1ba11afccSDag-Erling Smørgrav 2ba11afccSDag-Erling Smørgrav 3ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 4ba11afccSDag-Erling Smørgrav ============================================== 5ba11afccSDag-Erling Smørgrav 6ba11afccSDag-Erling Smørgrav 7ba11afccSDag-Erling Smørgrav0) Make sure your mail spool has plenty of free space. It'll fill up 8ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 9ba11afccSDag-Erling Smørgrav 10ba11afccSDag-Erling Smørgrav1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP 11ba11afccSDag-Erling Smørgrav site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) 12ba11afccSDag-Erling Smørgrav 13ba11afccSDag-Erling Smørgrav2) Unpack the tarball in a suitable directory. 14ba11afccSDag-Erling Smørgrav 15ba11afccSDag-Erling Smørgrav3) Remove trash: 16ba11afccSDag-Erling Smørgrav 17e2fb0b2aSDag-Erling Smørgrav $ tail +2 /usr/src/crypto/openssh/FREEBSD-Xlist | 18e2fb0b2aSDag-Erling Smørgrav while read glob ; do eval "rm -rvf $glob" ; done 19ba11afccSDag-Erling Smørgrav 20ba11afccSDag-Erling Smørgrav Make sure that took care of everything, and if it didn't, make sure 21e2fb0b2aSDag-Erling Smørgrav to update FREEBSD-Xlist so you won't miss it the next time. A good 22e2fb0b2aSDag-Erling Smørgrav way to do this is to run a test import and see if any new files 23e2fb0b2aSDag-Erling Smørgrav show up: 24e2fb0b2aSDag-Erling Smørgrav 25e2fb0b2aSDag-Erling Smørgrav $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N 26ba11afccSDag-Erling Smørgrav 27ba11afccSDag-Erling Smørgrav4) Import the sources: 28ba11afccSDag-Erling Smørgrav 29b8110726SJun Kuriyama $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ 30ba11afccSDag-Erling Smørgrav 31ba11afccSDag-Erling Smørgrav5) Resolve conflicts. Remember to bump the version number and 32e2fb0b2aSDag-Erling Smørgrav addendum in version.h, and update the default value in 33e2fb0b2aSDag-Erling Smørgrav ssh{,d}_config and ssh{,d}_config.5. 34ba11afccSDag-Erling Smørgrav 35ba11afccSDag-Erling Smørgrav6) Generate configure and config.h.in: 36ba11afccSDag-Erling Smørgrav 37ba11afccSDag-Erling Smørgrav $ autoconf 38ba11afccSDag-Erling Smørgrav $ autoheader 39ba11afccSDag-Erling Smørgrav 40ba11afccSDag-Erling Smørgrav Note: this requires a recent version of autoconf, not autoconf213. 41ba11afccSDag-Erling Smørgrav 42ba11afccSDag-Erling Smørgrav7) Run configure with the appropriate arguments: 43ba11afccSDag-Erling Smørgrav 44ba11afccSDag-Erling Smørgrav $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ 4521f19a0cSDag-Erling Smørgrav --with-pam --with-tcp-wrappers 46ba11afccSDag-Erling Smørgrav 47ba11afccSDag-Erling Smørgrav Note that we don't want to configure OpenSSH for Kerberos using 48ba11afccSDag-Erling Smørgrav configure since we have to be able to turn it on or off depending 49e2fb0b2aSDag-Erling Smørgrav on the value of NO_KERBEROS. Our Makefiles take care of this. 50ba11afccSDag-Erling Smørgrav 51ba11afccSDag-Erling Smørgrav8) Commit the resulting config.h. Make sure you don't accidentally 52ba11afccSDag-Erling Smørgrav commit any other files created by autoconf, autoheader or 53ba11afccSDag-Erling Smørgrav configure; they'll just clutter up the repo and cause trouble at 54ba11afccSDag-Erling Smørgrav the next upgrade. 55ba11afccSDag-Erling Smørgrav 56ba11afccSDag-Erling Smørgrav9) Build and test. 57ba11afccSDag-Erling Smørgrav 58ba11afccSDag-Erling SmørgravA) Re-commit everything on freefall (you *did* use a test repo for 59ba11afccSDag-Erling Smørgrav this, didn't you?) 60ba11afccSDag-Erling Smørgrav 61ba11afccSDag-Erling Smørgrav 62ba11afccSDag-Erling Smørgrav 63ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 64ba11afccSDag-Erling Smørgrav ================================================== 65ba11afccSDag-Erling Smørgrav 66ba11afccSDag-Erling Smørgrav0) VersionAddendum 67ba11afccSDag-Erling Smørgrav 68ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 69ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 70ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 71ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 72ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 73ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 74ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 75ba11afccSDag-Erling Smørgrav to allow them to change or disable it. 76ba11afccSDag-Erling Smørgrav 77ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 78ba11afccSDag-Erling Smørgrav 79ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 80ba11afccSDag-Erling Smørgrav 81ba11afccSDag-Erling Smørgrav - For protocol version 2, we don't load RSA host keys by 82ba11afccSDag-Erling Smørgrav default. If both RSA and DSA keys are present, we prefer DSA 83ba11afccSDag-Erling Smørgrav to RSA. 84ba11afccSDag-Erling Smørgrav 85ba11afccSDag-Erling Smørgrav - LoginGraceTime defaults to 120 seconds instead of 600. 86ba11afccSDag-Erling Smørgrav 87ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 88ba11afccSDag-Erling Smørgrav 89ba11afccSDag-Erling Smørgrav - X11Forwarding defaults to "yes" (it's a threat to the client, 90ba11afccSDag-Erling Smørgrav not to the server.) 91ba11afccSDag-Erling Smørgrav 92ba11afccSDag-Erling Smørgrav - Unless the config file says otherwise, we automatically enable 93ba11afccSDag-Erling Smørgrav Kerberos support if an appropriate keytab is present. 94ba11afccSDag-Erling Smørgrav 95ba11afccSDag-Erling Smørgrav - PAMAuthenticationViaKbdInt defaults to "yes". 96ba11afccSDag-Erling Smørgrav 97ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 98ba11afccSDag-Erling Smørgrav 99ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 100ba11afccSDag-Erling Smørgrav 101ba11afccSDag-Erling Smørgrav - For protocol version 2, if both RSA and DSA keys are present, 102ba11afccSDag-Erling Smørgrav we prefer DSA to RSA. 103ba11afccSDag-Erling Smørgrav 104ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 105ba11afccSDag-Erling Smørgrav 106ba11afccSDag-Erling Smørgrav3) Canonic host names 107ba11afccSDag-Erling Smørgrav 108ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 109ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 110ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 111ba11afccSDag-Erling Smørgrav 112ba11afccSDag-Erling Smørgrav4) OPIE 113ba11afccSDag-Erling Smørgrav 114ba11afccSDag-Erling Smørgrav We've added support for using OPIE as a drop-in replacement for 115ba11afccSDag-Erling Smørgrav S/Key. 116ba11afccSDag-Erling Smørgrav 117ba11afccSDag-Erling Smørgrav5) PAM 118ba11afccSDag-Erling Smørgrav 119ba11afccSDag-Erling Smørgrav We use our own PAM code, which wraps PAM in a KbdintDevice and 120ba11afccSDag-Erling Smørgrav works with privsep, instead of OpenSSH's own PAM code. 121ba11afccSDag-Erling Smørgrav 122ba11afccSDag-Erling Smørgrav6) setusercontext() environment 123ba11afccSDag-Erling Smørgrav 124ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 125ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 126ba11afccSDag-Erling Smørgrav 127ba11afccSDag-Erling Smørgrav 128ba11afccSDag-Erling Smørgrav 129ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 130ba11afccSDag-Erling SmørgravLabs, ThinkSec, Nescaf�, the Aberlour Glenlivet Distillery Co., 131ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 132ba11afccSDag-Erling Smørgrav 133ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 134ba11afccSDag-Erling Smørgrav 135ba11afccSDag-Erling Smørgrav$FreeBSD$ 136