1ba11afccSDag-Erling Smørgrav 2ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 3ba11afccSDag-Erling Smørgrav ============================================== 4ba11afccSDag-Erling Smørgrav 5cf783db1SDag-Erling Smørgrav00) Make sure your mail spool has plenty of free space. It'll fill up 6ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 7ba11afccSDag-Erling Smørgrav 8cf783db1SDag-Erling Smørgrav01) Download the latest OpenSSH-portable tarball and signature from 9cf783db1SDag-Erling Smørgrav OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/). 10ba11afccSDag-Erling Smørgrav 11cf783db1SDag-Erling Smørgrav02) Verify the signature: 12ba11afccSDag-Erling Smørgrav 13cf783db1SDag-Erling Smørgrav $ gpg --verify openssh-X.YpZ.tar.gz.asc 141c71974bSDag-Erling Smørgrav 15cf783db1SDag-Erling Smørgrav03) Unpack the tarball in a suitable directory: 16ba11afccSDag-Erling Smørgrav 17cf783db1SDag-Erling Smørgrav $ tar xf openssh-X.YpZ.tar.gz 18e2fb0b2aSDag-Erling Smørgrav 19cf783db1SDag-Erling Smørgrav04) Copy to the vendor directory: 20ba11afccSDag-Erling Smørgrav 21cf783db1SDag-Erling Smørgrav $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist 22cf783db1SDag-Erling Smørgrav $ rsync --archive --delete openssh-X.YpZ/ dist/ 23ba11afccSDag-Erling Smørgrav 24cf783db1SDag-Erling Smørgrav05) Take care of added / deleted files: 25ba11afccSDag-Erling Smørgrav 26cf783db1SDag-Erling Smørgrav $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }') 27cf783db1SDag-Erling Smørgrav $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }') 28ba11afccSDag-Erling Smørgrav 29cf783db1SDag-Erling Smørgrav06) Commit: 30ba11afccSDag-Erling Smørgrav 31cf783db1SDag-Erling Smørgrav $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist 32ba11afccSDag-Erling Smørgrav 33cf783db1SDag-Erling Smørgrav07) Tag: 34ba11afccSDag-Erling Smørgrav 35cf783db1SDag-Erling Smørgrav $ svn copy -m "Tag OpenSSH X.YpZ." \ 36cf783db1SDag-Erling Smørgrav svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \ 37cf783db1SDag-Erling Smørgrav svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ 38ba11afccSDag-Erling Smørgrav 390591b689SDag-Erling Smørgrav08) Check out head and run the pre-merge script, which strips our RCS 400591b689SDag-Erling Smørgrav tags from files that have them: 41e66498cdSDag-Erling Smørgrav 42cf783db1SDag-Erling Smørgrav $ svn co svn+ssh://svn.freebsd.org/base/head 43cf783db1SDag-Erling Smørgrav $ cd head/crypto/openssh 44cf783db1SDag-Erling Smørgrav $ sh freebsd-pre-merge.sh 45ba11afccSDag-Erling Smørgrav 46cf783db1SDag-Erling Smørgrav09) Merge from the vendor branch: 47ba11afccSDag-Erling Smørgrav 48cf783db1SDag-Erling Smørgrav $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist . 49cf783db1SDag-Erling Smørgrav 50cf783db1SDag-Erling Smørgrav0A) Resolve conflicts. Remember to bump the version addendum in 51cf783db1SDag-Erling Smørgrav version.h, and update the default value in ssh{,d}_config and 52cf783db1SDag-Erling Smørgrav ssh{,d}_config.5. 53cf783db1SDag-Erling Smørgrav 54cf783db1SDag-Erling Smørgrav0B) Diff against the vendor branch: 55cf783db1SDag-Erling Smørgrav 560591b689SDag-Erling Smørgrav $ svn diff --no-diff-deleted --no-diff-added \ 570591b689SDag-Erling Smørgrav --ignore-properties \^/vendor-crypto/openssh/X.YpZ . 58cf783db1SDag-Erling Smørgrav 59cf783db1SDag-Erling Smørgrav Files that have modifications relative to the vendor code, and 60cf783db1SDag-Erling Smørgrav only those files, must have the svn:keywords property set to 61cf783db1SDag-Erling Smørgrav FreeBSD=%H and be listed in the 'keywords' file created by the 62cf783db1SDag-Erling Smørgrav pre-merge script. 63cf783db1SDag-Erling Smørgrav 640591b689SDag-Erling Smørgrav0C) Run the post-merge script, which re-adds RCS tags to files that 650591b689SDag-Erling Smørgrav need them: 66cf783db1SDag-Erling Smørgrav 67cf783db1SDag-Erling Smørgrav $ sh freebsd-post-merge.sh 68cf783db1SDag-Erling Smørgrav 69cf783db1SDag-Erling Smørgrav0D) Run the configure script: 70cf783db1SDag-Erling Smørgrav 71cf783db1SDag-Erling Smørgrav $ sh freebsd-configure.sh 72cf783db1SDag-Erling Smørgrav 730591b689SDag-Erling Smørgrav0E) Review changes to config.h very carefully. 74cf783db1SDag-Erling Smørgrav 75cf783db1SDag-Erling Smørgrav0F) If source files have been added or removed, update the appropriate 76e66498cdSDag-Erling Smørgrav makefiles to reflect changes in the vendor's Makefile.in. 77ba11afccSDag-Erling Smørgrav 78cf783db1SDag-Erling Smørgrav10) Build libssh: 79ba11afccSDag-Erling Smørgrav 80cf783db1SDag-Erling Smørgrav $ cd ../../secure/lib/libssh && make obj && make depend && make 81e66498cdSDag-Erling Smørgrav 82cf783db1SDag-Erling Smørgrav11) Follow the instructions in ssh_namespace.h to get a list of new 83cf783db1SDag-Erling Smørgrav symbols, and them to ssh_namespace.h. Keep it sorted! 84cf783db1SDag-Erling Smørgrav 85cf783db1SDag-Erling Smørgrav12) Build and install world, reboot, test. Pay particular attention 86cf783db1SDag-Erling Smørgrav to pam_ssh(8), which gropes inside libssh and will break if 87cf783db1SDag-Erling Smørgrav something significant changes or if ssh_namespace.h is out of 88cf783db1SDag-Erling Smørgrav whack. 89cf783db1SDag-Erling Smørgrav 90cf783db1SDag-Erling Smørgrav13) Commit, and hunker down for the inevitable storm of complaints. 91ba11afccSDag-Erling Smørgrav 92ba11afccSDag-Erling Smørgrav 93ba11afccSDag-Erling Smørgrav 94ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 95ba11afccSDag-Erling Smørgrav ================================================== 96ba11afccSDag-Erling Smørgrav 97ba11afccSDag-Erling Smørgrav0) VersionAddendum 98ba11afccSDag-Erling Smørgrav 99ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 100ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 101ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 102ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 103ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 104ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 105ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 1060591b689SDag-Erling Smørgrav to allow them to change or disable it. Upstream added support for 1070591b689SDag-Erling Smørgrav VersionAddendum on the server side, but we also support it on the 1080591b689SDag-Erling Smørgrav client side. 109ba11afccSDag-Erling Smørgrav 110ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 111ba11afccSDag-Erling Smørgrav 112ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 113ba11afccSDag-Erling Smørgrav 1140591b689SDag-Erling Smørgrav - UsePAM defaults to "yes". 115ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 1160591b689SDag-Erling Smørgrav - X11Forwarding defaults to "yes". 1170591b689SDag-Erling Smørgrav - PasswordAuthentication defaults to "no". 1180591b689SDag-Erling Smørgrav - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 1190591b689SDag-Erling Smørgrav - PrivilegeSeparation defaults to "sandbox". 120*c4cd1fa4SDag-Erling Smørgrav - UseDNS defaults to "yes". 121ba11afccSDag-Erling Smørgrav 122ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 123ba11afccSDag-Erling Smørgrav 124ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 125ba11afccSDag-Erling Smørgrav 126ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 1270591b689SDag-Erling Smørgrav - VerifyHostKeyDNS defaults to "yes" if built with LDNS. 1280591b689SDag-Erling Smørgrav - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 129ba11afccSDag-Erling Smørgrav 130ba11afccSDag-Erling Smørgrav3) Canonic host names 131ba11afccSDag-Erling Smørgrav 132ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 133ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 134ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 135ba11afccSDag-Erling Smørgrav 136cb7b8027SDag-Erling Smørgrav4) setusercontext() environment 137ba11afccSDag-Erling Smørgrav 138ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 139ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 140ba11afccSDag-Erling Smørgrav 1410591b689SDag-Erling Smørgrav5) TCP wrappers 1420591b689SDag-Erling Smørgrav 1430591b689SDag-Erling Smørgrav Support for TCP wrappers was removed in upstream 6.7p1. We've 1440591b689SDag-Erling Smørgrav added it back by porting the 6.6p1 code forward. 1450591b689SDag-Erling Smørgrav 1460591b689SDag-Erling Smørgrav6) DSA keys 1470591b689SDag-Erling Smørgrav 1480591b689SDag-Erling Smørgrav DSA keys were disabled by default in upstream 6.9p1. We've added 1490591b689SDag-Erling Smørgrav them back. 1500591b689SDag-Erling Smørgrav 1510591b689SDag-Erling Smørgrav7) Agent client reference counting 1520591b689SDag-Erling Smørgrav 1530591b689SDag-Erling Smørgrav We've added code to ssh-agent.c to implement client reference 1540591b689SDag-Erling Smørgrav counting; the agent will automatically exit when the last client 1550591b689SDag-Erling Smørgrav disconnects. 1560591b689SDag-Erling Smørgrav 1570591b689SDag-Erling Smørgrav8) Class-based login restrictions 1580591b689SDag-Erling Smørgrav 1590591b689SDag-Erling Smørgrav We've added code to auth2.c to enforce the host.allow, host.deny, 1600591b689SDag-Erling Smørgrav times.allow and times.deny login class capabilities. 1610591b689SDag-Erling Smørgrav 1620591b689SDag-Erling Smørgrav9) HPN 1630591b689SDag-Erling Smørgrav 1640591b689SDag-Erling Smørgrav We no longer have the HPN patches (adaptive buffer size for 1650591b689SDag-Erling Smørgrav increased throughput on high-BxD links), but we recognize and 1660591b689SDag-Erling Smørgrav ignore HPN-related configuration options to avoid breaking existing 1670591b689SDag-Erling Smørgrav configurations. 1680591b689SDag-Erling Smørgrav 169ba11afccSDag-Erling Smørgrav 170ba11afccSDag-Erling Smørgrav 171ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 1720085282bSDag-Erling SmørgravLabs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., 173ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 174ba11afccSDag-Erling Smørgrav 175ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 176ba11afccSDag-Erling Smørgrav 177ba11afccSDag-Erling Smørgrav$FreeBSD$ 178