørgrav8) Class-based login restrictions
1570591b689SDag-Erling Smørgrav
1580591b689SDag-Erling Smørgrav   We've added code to auth2.c to enforce the host.allow, host.deny,
1590591b689SDag-Erling Smørgrav   times.allow and times.deny login class capabilities.
1600591b689SDag-Erling Smørgrav
1610591b689SDag-Erling Smørgrav9) HPN
1620591b689SDag-Erling Smørgrav
1630591b689SDag-Erling Smørgrav   We no longer have the HPN patches (adaptive buffer size for
1640591b689SDag-Erling Smørgrav   increased throughput on high-BxD links), but we recognize and
1650591b689SDag-Erling Smørgrav   ignore HPN-related configuration options to avoid breaking existing
1660591b689SDag-Erling Smørgrav   configurations.
1670591b689SDag-Erling Smørgrav
168*c3c6c935SDag-Erling SmørgravA) AES-CBC
169*c3c6c935SDag-Erling Smørgrav
170*c3c6c935SDag-Erling Smørgrav   The AES-CBC ciphers were removed from the server-side proposal list
171*c3c6c935SDag-Erling Smørgrav   in 6.7p1 due to theoretical weaknesses and the availability of
172*c3c6c935SDag-Erling Smørgrav   superior ciphers (including AES-CTR and AES-GCM).  We have re-added
173*c3c6c935SDag-Erling Smørgrav   them for compatibility with third-party clients.
174*c3c6c935SDag-Erling Smørgrav
175ba11afccSDag-Erling Smørgrav
176ba11afccSDag-Erling Smørgrav
177ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI
1780085282bSDag-Erling SmørgravLabs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
179ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker.
180ba11afccSDag-Erling Smørgrav
181ba11afccSDag-Erling Smørgrav					-- des@FreeBSD.org
182ba11afccSDag-Erling Smørgrav
183ba11afccSDag-Erling Smørgrav$FreeBSD$
184