FreeBSD maintainer's guide to OpenSSH-portable
==============================================

XXX
XXX this needs a complete rewrite
XXX svn merge from vendor branch, resolve conflicts manually
XXX (see FREEBSD-tricks for tips on how to reduce conflicts)
XXX run freebsd-configure.sh to generate config.h and krb5_config.h
XXX svn diff Makefile.in to see if the Makefiles need adjusting
XXX

0) Make sure your mail spool has plenty of free space. It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

     $ tar xf openssh-X.YpZ.tar.gz \
           -X /usr/src/crypto/openssh/FREEBSD-Xlist

3) Remove trash:

   Make sure -X took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time. A good
   way to do this is to run a test import and see if any new files
   show up:

     $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N

4) Import the sources:

     $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts. Remember to bump the version number and
   addendum in version.h, and update the default value in
   ssh{,d}_config and ssh{,d}_config.5.

6) Generate configure and config.h.in:

     $ autoconf
     $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

     $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
           --with-pam --with-tcp-wrappers --with-libedit \
           --with-ssl-engine

   This will regenerate config.h, which must be committed along with
   the rest.

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MK_KERBEROS. Our Makefiles take care of this.

8) If source files have been added or removed, update the appropriate
   makefiles to reflect changes in the vendor's Makefile.in.

9) Build libssh. Follow the instructions in ssh_namespace.h to get a
   list of new symbols. Update ssh_namespace.h, build everything,
   install and test.

A) Build and test the pam_ssh PAM module. It gropes around libssh's
   internals and will break if something significant changes or if
   ssh_namespace.h is out of whack.

B) Re-commit everything on repoman (you *did* use a test repo for
   this, didn't you?)



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out. Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

    - PasswordAuthentication defaults to "no".

    - LoginGraceTime defaults to 120 seconds instead of 600.

    - PermitRootLogin defaults to "no".

    - X11Forwarding defaults to "yes" (it's a threat to the client,
      not to the server.)

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

    - CheckHostIP defaults to "no".

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name after
   reading options but before trying to connect. This eliminates the
   usual problem with duplicate known_hosts entries.
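   The identification line described under 0) VersionAddendum above
   is easy to audit from the defender's side: parse what a server
   sends and report whether it discloses a patch level or exceeds the
   40-character cap. This is an added example, not code from the
   FreeBSD tree or from OpenSSH; it assumes an addendum of the form
   FreeBSD-YYYYMMDD and uses constructed sample banners.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SSH identification line (RFC 4253, section 4.2):
#   "SSH-" protoversion "-" softwareversion [SP comments] CR LF
# sshd sends VersionAddendum in the comments field.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<addendum>.*))?$")
MAX_ADDENDUM = 40  # limit quoted in section 0 above

@dataclass
class SshBanner:
    proto: str
    software: str
    addendum: Optional[str]  # None when the peer sent no comment

def parse_banner(line: bytes) -> Optional[SshBanner]:
    """Parse one identification line; None if it is not an SSH banner."""
    if not line.isascii():
        return None
    m = _IDENT_RE.match(line.decode("ascii").rstrip("\r\n"))
    if m is None:
        return None
    return SshBanner(m.group("proto"), m.group("software"), m.group("addendum"))

def advertised_patch_level(banner: SshBanner) -> Optional[str]:
    """YYYYMMDD from an assumed 'FreeBSD-YYYYMMDD' addendum, else None."""
    if banner.addendum is None:
        return None
    m = re.search(r"\bFreeBSD-(\d{8})\b", banner.addendum)
    return m.group(1) if m else None

def audit_banner(line: bytes) -> list:
    """Defender-side findings: is a patch level disclosed? is the addendum over the cap?"""
    b = parse_banner(line)
    if b is None:
        return ["not an SSH identification line"]
    findings = []
    level = advertised_patch_level(b)
    if level is not None:
        findings.append(f"patch level disclosed: {level}")
    if b.addendum is not None and len(b.addendum) > MAX_ADDENDUM:
        findings.append(f"addendum is {len(b.addendum)} chars, over the {MAX_ADDENDUM}-char cap")
    return findings

# Constructed sample banners (not captured from any real host).
SAMPLES = [b"SSH-2.0-OpenSSH_9.7 FreeBSD-20240806\r\n",  # default: discloses patch date
           b"SSH-2.0-OpenSSH_9.7\r\n",                    # VersionAddendum none
           b"SSH-2.0-OpenSSH_9.7 " + b"x" * 41 + b"\r\n"]  # over the 40-char cap
```

   Running audit_banner over each entry of SAMPLES shows the three
   cases: patch level disclosed, nothing to report, and an over-long
   addendum.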

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD$