freebsd-nq/crypto/openssh/FREEBSD-upgrade
Ed Maste 952d18a214 ssh: Remove AES-CBC ciphers from default server and client lists
A base system OpenSSH update in 2016 or so removed a number of ciphers
from the default lists offered by the server/client, due to known
weaknesses.  This caused POLA issues for some users and prompted
PR207679; the ciphers were restored to the default lists in r296634.

When upstream removed these ciphers from the default server list, they
moved them to the client-only default list.  They were subsequently
removed from the client default, in OpenSSH 7.9p1.

The change has persisted long enough.  Remove these extra ciphers from
both the server and client default lists, in advance of FreeBSD 13.

Reviewed by:	markm, rgrimes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25833
2020-07-28 00:24:12 +00:00

180 lines
5.7 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

FreeBSD maintainer's guide to OpenSSH-portable
==============================================
00) Make sure your mail spool has plenty of free space. It'll fill up
pretty fast once you're done with this checklist.
01) Download the latest OpenSSH-portable tarball and signature from
OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
02) Verify the signature:
$ gpg --verify openssh-X.YpZ.tar.gz.asc
03) Unpack the tarball in a suitable directory:
$ tar xf openssh-X.YpZ.tar.gz
04) Copy to the vendor directory:
$ svn co svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist
$ rsync --archive --delete openssh-X.YpZ/ dist/
05) Take care of added / deleted files:
$ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
$ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')
06) Commit:
$ svn commit -m "Vendor import of OpenSSH X.YpZ." dist
07) Tag:
$ svn copy -m "Tag OpenSSH X.YpZ." \
svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist \
svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/X.YpZ
08) Check out head and run the pre-merge script, which strips our RCS
tags from files that have them:
$ svn co svn+ssh://repo.freebsd.org/base/head
$ cd head/crypto/openssh
$ sh freebsd-pre-merge.sh
09) Merge from the vendor branch:
$ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .
A number of files have been deleted from FreeBSD's copy of ssh,
including rendered man pages (which have a .0 extension). When
svn prompts for these deleted files during the merge, choose 'r'
(leaving them deleted).
0A) Resolve conflicts. Remember to bump the version addendum in
version.h, and update the default value in ssh{,d}_config and
ssh{,d}_config.5.
0B) Diff against the vendor branch:
$ svn diff --no-diff-deleted --no-diff-added \
--ignore-properties \^/vendor-crypto/openssh/X.YpZ .
Files that have modifications relative to the vendor code, and
only those files, must have the svn:keywords property set to
FreeBSD=%H and be listed in the 'keywords' file created by the
pre-merge script.
0C) Run the post-merge script, which re-adds RCS tags to files that
need them:
$ sh freebsd-post-merge.sh
0D) Run the configure script:
$ sh freebsd-configure.sh
0E) Review changes to config.h very carefully.
Note that libwrap should not be defined in config.h; as of
r311585 it is conditional on MK_TCP_WRAPPERS.
0F) If source files have been added or removed, update the appropriate
makefiles to reflect changes in the vendor's Makefile.in.
10) Update ssh_namespace.h:
$ sh freebsd-namespace.sh
11) Build and install world, reboot, test. Pay particular attention
to pam_ssh(8), which gropes inside libssh and will break if
something significant changes or if ssh_namespace.h is out of
whack.
12) Commit, and hunker down for the inevitable storm of complaints.
An overview of FreeBSD changes to OpenSSH-portable
==================================================
0) VersionAddendum
The SSH protocol allows for a human-readable version string of up
to 40 characters to be appended to the protocol version string.
FreeBSD takes advantage of this to include a date indicating the
"patch level", so people can easily determine whether their system
is vulnerable when an OpenSSH advisory goes out. Some people,
however, dislike advertising their patch level in the protocol
handshake, so we've added a VersionAddendum configuration variable
to allow them to change or disable it. Upstream added support for
VersionAddendum on the server side, but we also support it on the
client side.
1) Modified server-side defaults
We've modified some configuration defaults in sshd:
- UsePAM defaults to "yes".
- PermitRootLogin defaults to "no".
- X11Forwarding defaults to "yes".
- PasswordAuthentication defaults to "no".
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
- PrivilegeSeparation defaults to "sandbox".
- UseDNS defaults to "yes".
2) Modified client-side defaults
We've modified some configuration defaults in ssh:
- CheckHostIP defaults to "no".
- VerifyHostKeyDNS defaults to "yes" if built with LDNS.
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
3) Canonic host names
We've added code to ssh.c to canonicize the target host name after
reading options but before trying to connect. This eliminates the
usual problem with duplicate known_hosts entries.
4) setusercontext() environment
Our setusercontext(3) can set environment variables, which we must
take care to transfer to the child's environment.
5) TCP wrappers
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
TCP wrappers support in sshd will be disabled in HEAD and will
be removed from FreeBSD in the future.
6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
7) Class-based login restrictions
We've added code to auth2.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities.
8) HPN
We no longer have the HPN patches (adaptive buffer size for
increased throughput on high-BxD links), but we recognize and
ignore HPN-related configuration options to avoid breaking existing
configurations.
This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
-- des@FreeBSD.org
$FreeBSD$