	    FreeBSD maintainer's guide to OpenSSH-portable
	    ==============================================

00) Make sure your mail spool has plenty of free space.  It'll fill up
    pretty fast once you're done with this checklist.

01) Download the latest OpenSSH-portable tarball and signature from
    OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).

02) Verify the signature:

    $ gpg --verify openssh-X.YpZ.tar.gz.asc

03) Unpack the tarball in a suitable directory:

    $ tar xf openssh-X.YpZ.tar.gz

04) Copy to the vendor directory:

    $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist
    $ rsync --archive --delete openssh-X.YpZ/ dist/

05) Take care of added / deleted files:

    $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
    $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')

06) Commit:

    $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist

07) Tag:

    $ svn copy -m "Tag OpenSSH X.YpZ." \
        svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \
        svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ

08) Check out head and run the pre-merge script:

    $ svn co svn+ssh://svn.freebsd.org/base/head
    $ cd head/crypto/openssh
    $ sh freebsd-pre-merge.sh

09) Merge from the vendor branch:

    $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .

0A) Resolve conflicts.  Remember to bump the version addendum in
    version.h, and update the default value in ssh{,d}_config and
    ssh{,d}_config.5.

0B) Diff against the vendor branch:

    $ svn diff \^/vendor-crypto/openssh/dist .

    Files that have modifications relative to the vendor code, and
    only those files, must have the svn:keywords property set to
    FreeBSD=%H and be listed in the 'keywords' file created by the
    pre-merge script.

0C) Run the post-merge script:

    $ sh freebsd-post-merge.sh

0D) Run the configure script:

    $ sh freebsd-configure.sh

0E) Check config.h very carefully.

0F) If source files have been added or removed, update the appropriate
    makefiles to reflect changes in the vendor's Makefile.in.

10) Build libssh:

    $ cd ../../secure/lib/libssh && make obj && make depend && make

11) Follow the instructions in ssh_namespace.h to get a list of new
    symbols, and add them to ssh_namespace.h.  Keep it sorted!

12) Build and install world, reboot, test.  Pay particular attention
    to pam_ssh(8), which gropes inside libssh and will break if
    something significant changes or if ssh_namespace.h is out of
    whack.

13) Commit, and hunker down for the inevitable storm of complaints.
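The checklist above is meant to be typed by hand, but the three places where a slip matters most (verifying before unpacking in steps 02/03, the add/delete classification of step 05 and the svn:keywords invariant of step 0B) can be turned into small helpers.  The following is an added example, not part of the FreeBSD tree or its freebsd-*.sh scripts.  It assumes the tarball is named openssh-X.YpZ.tar.gz with a detached signature in openssh-X.YpZ.tar.gz.asc, that file names in the tree contain no whitespace, and that GPG and TAR may be overridden for testing; the svn stat output and file lists in the comments are constructed.

```sh
#!/bin/sh
# Added example (not FreeBSD or OpenSSH code): helpers for the import
# checklist.  Assumptions: tarball named openssh-X.YpZ.tar.gz with a detached
# signature in openssh-X.YpZ.tar.gz.asc; file names contain no whitespace;
# GPG and TAR may be overridden (e.g. GPG=false) for testing.

GPG=${GPG:-gpg}
TAR=${TAR:-tar}

# openssh_version openssh-9.9p9.tar.gz -> "9.9p9", the X.YpZ used in the commit
# and tag messages; fails on anything that is not an OpenSSH tarball name.
openssh_version() {
    case "$1" in
        openssh-*.tar.gz) v=${1#openssh-}; printf '%s\n' "${v%.tar.gz}" ;;
        *) return 1 ;;
    esac
}

# verify_and_unpack TARBALL: step 02 gating step 03.  Nothing is extracted
# unless gpg reports a good signature; a tarball whose .asc is missing or bad
# never reaches tar.  Passing both file names is the explicit form of the
# checklist's "gpg --verify openssh-X.YpZ.tar.gz.asc".  Note that gpg exits 0
# for a good signature by any key in the keyring, so the release key's
# fingerprint must have been checked when it was imported.
verify_and_unpack() {
    tarball=$1
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    [ -f "$tarball.asc" ] || { echo "missing $tarball.asc" >&2; return 1; }
    if ! "$GPG" --verify "$tarball.asc" "$tarball"; then
        echo "signature check FAILED for $tarball; not unpacking" >&2
        return 1
    fi
    "$TAR" xf "$tarball"
}

# svn_sync_plan < svn-stat-output: the awk of step 05 turned into a dry run
# that prints the svn rm / svn add commands instead of running them, so the
# list of added and deleted files can be reviewed before the commit.
svn_sync_plan() {
    awk '$1 == "!" { print "svn rm", $2 }
         $1 == "?" { print "svn add --no-auto-props", $2 }'
}

# keywords_check MODIFIED KEYWORDS: the step 0B invariant.  MODIFIED lists the
# files that differ from the vendor branch (one path per line, e.g. the paths
# from "svn diff --summarize"); KEYWORDS is the 'keywords' file written by the
# pre-merge script.  Reports files modified but not listed ("missing") and
# files listed but identical to the vendor code ("stale"); returns 1 if any.
keywords_check() {
    mod=$(sort -u "$1")
    kw=$(sort -u "$2")
    rc=0
    for f in $mod; do
        printf '%s\n' "$kw" | grep -qxF -- "$f" || { echo "missing: $f"; rc=1; }
    done
    for f in $kw; do
        printf '%s\n' "$mod" | grep -qxF -- "$f" || { echo "stale: $f"; rc=1; }
    done
    return $rc
}
```

Typical use after step 09 is `svn diff --summarize \^/vendor-crypto/openssh/dist . | awk '{ print $2 }' > modified` followed by `keywords_check modified keywords`; a non-zero exit means either a FreeBSD-modified file is missing from the keywords list or a file that no longer differs from the vendor code still carries the property.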



	  An overview of FreeBSD changes to OpenSSH-portable
	  ==================================================

XXX This section is out of date

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.
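   The addendum travels in the comment field of the SSH identification
   line, after the software version and a single space.  The following
   is an added example, not FreeBSD or OpenSSH code, that splits such a
   line into its three fields and flags a comment longer than the 40
   characters the text above allows; the banner in the usage line is a
   constructed value, not captured from a real host.

```sh
#!/bin/sh
# Added example (not FreeBSD or OpenSSH code): split an SSH identification
# line "SSH-protoversion-softwareversion SP comments CR LF" into its fields.
# The comment field is where FreeBSD's VersionAddendum ends up.

# ssh_banner_parse LINE: prints "protoversion|softwareversion|comments".
# Returns 1 if LINE is not an identification line, 2 if the comment field is
# longer than the 40 characters the text above states for the addendum.
ssh_banner_parse() {
    line=$(printf '%s' "$1" | tr -d '\r\n')   # drop the CR LF terminator
    case "$line" in
        SSH-*-*) ;;
        *) return 1 ;;
    esac
    rest=${line#SSH-}
    proto=${rest%%-*}              # e.g. "2.0"
    rest=${rest#*-}                # e.g. "OpenSSH_9.3 FreeBSD-20230316"
    software=${rest%% *}           # up to the first space
    comments=${rest#"$software"}
    comments=${comments#" "}       # empty when no addendum was sent
    printf '%s|%s|%s\n' "$proto" "$software" "$comments"
    [ ${#comments} -le 40 ] || return 2
}

# Usage with a constructed banner (not from a real host):
ssh_banner_parse 'SSH-2.0-OpenSSH_9.3 FreeBSD-20230316'
```

   Because the banner is sent in the clear before key exchange, the same
   parse run over a connection log is enough to inventory which hosts
   still advertise a pre-advisory patch level, which is exactly the
   trade-off VersionAddendum lets an administrator make.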

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - PasswordAuthentication defaults to "no".

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$