0085282b6a
repeat performance by introducing a script that runs configure with and without Kerberos, diffs the result and generates krb5_config.h, which contains the preprocessor macros that need to be defined in the Kerberos case and undefined otherwise. Approved by: re (marius)
131 lines
4.1 KiB
Plaintext
131 lines
4.1 KiB
Plaintext
|
||
|
||
FreeBSD maintainer's guide to OpenSSH-portable
|
||
==============================================
|
||
|
||
XXX
|
||
XXX this needs a complete rewrite
|
||
XXX svn merge from vendor branch, resolve conflicts manually
|
||
XXX (see FREEBSD-tricks for tips on how to reduce conflicts)
|
||
XXX run freebsd-configure.sh to generate config.h and krb5_config.h
|
||
XXX svn diff Makefile.in to see if the Makefiles need adjusting
|
||
XXX
|
||
|
||
0) Make sure your mail spool has plenty of free space. It'll fill up
|
||
pretty fast once you're done with this checklist.
|
||
|
||
1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
|
||
site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
|
||
|
||
2) Unpack the tarball in a suitable directory.
|
||
|
||
$ tar xf openssh-X.YpZ.tar.gz \
|
||
-X /usr/src/crypto/openssh/FREEBSD-Xlist
|
||
|
||
3) Remove trash:
|
||
|
||
Make sure -X took care of everything, and if it didn't, make sure
|
||
to update FREEBSD-Xlist so you won't miss it the next time. A good
|
||
way to do this is to run a test import and see if any new files
|
||
show up:
|
||
|
||
$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
|
||
|
||
4) Import the sources:
|
||
|
||
$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
|
||
|
||
5) Resolve conflicts. Remember to bump the version number and
|
||
addendum in version.h, and update the default value in
|
||
ssh{,d}_config and ssh{,d}_config.5.
|
||
|
||
6) Generate configure and config.h.in:
|
||
|
||
$ autoconf
|
||
$ autoheader
|
||
|
||
Note: this requires a recent version of autoconf, not autoconf213.
|
||
|
||
7) Run configure with the appropriate arguments:
|
||
|
||
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
|
||
--with-pam --with-tcp-wrappers --with-libedit \
|
||
--with-ssl-engine
|
||
|
||
This will regenerate config.h, which must be committed along with
|
||
the rest.
|
||
|
||
Note that we don't want to configure OpenSSH for Kerberos using
|
||
configure since we have to be able to turn it on or off depending
|
||
on the value of MK_KERBEROS. Our Makefiles take care of this.
|
||
|
||
8) If source files have been added or removed, update the appropriate
|
||
makefiles to reflect changes in the vendor's Makefile.in.
|
||
|
||
9) Build libssh. Follow the instructions in ssh_namespace.h to get a
|
||
list of new symbols. Update ssh_namespace.h, build everything,
|
||
install and test.
|
||
|
||
A) Build and test the pam_ssh PAM module. It gropes around libssh's
|
||
internals and will break if something significant changes or if
|
||
ssh_namespace.h is out of whack.
|
||
|
||
B) Re-commit everything on repoman (you *did* use a test repo for
|
||
this, didn't you?)
|
||
|
||
|
||
|
||
An overview of FreeBSD changes to OpenSSH-portable
|
||
==================================================
|
||
|
||
0) VersionAddendum
|
||
|
||
The SSH protocol allows for a human-readable version string of up
|
||
to 40 characters to be appended to the protocol version string.
|
||
FreeBSD takes advantage of this to include a date indicating the
|
||
"patch level", so people can easily determine whether their system
|
||
is vulnerable when an OpenSSH advisory goes out. Some people,
|
||
however, dislike advertising their patch level in the protocol
|
||
handshake, so we've added a VersionAddendum configuration variable
|
||
to allow them to change or disable it.
|
||
|
||
1) Modified server-side defaults
|
||
|
||
We've modified some configuration defaults in sshd:
|
||
|
||
- PasswordAuthentication defaults to "no".
|
||
|
||
- LoginGraceTime defaults to 120 seconds instead of 600.
|
||
|
||
- PermitRootLogin defaults to "no".
|
||
|
||
- X11Forwarding defaults to "yes" (it's a threat to the client,
|
||
not to the server.)
|
||
|
||
2) Modified client-side defaults
|
||
|
||
We've modified some configuration defaults in ssh:
|
||
|
||
- CheckHostIP defaults to "no".
|
||
|
||
3) Canonic host names
|
||
|
||
We've added code to ssh.c to canonicize the target host name after
|
||
reading options but before trying to connect. This eliminates the
|
||
usual problem with duplicate known_hosts entries.
|
||
|
||
4) setusercontext() environment
|
||
|
||
Our setusercontext(3) can set environment variables, which we must
|
||
take care to transfer to the child's environment.
|
||
|
||
|
||
|
||
This port was brought to you by (in no particular order) DARPA, NAI
|
||
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
|
||
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
|
||
|
||
-- des@FreeBSD.org
|
||
|
||
$FreeBSD$
|