            FreeBSD maintainer's guide to OpenSSH-portable
            ==============================================

[needs rewriting for svn]

0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

        $ tar xf openssh-X.YpZ.tar.gz \
                -X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.  A good
   way to do this is to run a test import and see if any new files
   show up:

        $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

        $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

        $ autoconf
        $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

        $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
                --with-pam --with-tcp-wrappers --with-libedit \
                --with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS.  Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh.  Follow the instructions in ssh_namespace.h to get a
   list of new symbols.  Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module.  It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



          An overview of FreeBSD changes to OpenSSH-portable
          ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - PasswordAuthentication defaults to "no".

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD$
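
Added example (not part of the original guide or of the FreeBSD/OpenSSH sources): a way to use the VersionAddendum described in the overview when checking your own hosts against an advisory. It assumes the addendum has the form "FreeBSD-YYYYMMDD"; the banners, the fix date and all function names are constructed for illustration.

```python
import re
from datetime import date

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_ID_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Assumption: the addendum embeds the patch level as YYYYMMDD ("FreeBSD-YYYYMMDD").
_DATE_RE = re.compile(r"(?<!\d)(\d{4})(\d{2})(\d{2})(?!\d)")
MAX_ADDENDUM = 40  # limit quoted in the VersionAddendum section


def parse_banner(line):
    """Split an SSH identification line into (protocol, software, addendum)."""
    m = _ID_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string")
    addendum = m.group("comments") or ""
    if len(addendum) > MAX_ADDENDUM:
        raise ValueError("addendum longer than 40 characters")
    return m.group("proto"), m.group("software"), addendum


def patch_date(addendum):
    """Return the date embedded in the addendum, or None if absent or invalid."""
    m = _DATE_RE.search(addendum)
    if m is None:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # digits that are not a calendar date, e.g. month 13
        return None


def assess(line, fixed_on):
    """Classify a host's banner against the date a fix was committed."""
    _, _, addendum = parse_banner(line)
    when = patch_date(addendum)
    if when is None:
        return "unknown"  # addendum changed or disabled: check on the host itself
    return "patched" if when >= fixed_on else "needs-update"


if __name__ == "__main__":
    fix = date(2008, 11, 20)  # constructed advisory fix date
    for banner in ("SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901\r\n",  # constructed samples
                   "SSH-2.0-OpenSSH_5.1p1 FreeBSD-20081201\r\n",
                   "SSH-2.0-OpenSSH_5.1p1\r\n"):
        print(banner.strip(), "->", assess(banner, fix))
```

A host whose administrator has emptied or rewritten VersionAddendum comes back as "unknown", so its patch level has to be confirmed locally rather than from the handshake.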