1ba11afccSDag-Erling Smørgrav FreeBSD maintainer's guide to OpenSSH-portable 2ba11afccSDag-Erling Smørgrav ============================================== 3ba11afccSDag-Erling Smørgrav 474c59ab7SEd Maste These instructions assume you have a clone of the FreeBSD git repo 574c59ab7SEd Maste main branch in src/freebsd/main, and will store vendor trees under 674c59ab7SEd Maste src/freebsd/vendor/. In addition, this assumes there is a "freebsd" 774c59ab7SEd Maste origin pointing to git(repo).freebsd.org/src.git. 874c59ab7SEd Maste 9cf783db1SDag-Erling Smørgrav00) Make sure your mail spool has plenty of free space. It'll fill up 10ba11afccSDag-Erling Smørgrav pretty fast once you're done with this checklist. 11ba11afccSDag-Erling Smørgrav 12cf783db1SDag-Erling Smørgrav01) Download the latest OpenSSH-portable tarball and signature from 139fcda2f4SEd Maste OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/). 14ba11afccSDag-Erling Smørgrav 15cf783db1SDag-Erling Smørgrav02) Verify the signature: 16ba11afccSDag-Erling Smørgrav 17cf783db1SDag-Erling Smørgrav $ gpg --verify openssh-X.YpZ.tar.gz.asc 181c71974bSDag-Erling Smørgrav 19cf783db1SDag-Erling Smørgrav03) Unpack the tarball in a suitable directory: 20ba11afccSDag-Erling Smørgrav 21cf783db1SDag-Erling Smørgrav $ tar xf openssh-X.YpZ.tar.gz 22e2fb0b2aSDag-Erling Smørgrav 2374c59ab7SEd Maste04) Copy to a vendor branch: 24ba11afccSDag-Erling Smørgrav 2574c59ab7SEd Maste $ cd src/freebsd/main 2674c59ab7SEd Maste $ git worktree add ../vendor/openssh freebsd/vendor/openssh 2774c59ab7SEd Maste $ cd ../vendor/openssh 2874c59ab7SEd Maste $ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./ 29ba11afccSDag-Erling Smørgrav 30cf783db1SDag-Erling Smørgrav05) Take care of added / deleted files: 31ba11afccSDag-Erling Smørgrav 3274c59ab7SEd Maste $ git add -A 33ba11afccSDag-Erling Smørgrav 34cf783db1SDag-Erling Smørgrav06) Commit: 35ba11afccSDag-Erling Smørgrav 3674c59ab7SEd Maste $ git commit -m "Vendor import of OpenSSH X.YpZ" 37ba11afccSDag-Erling Smørgrav 38cf783db1SDag-Erling Smørgrav07) Tag: 39ba11afccSDag-Erling Smørgrav 4074c59ab7SEd Maste $ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ 41ba11afccSDag-Erling Smørgrav 42576b477bSEd Maste At this point the vendor branch can be pushed to the FreeBSD repo via: 43576b477bSEd Maste 44576b477bSEd Maste $ git push freebsd vendor/openssh 45576b477bSEd Maste 46576b477bSEd Maste (It could also be pushed later on, along with the merge to main, but 47576b477bSEd Maste pushing now allows others to collaborate.) 48576b477bSEd Maste 490591b689SDag-Erling Smørgrav08) Check out head and run the pre-merge script, which strips our RCS 500591b689SDag-Erling Smørgrav tags from files that have them: 51e66498cdSDag-Erling Smørgrav 5274c59ab7SEd Maste $ cd src/freebsd/main/crypto/openssh 53cf783db1SDag-Erling Smørgrav $ sh freebsd-pre-merge.sh 54ba11afccSDag-Erling Smørgrav 55cf783db1SDag-Erling Smørgrav09) Merge from the vendor branch: 56ba11afccSDag-Erling Smørgrav 5774c59ab7SEd Maste $ git subtree merge -P crypto/openssh vendor/openssh 58cf783db1SDag-Erling Smørgrav 5999b201c3SEd Maste A number of files have been deleted from FreeBSD's copy of ssh, 6099b201c3SEd Maste including rendered man pages (which have a .0 extension). When 6174c59ab7SEd Maste git prompts for these deleted files during the merge, choose 'd' 6299b201c3SEd Maste (leaving them deleted). 6399b201c3SEd Maste 64cf783db1SDag-Erling Smørgrav0A) Resolve conflicts. Remember to bump the version addendum in 65cf783db1SDag-Erling Smørgrav version.h, and update the default value in ssh{,d}_config and 66cf783db1SDag-Erling Smørgrav ssh{,d}_config.5. 67cf783db1SDag-Erling Smørgrav 68cf783db1SDag-Erling Smørgrav0B) Diff against the vendor branch: 69cf783db1SDag-Erling Smørgrav 7074c59ab7SEd Maste $ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh 71cf783db1SDag-Erling Smørgrav 72cf783db1SDag-Erling Smørgrav Files that have modifications relative to the vendor code, and 73cf783db1SDag-Erling Smørgrav only those files, must have the svn:keywords property set to 74cf783db1SDag-Erling Smørgrav FreeBSD=%H and be listed in the 'keywords' file created by the 75cf783db1SDag-Erling Smørgrav pre-merge script. 76cf783db1SDag-Erling Smørgrav 770591b689SDag-Erling Smørgrav0C) Run the post-merge script, which re-adds RCS tags to files that 780591b689SDag-Erling Smørgrav need them: 79cf783db1SDag-Erling Smørgrav 80cf783db1SDag-Erling Smørgrav $ sh freebsd-post-merge.sh 81cf783db1SDag-Erling Smørgrav 8274c59ab7SEd Maste These tags are not used with git, but we will leave them in place as 8374c59ab7SEd Maste long as svn-based FreeBSD 11.x and 12.x are supported. 8474c59ab7SEd Maste 85cf783db1SDag-Erling Smørgrav0D) Run the configure script: 86cf783db1SDag-Erling Smørgrav 87cf783db1SDag-Erling Smørgrav $ sh freebsd-configure.sh 88cf783db1SDag-Erling Smørgrav 890591b689SDag-Erling Smørgrav0E) Review changes to config.h very carefully. 90cf783db1SDag-Erling Smørgrav 914c3ccd96SEd Maste Note that libwrap should not be defined in config.h; as of 9274c59ab7SEd Maste r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS. 934c3ccd96SEd Maste 94cf783db1SDag-Erling Smørgrav0F) If source files have been added or removed, update the appropriate 95e66498cdSDag-Erling Smørgrav makefiles to reflect changes in the vendor's Makefile.in. 96ba11afccSDag-Erling Smørgrav 974f52dfbbSDag-Erling Smørgrav10) Update ssh_namespace.h: 98ba11afccSDag-Erling Smørgrav 994f52dfbbSDag-Erling Smørgrav $ sh freebsd-namespace.sh 100e66498cdSDag-Erling Smørgrav 1014f52dfbbSDag-Erling Smørgrav11) Build and install world, reboot, test. Pay particular attention 102cf783db1SDag-Erling Smørgrav to pam_ssh(8), which gropes inside libssh and will break if 103cf783db1SDag-Erling Smørgrav something significant changes or if ssh_namespace.h is out of 104cf783db1SDag-Erling Smørgrav whack. 105cf783db1SDag-Erling Smørgrav 1064f52dfbbSDag-Erling Smørgrav12) Commit, and hunker down for the inevitable storm of complaints. 107ba11afccSDag-Erling Smørgrav 108ba11afccSDag-Erling Smørgrav 109ba11afccSDag-Erling Smørgrav 110ba11afccSDag-Erling Smørgrav An overview of FreeBSD changes to OpenSSH-portable 111ba11afccSDag-Erling Smørgrav ================================================== 112ba11afccSDag-Erling Smørgrav 113519496a5SEd Maste* don't free string returned by login_getcapstr(3) 114519496a5SEd Maste 115519496a5SEd Maste Committed upstream as f060c2bc85d59d111fa18a12eb3872ee4b9f7e97 116519496a5SEd Maste 117519496a5SEd Maste* Use login_getpwclass() instead of login_getclass() 118519496a5SEd Maste 119519496a5SEd Maste Committed upstream as 3d05e5881ceb2e48e1948ba14292216b56ed792e 120519496a5SEd Maste 121ba11afccSDag-Erling Smørgrav0) VersionAddendum 122ba11afccSDag-Erling Smørgrav 123ba11afccSDag-Erling Smørgrav The SSH protocol allows for a human-readable version string of up 124ba11afccSDag-Erling Smørgrav to 40 characters to be appended to the protocol version string. 125ba11afccSDag-Erling Smørgrav FreeBSD takes advantage of this to include a date indicating the 126ba11afccSDag-Erling Smørgrav "patch level", so people can easily determine whether their system 127ba11afccSDag-Erling Smørgrav is vulnerable when an OpenSSH advisory goes out. Some people, 128ba11afccSDag-Erling Smørgrav however, dislike advertising their patch level in the protocol 129ba11afccSDag-Erling Smørgrav handshake, so we've added a VersionAddendum configuration variable 1300591b689SDag-Erling Smørgrav to allow them to change or disable it. Upstream added support for 1310591b689SDag-Erling Smørgrav VersionAddendum on the server side, but we also support it on the 1320591b689SDag-Erling Smørgrav client side. 133ba11afccSDag-Erling Smørgrav 134ba11afccSDag-Erling Smørgrav1) Modified server-side defaults 135ba11afccSDag-Erling Smørgrav 136ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in sshd: 137ba11afccSDag-Erling Smørgrav 1380591b689SDag-Erling Smørgrav - UsePAM defaults to "yes". 139ba11afccSDag-Erling Smørgrav - PermitRootLogin defaults to "no". 1400591b689SDag-Erling Smørgrav - X11Forwarding defaults to "yes". 1410591b689SDag-Erling Smørgrav - PasswordAuthentication defaults to "no". 1420591b689SDag-Erling Smørgrav - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 1430591b689SDag-Erling Smørgrav - PrivilegeSeparation defaults to "sandbox". 144c4cd1fa4SDag-Erling Smørgrav - UseDNS defaults to "yes". 145ba11afccSDag-Erling Smørgrav 146ba11afccSDag-Erling Smørgrav2) Modified client-side defaults 147ba11afccSDag-Erling Smørgrav 148ba11afccSDag-Erling Smørgrav We've modified some configuration defaults in ssh: 149ba11afccSDag-Erling Smørgrav 150ba11afccSDag-Erling Smørgrav - CheckHostIP defaults to "no". 1510591b689SDag-Erling Smørgrav - VerifyHostKeyDNS defaults to "yes" if built with LDNS. 1520591b689SDag-Erling Smørgrav - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 153ba11afccSDag-Erling Smørgrav 154ba11afccSDag-Erling Smørgrav3) Canonic host names 155ba11afccSDag-Erling Smørgrav 156ba11afccSDag-Erling Smørgrav We've added code to ssh.c to canonicize the target host name after 157ba11afccSDag-Erling Smørgrav reading options but before trying to connect. This eliminates the 158ba11afccSDag-Erling Smørgrav usual problem with duplicate known_hosts entries. 159ba11afccSDag-Erling Smørgrav 160cb7b8027SDag-Erling Smørgrav4) setusercontext() environment 161ba11afccSDag-Erling Smørgrav 162ba11afccSDag-Erling Smørgrav Our setusercontext(3) can set environment variables, which we must 163ba11afccSDag-Erling Smørgrav take care to transfer to the child's environment. 164ba11afccSDag-Erling Smørgrav 1650591b689SDag-Erling Smørgrav5) TCP wrappers 1660591b689SDag-Erling Smørgrav 1670591b689SDag-Erling Smørgrav Support for TCP wrappers was removed in upstream 6.7p1. We've 1680591b689SDag-Erling Smørgrav added it back by porting the 6.6p1 code forward. 1690591b689SDag-Erling Smørgrav 170e491358cSEd Maste TCP wrappers support in sshd will be disabled in HEAD and will 171e491358cSEd Maste be removed from FreeBSD in the future. 172e491358cSEd Maste 1739ded3306SDag-Erling Smørgrav6) Agent client reference counting 1740591b689SDag-Erling Smørgrav 1750591b689SDag-Erling Smørgrav We've added code to ssh-agent.c to implement client reference 1760591b689SDag-Erling Smørgrav counting; the agent will automatically exit when the last client 1770591b689SDag-Erling Smørgrav disconnects. 1780591b689SDag-Erling Smørgrav 179*f3fd8850SEd Maste7) Class-based login restrictions (27ceebbc2402) 1800591b689SDag-Erling Smørgrav 181*f3fd8850SEd Maste We've added code to auth.c to enforce the host.allow, host.deny, 182*f3fd8850SEd Maste times.allow and times.deny login class capabilities, based on an 183*f3fd8850SEd Maste upstream submission from 184*f3fd8850SEd Maste https://github.com/openssh/openssh-portable/pull/262. 18535a03425SEd Maste 1869ded3306SDag-Erling Smørgrav8) HPN 1870591b689SDag-Erling Smørgrav 1880591b689SDag-Erling Smørgrav We no longer have the HPN patches (adaptive buffer size for 1890591b689SDag-Erling Smørgrav increased throughput on high-BxD links), but we recognize and 1900591b689SDag-Erling Smørgrav ignore HPN-related configuration options to avoid breaking existing 1910591b689SDag-Erling Smørgrav configurations. 1920591b689SDag-Erling Smørgrav 193ba11afccSDag-Erling Smørgrav 194ba11afccSDag-Erling Smørgrav 195ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI 1960085282bSDag-Erling SmørgravLabs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., 197ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker. 198ba11afccSDag-Erling Smørgrav 199ba11afccSDag-Erling Smørgrav -- des@FreeBSD.org 200ba11afccSDag-Erling Smørgrav 201ba11afccSDag-Erling Smørgrav$FreeBSD$ 202