xref: /freebsd/crypto/openssh/FREEBSD-upgrade (revision f3fd88507489f6b80402ab7a0fb195ca9c708334)
1ba11afccSDag-Erling Smørgrav	    FreeBSD maintainer's guide to OpenSSH-portable
2ba11afccSDag-Erling Smørgrav	    ==============================================
3ba11afccSDag-Erling Smørgrav
474c59ab7SEd Maste    These instructions assume you have a clone of the FreeBSD git repo
574c59ab7SEd Maste    main branch in src/freebsd/main, and will store vendor trees under
674c59ab7SEd Maste    src/freebsd/vendor/.  In addition, this assumes there is a "freebsd"
774c59ab7SEd Maste    origin pointing to git(repo).freebsd.org/src.git.
874c59ab7SEd Maste
9cf783db1SDag-Erling Smørgrav00) Make sure your mail spool has plenty of free space.  It'll fill up
10ba11afccSDag-Erling Smørgrav    pretty fast once you're done with this checklist.
11ba11afccSDag-Erling Smørgrav
12cf783db1SDag-Erling Smørgrav01) Download the latest OpenSSH-portable tarball and signature from
139fcda2f4SEd Maste    OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
14ba11afccSDag-Erling Smørgrav
15cf783db1SDag-Erling Smørgrav02) Verify the signature:
16ba11afccSDag-Erling Smørgrav
17cf783db1SDag-Erling Smørgrav    $ gpg --verify openssh-X.YpZ.tar.gz.asc
181c71974bSDag-Erling Smørgrav
19cf783db1SDag-Erling Smørgrav03) Unpack the tarball in a suitable directory:
20ba11afccSDag-Erling Smørgrav
21cf783db1SDag-Erling Smørgrav    $ tar xf openssh-X.YpZ.tar.gz
22e2fb0b2aSDag-Erling Smørgrav
2374c59ab7SEd Maste04) Copy to a vendor branch:
24ba11afccSDag-Erling Smørgrav
2574c59ab7SEd Maste    $ cd src/freebsd/main
2674c59ab7SEd Maste    $ git worktree add ../vendor/openssh freebsd/vendor/openssh
2774c59ab7SEd Maste    $ cd ../vendor/openssh
2874c59ab7SEd Maste    $ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./
29ba11afccSDag-Erling Smørgrav
30cf783db1SDag-Erling Smørgrav05) Take care of added / deleted files:
31ba11afccSDag-Erling Smørgrav
3274c59ab7SEd Maste    $ git add -A
33ba11afccSDag-Erling Smørgrav
34cf783db1SDag-Erling Smørgrav06) Commit:
35ba11afccSDag-Erling Smørgrav
3674c59ab7SEd Maste    $ git commit -m "Vendor import of OpenSSH X.YpZ"
37ba11afccSDag-Erling Smørgrav
38cf783db1SDag-Erling Smørgrav07) Tag:
39ba11afccSDag-Erling Smørgrav
4074c59ab7SEd Maste    $ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ
41ba11afccSDag-Erling Smørgrav
42576b477bSEd Maste    At this point the vendor branch can be pushed to the FreeBSD repo via:
43576b477bSEd Maste
44576b477bSEd Maste    $ git push freebsd vendor/openssh
45576b477bSEd Maste
46576b477bSEd Maste    (It could also be pushed later on, along with the merge to main, but
47576b477bSEd Maste    pushing now allows others to collaborate.)
48576b477bSEd Maste
490591b689SDag-Erling Smørgrav08) Check out head and run the pre-merge script, which strips our RCS
500591b689SDag-Erling Smørgrav    tags from files that have them:
51e66498cdSDag-Erling Smørgrav
5274c59ab7SEd Maste    $ cd src/freebsd/main/crypto/openssh
53cf783db1SDag-Erling Smørgrav    $ sh freebsd-pre-merge.sh
54ba11afccSDag-Erling Smørgrav
55cf783db1SDag-Erling Smørgrav09) Merge from the vendor branch:
56ba11afccSDag-Erling Smørgrav
5774c59ab7SEd Maste    $ git subtree merge -P crypto/openssh vendor/openssh
58cf783db1SDag-Erling Smørgrav
5999b201c3SEd Maste    A number of files have been deleted from FreeBSD's copy of ssh,
6099b201c3SEd Maste    including rendered man pages (which have a .0 extension).  When
6174c59ab7SEd Maste    git prompts for these deleted files during the merge, choose 'd'
6299b201c3SEd Maste    (leaving them deleted).
6399b201c3SEd Maste
64cf783db1SDag-Erling Smørgrav0A) Resolve conflicts.  Remember to bump the version addendum in
65cf783db1SDag-Erling Smørgrav    version.h, and update the default value in ssh{,d}_config and
66cf783db1SDag-Erling Smørgrav    ssh{,d}_config.5.
67cf783db1SDag-Erling Smørgrav
68cf783db1SDag-Erling Smørgrav0B) Diff against the vendor branch:
69cf783db1SDag-Erling Smørgrav
7074c59ab7SEd Maste    $ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh
71cf783db1SDag-Erling Smørgrav
72cf783db1SDag-Erling Smørgrav    Files that have modifications relative to the vendor code, and
73cf783db1SDag-Erling Smørgrav    only those files, must have the svn:keywords property set to
74cf783db1SDag-Erling Smørgrav    FreeBSD=%H and be listed in the 'keywords' file created by the
75cf783db1SDag-Erling Smørgrav    pre-merge script.
76cf783db1SDag-Erling Smørgrav
770591b689SDag-Erling Smørgrav0C) Run the post-merge script, which re-adds RCS tags to files that
780591b689SDag-Erling Smørgrav    need them:
79cf783db1SDag-Erling Smørgrav
80cf783db1SDag-Erling Smørgrav    $ sh freebsd-post-merge.sh
81cf783db1SDag-Erling Smørgrav
8274c59ab7SEd Maste    These tags are not used with git, but we will leave them in place as
8374c59ab7SEd Maste    long as svn-based FreeBSD 11.x and 12.x are supported.
8474c59ab7SEd Maste
85cf783db1SDag-Erling Smørgrav0D) Run the configure script:
86cf783db1SDag-Erling Smørgrav
87cf783db1SDag-Erling Smørgrav    $ sh freebsd-configure.sh
88cf783db1SDag-Erling Smørgrav
890591b689SDag-Erling Smørgrav0E) Review changes to config.h very carefully.
90cf783db1SDag-Erling Smørgrav
914c3ccd96SEd Maste    Note that libwrap should not be defined in config.h; as of
9274c59ab7SEd Maste    r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS.
934c3ccd96SEd Maste
94cf783db1SDag-Erling Smørgrav0F) If source files have been added or removed, update the appropriate
95e66498cdSDag-Erling Smørgrav    makefiles to reflect changes in the vendor's Makefile.in.
96ba11afccSDag-Erling Smørgrav
974f52dfbbSDag-Erling Smørgrav10) Update ssh_namespace.h:
98ba11afccSDag-Erling Smørgrav
994f52dfbbSDag-Erling Smørgrav    $ sh freebsd-namespace.sh
100e66498cdSDag-Erling Smørgrav
1014f52dfbbSDag-Erling Smørgrav11) Build and install world, reboot, test.  Pay particular attention
102cf783db1SDag-Erling Smørgrav    to pam_ssh(8), which gropes inside libssh and will break if
103cf783db1SDag-Erling Smørgrav    something significant changes or if ssh_namespace.h is out of
104cf783db1SDag-Erling Smørgrav    whack.
105cf783db1SDag-Erling Smørgrav
1064f52dfbbSDag-Erling Smørgrav12) Commit, and hunker down for the inevitable storm of complaints.
107ba11afccSDag-Erling Smørgrav
108ba11afccSDag-Erling Smørgrav
109ba11afccSDag-Erling Smørgrav
110ba11afccSDag-Erling Smørgrav	  An overview of FreeBSD changes to OpenSSH-portable
111ba11afccSDag-Erling Smørgrav	  ==================================================
112ba11afccSDag-Erling Smørgrav
113519496a5SEd Maste* don't free string returned by login_getcapstr(3)
114519496a5SEd Maste
115519496a5SEd Maste  Committed upstream as f060c2bc85d59d111fa18a12eb3872ee4b9f7e97
116519496a5SEd Maste
117519496a5SEd Maste* Use login_getpwclass() instead of login_getclass()
118519496a5SEd Maste
119519496a5SEd Maste  Committed upstream as 3d05e5881ceb2e48e1948ba14292216b56ed792e
120519496a5SEd Maste
121ba11afccSDag-Erling Smørgrav0) VersionAddendum
122ba11afccSDag-Erling Smørgrav
123ba11afccSDag-Erling Smørgrav   The SSH protocol allows for a human-readable version string of up
124ba11afccSDag-Erling Smørgrav   to 40 characters to be appended to the protocol version string.
125ba11afccSDag-Erling Smørgrav   FreeBSD takes advantage of this to include a date indicating the
126ba11afccSDag-Erling Smørgrav   "patch level", so people can easily determine whether their system
127ba11afccSDag-Erling Smørgrav   is vulnerable when an OpenSSH advisory goes out.  Some people,
128ba11afccSDag-Erling Smørgrav   however, dislike advertising their patch level in the protocol
129ba11afccSDag-Erling Smørgrav   handshake, so we've added a VersionAddendum configuration variable
1300591b689SDag-Erling Smørgrav   to allow them to change or disable it.  Upstream added support for
1310591b689SDag-Erling Smørgrav   VersionAddendum on the server side, but we also support it on the
1320591b689SDag-Erling Smørgrav   client side.
133ba11afccSDag-Erling Smørgrav
134ba11afccSDag-Erling Smørgrav1) Modified server-side defaults
135ba11afccSDag-Erling Smørgrav
136ba11afccSDag-Erling Smørgrav   We've modified some configuration defaults in sshd:
137ba11afccSDag-Erling Smørgrav
1380591b689SDag-Erling Smørgrav      - UsePAM defaults to "yes".
139ba11afccSDag-Erling Smørgrav      - PermitRootLogin defaults to "no".
1400591b689SDag-Erling Smørgrav      - X11Forwarding defaults to "yes".
1410591b689SDag-Erling Smørgrav      - PasswordAuthentication defaults to "no".
1420591b689SDag-Erling Smørgrav      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
1430591b689SDag-Erling Smørgrav      - PrivilegeSeparation defaults to "sandbox".
144c4cd1fa4SDag-Erling Smørgrav      - UseDNS defaults to "yes".
145ba11afccSDag-Erling Smørgrav
146ba11afccSDag-Erling Smørgrav2) Modified client-side defaults
147ba11afccSDag-Erling Smørgrav
148ba11afccSDag-Erling Smørgrav   We've modified some configuration defaults in ssh:
149ba11afccSDag-Erling Smørgrav
150ba11afccSDag-Erling Smørgrav      - CheckHostIP defaults to "no".
1510591b689SDag-Erling Smørgrav      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
1520591b689SDag-Erling Smørgrav      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
153ba11afccSDag-Erling Smørgrav
154ba11afccSDag-Erling Smørgrav3) Canonic host names
155ba11afccSDag-Erling Smørgrav
156ba11afccSDag-Erling Smørgrav   We've added code to ssh.c to canonicize the target host name after
157ba11afccSDag-Erling Smørgrav   reading options but before trying to connect.  This eliminates the
158ba11afccSDag-Erling Smørgrav   usual problem with duplicate known_hosts entries.
159ba11afccSDag-Erling Smørgrav
160cb7b8027SDag-Erling Smørgrav4) setusercontext() environment
161ba11afccSDag-Erling Smørgrav
162ba11afccSDag-Erling Smørgrav   Our setusercontext(3) can set environment variables, which we must
163ba11afccSDag-Erling Smørgrav   take care to transfer to the child's environment.
164ba11afccSDag-Erling Smørgrav
1650591b689SDag-Erling Smørgrav5) TCP wrappers
1660591b689SDag-Erling Smørgrav
1670591b689SDag-Erling Smørgrav   Support for TCP wrappers was removed in upstream 6.7p1.  We've
1680591b689SDag-Erling Smørgrav   added it back by porting the 6.6p1 code forward.
1690591b689SDag-Erling Smørgrav
170e491358cSEd Maste   TCP wrappers support in sshd will be disabled in HEAD and will
171e491358cSEd Maste   be removed from FreeBSD in the future.
172e491358cSEd Maste
1739ded3306SDag-Erling Smørgrav6) Agent client reference counting
1740591b689SDag-Erling Smørgrav
1750591b689SDag-Erling Smørgrav   We've added code to ssh-agent.c to implement client reference
1760591b689SDag-Erling Smørgrav   counting; the agent will automatically exit when the last client
1770591b689SDag-Erling Smørgrav   disconnects.
1780591b689SDag-Erling Smørgrav
179*f3fd8850SEd Maste7) Class-based login restrictions (27ceebbc2402)
1800591b689SDag-Erling Smørgrav
181*f3fd8850SEd Maste   We've added code to auth.c to enforce the host.allow, host.deny,
182*f3fd8850SEd Maste   times.allow and times.deny login class capabilities, based on an
183*f3fd8850SEd Maste   upstream submission from
184*f3fd8850SEd Maste   https://github.com/openssh/openssh-portable/pull/262.
18535a03425SEd Maste
1869ded3306SDag-Erling Smørgrav8) HPN
1870591b689SDag-Erling Smørgrav
1880591b689SDag-Erling Smørgrav   We no longer have the HPN patches (adaptive buffer size for
1890591b689SDag-Erling Smørgrav   increased throughput on high-BxD links), but we recognize and
1900591b689SDag-Erling Smørgrav   ignore HPN-related configuration options to avoid breaking existing
1910591b689SDag-Erling Smørgrav   configurations.
1920591b689SDag-Erling Smørgrav
193ba11afccSDag-Erling Smørgrav
194ba11afccSDag-Erling Smørgrav
195ba11afccSDag-Erling SmørgravThis port was brought to you by (in no particular order) DARPA, NAI
1960085282bSDag-Erling SmørgravLabs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
197ba11afccSDag-Erling SmørgravSuzanne Vega, and a Sanford's #69 Deluxe Marker.
198ba11afccSDag-Erling Smørgrav
199ba11afccSDag-Erling Smørgrav					-- des@FreeBSD.org
200ba11afccSDag-Erling Smørgrav
201ba11afccSDag-Erling Smørgrav$FreeBSD$
202