freebsd-dev/crypto/openssh/FREEBSD-upgrade
Dag-Erling Smørgrav e66498cd40 Update configure options and add some missing steps.
The section about our local changes needs reviewing, and some of those
changes should probably be reconsidered (such as preferring DSA over RSA,
which made sense when RSA was encumbered but probably doesn't any more)
2006-10-02 12:39:28 +00:00

138 lines
4.2 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

FreeBSD maintainer's guide to OpenSSH-portable
==============================================
0) Make sure your mail spool has plenty of free space. It'll fill up
pretty fast once you're done with this checklist.
1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
2) Unpack the tarball in a suitable directory.
3) Remove trash:
$ sh -c 'while read glob ; do rm -rvf $glob ; done' \
</usr/src/crypto/openssh/FREEBSD-Xlist
Make sure that took care of everything, and if it didn't, make sure
to update FREEBSD-Xlist so you won't miss it the next time. A good
way to do this is to run a test import and see if any new files
show up:
$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
4) Import the sources:
$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
5) Resolve conflicts. Remember to bump the version number and
addendum in version.h, and update the default value in
ssh{,d}_config and ssh{,d}_config.5.
6) Generate configure and config.h.in:
$ autoconf
$ autoheader
Note: this requires a recent version of autoconf, not autoconf213.
7) Run configure with the appropriate arguments:
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
--with-pam --with-tcp-wrappers --with-libedit \
--with-ssl-engine
This will regenerate config.h, which must be committed along with
the rest.
Note that we don't want to configure OpenSSH for Kerberos using
configure since we have to be able to turn it on or off depending
on the value of MK_KERBEROS. Our Makefiles take care of this.
8) If source files have been added or removed, update the appropriate
makefiles to reflect changes in the vendor's Makefile.in.
9) Build libssh. Follow the instructions in ssh_namespace.h to get a
list of new symbols. Update ssh_namespace.h, build everything,
install and test.
A) Build and test the pam_ssh PAM module. It gropes around libssh's
internals and will break if something significant changes or if
ssh_namespace.h is out of whack.
B) Re-commit everything on repoman (you *did* use a test repo for
this, didn't you?)
An overview of FreeBSD changes to OpenSSH-portable
==================================================
0) VersionAddendum
The SSH protocol allows for a human-readable version string of up
to 40 characters to be appended to the protocol version string.
FreeBSD takes advantage of this to include a date indicating the
"patch level", so people can easily determine whether their system
is vulnerable when an OpenSSH advisory goes out. Some people,
however, dislike advertising their patch level in the protocol
handshake, so we've added a VersionAddendum configuration variable
to allow them to change or disable it.
1) Modified server-side defaults
We've modified some configuration defaults in sshd:
- Protocol defaults to "2".
- PasswordAuthentication defaults to "no" when PAM is enabled.
- For protocol version 2, we don't load RSA host keys by
default. If both RSA and DSA keys are present, we prefer DSA
to RSA.
- LoginGraceTime defaults to 120 seconds instead of 600.
- PermitRootLogin defaults to "no".
- X11Forwarding defaults to "yes" (it's a threat to the client,
not to the server.)
2) Modified client-side defaults
We've modified some configuration defaults in ssh:
- For protocol version 2, if both RSA and DSA keys are present,
we prefer DSA to RSA.
- CheckHostIP defaults to "no".
3) Canonic host names
We've added code to ssh.c to canonicize the target host name after
reading options but before trying to connect. This eliminates the
usual problem with duplicate known_hosts entries.
4) OPIE
We've added support for using OPIE as a drop-in replacement for
S/Key.
5) setusercontext() environment
Our setusercontext(3) can set environment variables, which we must
take care to transfer to the child's environment.
This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescaf<61>, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
-- des@FreeBSD.org
$FreeBSD$