d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
38a52bd3b5
freebsd-nq/crypto/openssh/FREEBSD-upgrade
Ed Maste fca7ac55f8 ssh: remove pre- and post-merge update steps 
We no longer use the pre- and post-merge scripts to strip/add RCS tags.
The tags have been removed from main, but persist on older branches.

While here renumber the steps in the update documentation using a more
conventional scheme.

Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D36904
2022-10-12 13:54:08 -04:00

179 lines
5.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

FreeBSD maintainer's guide to OpenSSH-portable
==============================================
These instructions assume you have a clone of the FreeBSD git repo
main branch in src/freebsd/main, and will store vendor trees under
src/freebsd/vendor/. In addition, this assumes there is a "freebsd"
origin pointing to git(repo).freebsd.org/src.git.
01) Make sure your mail spool has plenty of free space. It'll fill up
pretty fast once you're done with this checklist.
02) Download the latest OpenSSH-portable tarball and signature from
OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
03) Verify the signature:
$ gpg --verify openssh-X.YpZ.tar.gz.asc
04) Unpack the tarball in a suitable directory:
$ tar xf openssh-X.YpZ.tar.gz
05) Copy to a vendor branch:
$ cd src/freebsd/main
$ git worktree add ../vendor/openssh freebsd/vendor/openssh
$ cd ../vendor/openssh
$ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./
06) Take care of added / deleted files:
$ git add -A
07) Commit:
$ git commit -m "Vendor import of OpenSSH X.YpZ"
08) Tag:
$ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ
At this point the vendor branch can be pushed to the FreeBSD repo via:
$ git push freebsd vendor/openssh
$ git push freebsd vendor/openssh/X.YpZ
Note the second "git push" command is used to push the tag, which is
not pushed by default.
It is also possible to push the branch and tag together, but use
--dry-run first to ensure that no undesired tags will be pushed:
$ git push --dry-run --follow-tags freebsd vendor/openssh
$ git push --follow-tags freebsd vendor/openssh
The update and tag could instead be pushed later, along with the merge
to main, but pushing now allows others to collaborate.
09) Merge from the vendor branch:
$ git subtree merge -P crypto/openssh vendor/openssh
A number of files have been deleted from FreeBSD's copy of ssh,
including rendered man pages (which have a .0 extension). When
git prompts for these deleted files during the merge, choose 'd'
(leaving them deleted).
10) Resolve conflicts. Remember to bump the version addendum in
version.h, and update the default value in ssh{,d}_config and
ssh{,d}_config.5.
11) Diff against the vendor branch:
$ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh
Files that have modifications relative to the vendor code, and
only those files, must have the svn:keywords property set to
FreeBSD=%H and be listed in the 'keywords' file created by the
pre-merge script.
12) Run the configure script:
$ sh freebsd-configure.sh
13) Review changes to config.h very carefully.
Note that libwrap should not be defined in config.h; as of
r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS.
14) If source files have been added or removed, update the appropriate
makefiles to reflect changes in the vendor's Makefile.in.
15) Update ssh_namespace.h:
$ sh freebsd-namespace.sh
16) Build and install world, reboot, test. Pay particular attention
to pam_ssh(8), which gropes inside libssh and will break if
something significant changes or if ssh_namespace.h is out of
whack.
17) Check for references to obsolete configuration options
(e.g., ChallengeResponseAuthentication in sshd_config) which
may exist in release/ scripts.
18) Commit, and hunker down for the inevitable storm of complaints.
An overview of FreeBSD changes to OpenSSH-portable
==================================================
1) Modified server-side defaults
We've modified some configuration defaults in sshd:
- UsePAM defaults to "yes".
- PermitRootLogin defaults to "no".
- X11Forwarding defaults to "yes".
- PasswordAuthentication defaults to "no".
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
- PrivilegeSeparation defaults to "sandbox".
- UseDNS defaults to "yes".
2) Modified client-side defaults
We've modified some configuration defaults in ssh:
- CheckHostIP defaults to "no".
- VerifyHostKeyDNS defaults to "yes" if built with LDNS.
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
3) Canonic host names
We've added code to ssh.c to canonicize the target host name after
reading options but before trying to connect. This eliminates the
usual problem with duplicate known_hosts entries.
4) setusercontext() environment
Our setusercontext(3) can set environment variables, which we must
take care to transfer to the child's environment.
5) TCP wrappers
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
TCP wrappers support in sshd will be disabled in HEAD and will
be removed from FreeBSD in the future.
6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
7) Class-based login restrictions (27ceebbc2402)
We've added code to auth.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities, based on an
upstream submission from
https://github.com/openssh/openssh-portable/pull/262.
8) Retired patches
We no longer have HPN patches (adaptive buffer size for increased
throughput on high-BxD links) or client-side VersionAddendum, but we
recognize and ignore the configuration options to avoid breaking
existing configurations.
This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
-- des@FreeBSD.org
Reference in New Issue View Git Blame Copy Permalink