Document the upgrade process.
This commit is contained in:
parent
2e3e4630c5
commit
ba11afcc21
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=99045
130
crypto/openssh/FREEBSD-upgrade
Normal file
130
crypto/openssh/FREEBSD-upgrade
Normal file
@ -0,0 +1,130 @@
|
||||
|
||||
|
||||
FreeBSD maintainer's guide to OpenSSH-portable
|
||||
==============================================
|
||||
|
||||
|
||||
0) Make sure your mail spool has plenty of free space. It'll fill up
|
||||
pretty fast once you're done with this checklist.
|
||||
|
||||
1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
|
||||
site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
|
||||
|
||||
2) Unpack the tarball in a suitable directory.
|
||||
|
||||
3) Remove trash:
|
||||
|
||||
$ rm -rf $(cat FREEBSD-Xlist)
|
||||
|
||||
Make sure that took care of everything, and if it didn't, make sure
|
||||
to update FREEBSD-Xlist so you won't miss it the next time.
|
||||
|
||||
4) Import the sources:
|
||||
|
||||
$ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ
|
||||
|
||||
5) Resolve conflicts. Remember to bump the version number and
|
||||
addendum in version.h.
|
||||
|
||||
6) Generate configure and config.h.in:
|
||||
|
||||
$ autoconf
|
||||
$ autoheader
|
||||
|
||||
Note: this requires a recent version of autoconf, not autoconf213.
|
||||
|
||||
7) Run configure with the appropriate arguments:
|
||||
|
||||
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
|
||||
--with-pam --with-opie --with-tcp-wrappers
|
||||
|
||||
Note that we don't want to configure OpenSSH for Kerberos using
|
||||
configure since we have to be able to turn it on or off depending
|
||||
on the value of MAKE_KERBEROS[45]. Our Makefiles take care of
|
||||
this.
|
||||
|
||||
8) Commit the resulting config.h. Make sure you don't accidentally
|
||||
commit any other files created by autoconf, autoheader or
|
||||
configure; they'll just clutter up the repo and cause trouble at
|
||||
the next upgrade.
|
||||
|
||||
9) Build and test.
|
||||
|
||||
A) Re-commit everything on freefall (you *did* use a test repo for
|
||||
this, didn't you?)
|
||||
|
||||
|
||||
|
||||
An overview of FreeBSD changes to OpenSSH-portable
|
||||
==================================================
|
||||
|
||||
0) VersionAddendum
|
||||
|
||||
The SSH protocol allows for a human-readable version string of up
|
||||
to 40 characters to be appended to the protocol version string.
|
||||
FreeBSD takes advantage of this to include a date indicating the
|
||||
"patch level", so people can easily determine whether their system
|
||||
is vulnerable when an OpenSSH advisory goes out. Some people,
|
||||
however, dislike advertising their patch level in the protocol
|
||||
handshake, so we've added a VersionAddendum configuration variable
|
||||
to allow them to change or disable it.
|
||||
|
||||
1) Modified server-side defaults
|
||||
|
||||
We've modified some configuration defaults in sshd:
|
||||
|
||||
- For protocol version 2, we don't load RSA host keys by
|
||||
default. If both RSA and DSA keys are present, we prefer DSA
|
||||
to RSA.
|
||||
|
||||
- LoginGraceTime defaults to 120 seconds instead of 600.
|
||||
|
||||
- PermitRootLogin defaults to "no".
|
||||
|
||||
- X11Forwarding defaults to "yes" (it's a threat to the client,
|
||||
not to the server.)
|
||||
|
||||
- Unless the config file says otherwise, we automatically enable
|
||||
Kerberos support if an appropriate keytab is present.
|
||||
|
||||
- PAMAuthenticationViaKbdInt defaults to "yes".
|
||||
|
||||
2) Modified client-side defaults
|
||||
|
||||
We've modified some configuration defaults in ssh:
|
||||
|
||||
- For protocol version 2, if both RSA and DSA keys are present,
|
||||
we prefer DSA to RSA.
|
||||
|
||||
- CheckHostIP defaults to "no".
|
||||
|
||||
3) Canonic host names
|
||||
|
||||
We've added code to ssh.c to canonicize the target host name after
|
||||
reading options but before trying to connect. This eliminates the
|
||||
usual problem with duplicate known_hosts entries.
|
||||
|
||||
4) OPIE
|
||||
|
||||
We've added support for using OPIE as a drop-in replacement for
|
||||
S/Key.
|
||||
|
||||
5) PAM
|
||||
|
||||
We use our own PAM code, which wraps PAM in a KbdintDevice and
|
||||
works with privsep, instead of OpenSSH's own PAM code.
|
||||
|
||||
6) setusercontext() environment
|
||||
|
||||
Our setusercontext(3) can set environment variables, which we must
|
||||
take care to transfer to the child's environment.
|
||||
|
||||
|
||||
|
||||
This port was brought to you by (in no particular order) DARPA, NAI
|
||||
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
|
||||
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
|
||||
|
||||
-- des@FreeBSD.org
|
||||
|
||||
$FreeBSD$
|
Loading…
Reference in New Issue
Block a user