1ba11afccSDag-Erling Smørgrav 2ba11afccSDag-Erling Smørgrav 3ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 4ba11afccSDag-Erling Smørgrav ============================================== 5ba11afccSDag-Erling Smørgrav 6ba11afccSDag-Erling Smørgrav 7ba11afccSDag-Erling Smørgrav0) Make sure your mail spool has plenty of free space. It'll fill up 8ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 9ba11afccSDag-Erling Smørgrav 10ba11afccSDag-Erling Smørgrav1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP 11ba11afccSDag-Erling Smørgrav site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) 12ba11afccSDag-Erling Smørgrav 13ba11afccSDag-Erling Smørgrav2) Unpack the tarball in a suitable directory. 14ba11afccSDag-Erling Smørgrav 15ba11afccSDag-Erling Smørgrav3) Remove trash: 16ba11afccSDag-Erling Smørgrav 17d49dad04SDag-Erling Smørgrav $ sh -c 'while read glob ; do rm -rvf $glob ; done' \ 18d49dad04SDag-Erling Smørgrav </usr/src/crypto/openssh/FREEBSD-Xlist 19ba11afccSDag-Erling Smørgrav 20ba11afccSDag-Erling Smørgrav Make sure that took care of everything, and if it didn't, make sure 21e2fb0b2aSDag-Erling Smørgrav to update FREEBSD-Xlist so you won't miss it the next time. A good 22e2fb0b2aSDag-Erling Smørgrav way to do this is to run a test import and see if any new files 23e2fb0b2aSDag-Erling Smørgrav show up: 24e2fb0b2aSDag-Erling Smørgrav 25e2fb0b2aSDag-Erling Smørgrav $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N 26ba11afccSDag-Erling Smørgrav 27ba11afccSDag-Erling Smørgrav4) Import the sources: 28ba11afccSDag-Erling Smørgrav 29b8110726SJun Kuriyama $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ 30ba11afccSDag-Erling Smørgrav 31ba11afccSDag-Erling Smørgrav5) Resolve conflicts. Remember to bump the version number and 32e2fb0b2aSDag-Erling Smørgrav addendum in version.h, and update the default value in 33e2fb0b2aSDag-Erling Smørgrav ssh{,d}_config and ssh{,d}_config.5. 34ba11afccSDag-Erling Smørgrav 35ba11afccSDag-Erling Smørgrav6) Generate configure and config.h.in: 36ba11afccSDag-Erling Smørgrav 37ba11afccSDag-Erling Smørgrav $ autoconf 38ba11afccSDag-Erling Smørgrav $ autoheader 39ba11afccSDag-Erling Smørgrav 40ba11afccSDag-Erling Smørgrav Note: this requires a recent version of autoconf, not autoconf213. 41ba11afccSDag-Erling Smørgrav 42ba11afccSDag-Erling Smørgrav7) Run configure with the appropriate arguments: 43ba11afccSDag-Erling Smørgrav 44ba11afccSDag-Erling Smørgrav $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ 456dbd30e7SDag-Erling Smørgrav --with-pam --with-tcp-wrappers --with-libedit 46ba11afccSDag-Erling Smørgrav 47ba11afccSDag-Erling Smørgrav Note that we don't want to configure OpenSSH for Kerberos using 48ba11afccSDag-Erling Smørgrav configure since we have to be able to turn it on or off depending 49e1fe3dbaSRuslan Ermilov on the value of MK_KERBEROS. Our Makefiles take care of this. 50ba11afccSDag-Erling Smørgrav 51ba11afccSDag-Erling Smørgrav8) Commit the resulting config.h. Make sure you don't accidentally 52ba11afccSDag-Erling Smørgrav commit any other files created by autoconf, autoheader or 53ba11afccSDag-Erling Smørgrav configure; they'll just clutter up the repo and cause trouble at 54ba11afccSDag-Erling Smørgrav the next upgrade. 55ba11afccSDag-Erling Smørgrav 56ba11afccSDag-Erling Smørgrav9) Build and test. 57ba11afccSDag-Erling Smørgrav 58ba11afccSDag-Erling SmørgravA) Re-commit everything on freefall (you *did* use a test repo for 59ba11afccSDag-Erling Smørgrav this, didn't you?) 60ba11afccSDag-Erling Smørgrav 61ba11afccSDag-Erling Smørgrav 62ba11afccSDag-Erling Smørgrav 63ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 64ba11afccSDag-Erling Smørgrav ================================================== 65ba11afccSDag-Erling Smørgrav 66ba11afccSDag-Erling Smørgrav0) VersionAddendum 67ba11afccSDag-Erling Smørgrav 68ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 69ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 70ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 71ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 72ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 73ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 74ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 75ba11afccSDag-Erling Smørgrav to allow them to change or disable it. 76ba11afccSDag-Erling Smørgrav 77ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 78ba11afccSDag-Erling Smørgrav 79ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 80ba11afccSDag-Erling Smørgrav 813ee07a3aSDag-Erling Smørgrav - Protocol defaults to "2". 823ee07a3aSDag-Erling Smørgrav 833ee07a3aSDag-Erling Smørgrav - PasswordAuthentication defaults to "no" when PAM is enabled. 843ee07a3aSDag-Erling Smørgrav 85ba11afccSDag-Erling Smørgrav - For protocol version 2, we don't load RSA host keys by 86ba11afccSDag-Erling Smørgrav default. If both RSA and DSA keys are present, we prefer DSA 87ba11afccSDag-Erling Smørgrav to RSA. 88ba11afccSDag-Erling Smørgrav 89ba11afccSDag-Erling Smørgrav - LoginGraceTime defaults to 120 seconds instead of 600. 90ba11afccSDag-Erling Smørgrav 91ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 92ba11afccSDag-Erling Smørgrav 93ba11afccSDag-Erling Smørgrav - X11Forwarding defaults to "yes" (it's a threat to the client, 94ba11afccSDag-Erling Smørgrav not to the server.) 95ba11afccSDag-Erling Smørgrav 96ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 97ba11afccSDag-Erling Smørgrav 98ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 99ba11afccSDag-Erling Smørgrav 100ba11afccSDag-Erling Smørgrav - For protocol version 2, if both RSA and DSA keys are present, 101ba11afccSDag-Erling Smørgrav we prefer DSA to RSA. 102ba11afccSDag-Erling Smørgrav 103ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 104ba11afccSDag-Erling Smørgrav 105ba11afccSDag-Erling Smørgrav3) Canonic host names 106ba11afccSDag-Erling Smørgrav 107ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 108ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 109ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 110ba11afccSDag-Erling Smørgrav 111ba11afccSDag-Erling Smørgrav4) OPIE 112ba11afccSDag-Erling Smørgrav 113ba11afccSDag-Erling Smørgrav We've added support for using OPIE as a drop-in replacement for 114ba11afccSDag-Erling Smørgrav S/Key. 115ba11afccSDag-Erling Smørgrav 116c880b043SDag-Erling Smørgrav5) setusercontext() environment 117ba11afccSDag-Erling Smørgrav 118ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 119ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 120ba11afccSDag-Erling Smørgrav 121ba11afccSDag-Erling Smørgrav 122ba11afccSDag-Erling Smørgrav 123ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 124ba11afccSDag-Erling SmørgravLabs, ThinkSec, Nescaf�, the Aberlour Glenlivet Distillery Co., 125ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 126ba11afccSDag-Erling Smørgrav 127ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 128ba11afccSDag-Erling Smørgrav 129ba11afccSDag-Erling Smørgrav$FreeBSD$ 130