freebsd-dev/crypto/openssh/FREEBSD-upgrade

	    FreeBSD maintainer's guide to OpenSSH-portable
	    ==============================================


0) Make sure your mail spool has plenty of free space.  It'll fill up
   pretty fast once you're done with this checklist.

1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)

2) Unpack the tarball in a suitable directory.

3) Remove trash:

	$ rm -rf $(cat FREEBSD-Xlist)

   Make sure that took care of everything, and if it didn't, make sure
   to update FREEBSD-Xlist so you won't miss it the next time.

4) Import the sources:

	$ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ

5) Resolve conflicts.  Remember to bump the version number and
   addendum in version.h.

6) Generate configure and config.h.in:

	$ autoconf
	$ autoheader

   Note: this requires a recent version of autoconf, not autoconf213.

7) Run configure with the appropriate arguments:

	$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
		--with-pam --with-opie --with-tcp-wrappers

   Note that we don't want to configure OpenSSH for Kerberos using
   configure since we have to be able to turn it on or off depending
   on the value of MAKE_KERBEROS[45].  Our Makefiles take care of
   this.

8) Commit the resulting config.h.  Make sure you don't accidentally
   commit any other files created by autoconf, autoheader or
   configure; they'll just clutter up the repo and cause trouble at
   the next upgrade.

9) Build and test.

A) Re-commit everything on freefall (you *did* use a test repo for
   this, didn't you?)



	  An overview of FreeBSD changes to OpenSSH-portable
	  ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - For protocol version 2, we don't load RSA host keys by
        default.  If both RSA and DSA keys are present, we prefer DSA
        to RSA.

      - LoginGraceTime defaults to 120 seconds instead of 600.

      - PermitRootLogin defaults to "no".

      - X11Forwarding defaults to "yes" (it's a threat to the client,
        not to the server.)

      - Unless the config file says otherwise, we automatically enable
        Kerberos support if an appropriate keytab is present.

      - PAMAuthenticationViaKbdInt defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - For protocol version 2, if both RSA and DSA keys are present,
        we prefer DSA to RSA.

      - CheckHostIP defaults to "no".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) OPIE

   We've added support for using OPIE as a drop-in replacement for
   S/Key.

5) PAM

   We use our own PAM code, which wraps PAM in a KbdintDevice and
   works with privsep, instead of OpenSSH's own PAM code.

6) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescaf<61>, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$