FreeBSD maintainer's guide to OpenSSH-portable
==============================================

0) Make sure your mail spool has plenty of free space. It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

3) Remove trash:

   $ rm -rf $(cat FREEBSD-Xlist)

   Make sure that took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.

4) Import the sources:

   $ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts. Remember to bump the version number and
   addendum in version.h.

6) Generate configure and config.h.in:

   $ autoconf
   $ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

   $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
       --with-pam --with-tcp-wrappers

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MAKE_KERBEROS[45]. Our Makefiles take care of
   this.

8) Commit the resulting config.h. Make sure you don't accidentally
   commit any other files created by autoconf, autoheader or
   configure; they'll just clutter up the repo and cause trouble at
   the next upgrade.

9) Build and test.

A) Re-commit everything on freefall (you *did* use a test repo for
   this, didn't you?)



An overview of FreeBSD changes to OpenSSH-portable
==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out. Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

     - For protocol version 2, we don't load RSA host keys by
       default. If both RSA and DSA keys are present, we prefer DSA
       to RSA.

     - LoginGraceTime defaults to 120 seconds instead of 600.

     - PermitRootLogin defaults to "no".

     - X11Forwarding defaults to "yes" (it's a threat to the client,
       not to the server.)

     - Unless the config file says otherwise, we automatically enable
       Kerberos support if an appropriate keytab is present.

     - PAMAuthenticationViaKbdInt defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

     - For protocol version 2, if both RSA and DSA keys are present,
       we prefer DSA to RSA.

     - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect. This eliminates the
   usual problem with duplicate known_hosts entries.

4) OPIE

   We've added support for using OPIE as a drop-in replacement for
   S/Key.

5) PAM

   We use our own PAM code, which wraps PAM in a KbdintDevice and
   works with privsep, instead of OpenSSH's own PAM code.

6) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.
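Steps 3 and 8 of the checklist above both hinge on a check the guide leaves to the maintainer: did the Xlist remove everything it should, and is anything generated by autoconf, autoheader or configure about to be committed alongside config.h? The script below is an added example, not part of the FreeBSD guide or of OpenSSH. It reproduces the word-splitting and glob expansion that `rm -rf $(cat FREEBSD-Xlist)` gets from the shell so the result can be previewed before deleting, and it walks the tree for generated byproducts. The byproduct names and the sample tree are assumptions constructed for the example; the guide names no such files.

```python
"""Added example, not part of the FreeBSD guide: preview/apply a FREEBSD-Xlist
and audit for autoconf byproducts before committing (steps 3 and 8).

The guide's `rm -rf $(cat FREEBSD-Xlist)` lets the shell split the file into
words and expand globs; the same expansion is done here in Python so it can
be previewed first. The byproduct names below are an assumption about what
autoconf, autoheader and configure leave behind; the guide names none.
"""
import glob
import os
import shutil
import tempfile

# Assumed names of generated files that must not go into the repo. config.h
# is absent on purpose: the guide says to commit that one.
GENERATED_BYPRODUCTS = frozenset([
    "configure", "config.h.in", "config.log", "config.status",
    "config.cache", "autom4te.cache", "Makefile",
])


def read_xlist(path):
    """Return the patterns in an Xlist, split on whitespace the way
    $(cat ...) would be split; '#' starts a comment."""
    patterns = []
    with open(path) as fh:
        for line in fh:
            patterns.extend(line.split("#", 1)[0].split())
    return patterns


def expand_xlist(root, patterns):
    """Expand the patterns relative to root the way the shell would and
    return the sorted, de-duplicated matches relative to root."""
    matches = set()
    for pat in patterns:
        for hit in glob.glob(os.path.join(root, pat)):
            matches.add(os.path.relpath(hit, root))
    return sorted(matches)


def apply_xlist(root, xlist_name="FREEBSD-Xlist", dry_run=True):
    """List (dry run) or delete everything the Xlist matches under root."""
    targets = expand_xlist(root, read_xlist(os.path.join(root, xlist_name)))
    if not dry_run:
        for rel in targets:
            full = os.path.join(root, rel)
            if os.path.isdir(full) and not os.path.islink(full):
                shutil.rmtree(full)
            else:
                os.remove(full)
    return targets


def find_generated(root):
    """Report generated byproducts anywhere under root (relative paths)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in GENERATED_BYPRODUCTS:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
        # autom4te.cache is reported as a unit, so do not descend into it
        dirnames[:] = [d for d in dirnames if d != "autom4te.cache"]
    return sorted(found)


def build_sample_tree():
    """Create a throwaway, constructed tree resembling an unpacked tarball on
    which autoconf and configure have already been run; returns its path."""
    root = tempfile.mkdtemp(prefix="openssh-xlist-")
    for rel in ("contrib/redhat/openssh.spec", "contrib/cygwin/README",
                "ssh.c", "config.h", "configure", "config.log",
                "autom4te.cache/requests"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    with open(os.path.join(root, "FREEBSD-Xlist"), "w") as fh:
        fh.write("# constructed Xlist for this example\n"
                 "contrib/cyg* contrib/redhat\n")
    return root


def run_demo():
    """Run the whole sequence on the sample tree and return what happened."""
    root = build_sample_tree()
    result = {"preview": apply_xlist(root)}            # dry run, nothing removed
    result["spec_before"] = os.path.exists(os.path.join(root, "contrib/redhat/openssh.spec"))
    result["removed"] = apply_xlist(root, dry_run=False)
    result["redhat_after"] = os.path.exists(os.path.join(root, "contrib/redhat"))
    result["ssh_c_kept"] = os.path.exists(os.path.join(root, "ssh.c"))
    result["stray"] = find_generated(root)             # would be committed by mistake
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running `apply_xlist` in dry-run mode first is the point: a pattern that is too broad shows up in the preview rather than in a missing file after the cvs import.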
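The VersionAddendum item above describes why the date is there: so an administrator can tell from the identification line whether a host carries a fix. The following is an added example, not code from the FreeBSD guide or from OpenSSH, that parses the identification line as RFC 4253 section 4.2 lays it out (`SSH-protoversion-softwareversion SP comments CR LF`, at most 255 characters), applies the 40-character limit the overview quotes to the comments field, and compares a `FreeBSD-YYYYMMDD` addendum against an advisory date. The banners, the advisory date and the `FreeBSD-YYYYMMDD` shape are constructed for the example, and the comparison assumes the addendum is bumped whenever a fix is merged, as step 5 of the checklist implies.

```python
"""Added example, not from the FreeBSD guide: parse the SSH identification
line and read the FreeBSD VersionAddendum out of it.

RFC 4253 4.2 gives the line as SSH-protoversion-softwareversion SP comments
CR LF and caps it at 255 characters; the 40-character limit on the comments
is the figure the overview quotes. The banners, dates and the
FreeBSD-YYYYMMDD shape of the addendum are constructed for this example.
"""
import re
from datetime import date

ADDENDUM_LIMIT = 40     # the overview's figure for the appended string
LINE_LIMIT = 255        # RFC 4253 section 4.2, including CR LF

# Constructed banner lines; the text after the space is the VersionAddendum.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030201\r\n",
    "SSH-2.0-OpenSSH_3.5p1 FreeBSD-20021029\r\n",
    "SSH-2.0-OpenSSH_3.5p1\r\n",               # addendum disabled by the admin
]
# Constructed advisory date for the fleet check below (not a real advisory).
EXAMPLE_ADVISORY = date(2003, 1, 15)

_ADDENDUM_DATE = re.compile(r"^FreeBSD-(\d{4})(\d{2})(\d{2})$")


def parse_identification(line):
    """Split an identification line into protoversion, softwareversion and
    addendum (None when absent). Raises ValueError on a malformed line."""
    if len(line.encode()) > LINE_LIMIT:
        raise ValueError("identification line exceeds %d bytes" % LINE_LIMIT)
    body = line.rstrip("\r\n")
    if not body.startswith("SSH-"):
        raise ValueError("not an SSH identification line")
    parts = body.split("-", 2)
    if len(parts) != 3:
        raise ValueError("missing softwareversion field")
    softwareversion, _, comments = parts[2].partition(" ")
    if len(comments) > ADDENDUM_LIMIT:
        raise ValueError("addendum longer than %d characters" % ADDENDUM_LIMIT)
    return {"protoversion": parts[1], "softwareversion": softwareversion,
            "addendum": comments or None}


def addendum_date(addendum):
    """Date encoded in a FreeBSD-YYYYMMDD addendum, or None if the addendum
    is absent or in some other form (an admin may have changed it)."""
    m = _ADDENDUM_DATE.match(addendum or "")
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    return date(year, month, day)


def patched_since(line, advisory_date):
    """True if the banner's patch level is on or after advisory_date, False
    if older, None if the banner carries no date. Assumes (as step 5 of the
    guide implies) that the addendum is bumped whenever a fix is merged."""
    when = addendum_date(parse_identification(line)["addendum"])
    return None if when is None else when >= advisory_date


def triage(banners, advisory_date):
    """Fleet check: (softwareversion, patched?) per banner; None means the
    host hides its patch level and has to be checked another way."""
    return [(parse_identification(b)["softwareversion"],
             patched_since(b, advisory_date)) for b in banners]


if __name__ == "__main__":
    for entry in triage(SAMPLE_BANNERS, EXAMPLE_ADVISORY):
        print(entry)
```

The third banner is the case the overview mentions: a host whose administrator turned the addendum off is not "safe", it simply cannot be triaged from the handshake, which is why `patched_since` returns None rather than a boolean there.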
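The two "modified defaults" items above matter most when a config file is silent: what sshd actually runs with is the file's value where one is given and the FreeBSD default otherwise. The script below is an added example, not code from the FreeBSD guide or from OpenSSH. It parses an sshd_config the way sshd_config(5) describes (one keyword-argument pair per line, `#` lines are comments, keywords case-insensitive, the first value sshd reads for a keyword wins, Match blocks not handled), merges it over the defaults the overview lists, and flags settings that are looser than those defaults. The same parser serves ssh_config for the client-side CheckHostIP default. The sample config and its values are constructed for the example.

```python
"""Added example, not from the FreeBSD guide: compute the effective sshd
settings for a config file against the FreeBSD defaults the overview lists,
and flag anything looser than those defaults.

Parsing follows sshd_config(5): one keyword-argument pair per line, '#' lines
are comments, keywords are case-insensitive, and the first value sshd reads
for a keyword wins. Match blocks are not handled. The sample config is
constructed for this example.
"""
import re

# Defaults as stated in the overview (keywords lower-cased for lookup).
FREEBSD_SSHD_DEFAULTS = {
    "logingracetime": "120",
    "permitrootlogin": "no",
    "x11forwarding": "yes",
    "pamauthenticationviakbdint": "yes",
}
FREEBSD_SSH_CLIENT_DEFAULTS = {"checkhostip": "no"}
UPSTREAM_LOGIN_GRACE_TIME = "600"   # the upstream figure the overview quotes

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for this example
Port 22
PermitRootLogin without-password
LoginGraceTime 2m
X11Forwarding no
PermitRootLogin no
"""

_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)$")
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_config(text):
    """Return {keyword: value} keeping only the first value per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in seen:                      # first occurrence wins
            seen[key] = m.group(2).strip().strip('"')
    return seen


def parse_time(value):
    """Seconds for an sshd_config(5) time value such as 600, 2m or 1h30m;
    None if malformed."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        return None
    return sum(int(n) * _TIME_UNITS[u]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def effective_settings(text, defaults=FREEBSD_SSHD_DEFAULTS):
    """Merge the file over the defaults; each value carries its source."""
    explicit = parse_config(text)
    return {key: ((explicit[key], "config") if key in explicit
                  else (default, "default"))
            for key, default in defaults.items()}


def review(text):
    """Findings for settings looser than the FreeBSD defaults: any root login
    (the overview's default is "no") or a grace period above 120 seconds.
    X11Forwarding is not flagged; disabling it is stricter, not looser."""
    eff = effective_settings(text)
    findings = []
    root = eff["permitrootlogin"][0]
    if root.lower() != "no":
        findings.append("PermitRootLogin is %s (FreeBSD default: no)" % root)
    raw_grace = eff["logingracetime"][0]
    grace = parse_time(raw_grace)
    if grace is None:
        findings.append("LoginGraceTime %r is not a valid time" % raw_grace)
    elif grace > int(FREEBSD_SSHD_DEFAULTS["logingracetime"]):
        findings.append("LoginGraceTime is %ds (FreeBSD default: %ss, upstream: %ss)"
                        % (grace, FREEBSD_SSHD_DEFAULTS["logingracetime"],
                           UPSTREAM_LOGIN_GRACE_TIME))
    return findings


if __name__ == "__main__":
    for key, (value, source) in effective_settings(SAMPLE_SSHD_CONFIG).items():
        print("%-28s %-18s (%s)" % (key, value, source))
    for finding in review(SAMPLE_SSHD_CONFIG):
        print("!", finding)
```

The duplicated `PermitRootLogin` in the sample is deliberate: because sshd keeps the first value it reads, the trailing `PermitRootLogin no` does not tighten anything, and a reviewer reading only the end of the file would be misled.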
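Item 3 above says canonicalizing the host name before connecting removes the usual duplicate known_hosts entries; the duplicates arise because "gate", "gate.example.org" and "GATE.example.org." each get their own line for the same key. The script below is an added example, not code from the FreeBSD guide or from OpenSSH. It finds keys recorded under several spellings of one host and shows how a canonical name collapses them. The guide does not say how ssh.c canonicalizes, so `getaddrinfo` with `AI_CANONNAME` is used here as a stand-in; the resolver is injectable so the example runs offline, and the known_hosts lines, host names, fake DNS table and keys are all constructed (the keys are not real).

```python
"""Added example, not from the FreeBSD guide: find host keys recorded in
known_hosts under several spellings of one host, and show how canonicalizing
the name before the known_hosts lookup collapses them.

The canonicalization here uses getaddrinfo with AI_CANONNAME as a stand-in
for what the overview says ssh.c does (the guide does not say how). The
resolver is injectable so the example runs offline; the known_hosts lines,
host names and keys are constructed and the keys are not real.
"""
import socket
from collections import defaultdict

SAMPLE_KNOWN_HOSTS = """\
# constructed known_hosts; one host, three spellings, one key
gate ssh-dss AAAAB3NzaC1kc3MAAACBAKEYONE
gate.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAKEYONE
GATE.example.org. ssh-dss AAAAB3NzaC1kc3MAAACBAKEYONE
mail.example.org ssh-dss AAAAB3NzaC1kc3MAAACBAKEYTWO
"""

# Constructed stand-in for the site's DNS (name -> canonical name).
FAKE_DNS = {"gate": "gate.example.org.", "gate.example.org": "gate.example.org.",
            "mail": "mail.example.org.", "mail.example.org": "mail.example.org."}


def parse_known_hosts(text):
    """Yield (names, keytype, key) per entry in the plain (unhashed) format:
    comma-separated host patterns, key type, base64 key, optional comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield [n for n in fields[0].split(",") if n], fields[1], fields[2]


def duplicate_keys(text):
    """(keytype, key) -> sorted names, for keys stored on more than one line
    or under more than one name: the duplicates the overview talks about."""
    names_by_key = defaultdict(set)
    lines_by_key = defaultdict(int)
    for names, keytype, key in parse_known_hosts(text):
        names_by_key[(keytype, key)].update(names)
        lines_by_key[(keytype, key)] += 1
    return {k: sorted(v) for k, v in names_by_key.items()
            if lines_by_key[k] > 1 or len(v) > 1}


def getaddrinfo_resolver(host):
    """Canonical name from the system resolver, or None if it cannot say."""
    try:
        info = socket.getaddrinfo(host, None, 0, 0, 0, socket.AI_CANONNAME)
    except socket.gaierror:
        return None
    if not info:
        return None
    return info[0][3] or None


def fake_resolver(host):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(host.lower().rstrip("."))


def canonical_name(host, resolver=getaddrinfo_resolver):
    """Canonicalize a host name before it is used for the known_hosts lookup:
    the resolver's canonical name if it has one, else the name as typed, in
    both cases lower-cased and without a trailing dot."""
    name = resolver(host) or host
    return name.lower().rstrip(".")


def canonical_hosts(text, resolver=getaddrinfo_resolver):
    """For each duplicated key, the canonical names its spellings map to.
    A single name means the duplicates are purely a naming artifact."""
    return {key: sorted({canonical_name(n, resolver) for n in names})
            for key, names in duplicate_keys(text).items()}


if __name__ == "__main__":
    collapsed = canonical_hosts(SAMPLE_KNOWN_HOSTS, fake_resolver)
    for key, names in duplicate_keys(SAMPLE_KNOWN_HOSTS).items():
        print(key[0], key[1][:16] + "...", names, "->", collapsed[key])
```

A key that maps to more than one canonical name after this step is worth a second look: that is no longer the naming artifact the overview describes, but the same host key legitimately or otherwise presented by distinct hosts.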
This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

                                        -- des@FreeBSD.org

$FreeBSD$