2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
FreeBSD maintainer's guide to OpenSSH-portable
|
|
|
|
|
==============================================
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0) Make sure your mail spool has plenty of free space. It'll fill up
|
|
|
|
|
pretty fast once you're done with this checklist.
|
|
|
|
|
|
|
|
|
|
1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
|
|
|
|
|
site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
|
|
|
|
|
|
|
|
|
|
2) Unpack the tarball in a suitable directory.
|
|
|
|
|
|
2008-02-06 23:14:24 +00:00
|
|
|
|
$ tar xf openssh-X.YpZ.tar.gz \
|
|
|
|
|
-X /usr/src/crypto/openssh/FREEBSD-Xlist
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
2008-02-06 23:14:24 +00:00
|
|
|
|
3) Remove trash:
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
2008-02-06 23:14:24 +00:00
|
|
|
|
Make sure -X took care of everything, and if it didn't, make sure
|
2004-01-07 11:51:18 +00:00
|
|
|
|
to update FREEBSD-Xlist so you won't miss it the next time. A good
|
|
|
|
|
way to do this is to run a test import and see if any new files
|
|
|
|
|
show up:
|
|
|
|
|
|
|
|
|
|
$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
4) Import the sources:
|
|
|
|
|
|
2002-09-09 02:00:28 +00:00
|
|
|
|
$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
5) Resolve conflicts. Remember to bump the version number and
|
2004-01-07 11:51:18 +00:00
|
|
|
|
addendum in version.h, and update the default value in
|
|
|
|
|
ssh{,d}_config and ssh{,d}_config.5.
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
6) Generate configure and config.h.in:
|
|
|
|
|
|
|
|
|
|
$ autoconf
|
|
|
|
|
$ autoheader
|
|
|
|
|
|
|
|
|
|
Note: this requires a recent version of autoconf, not autoconf213.
|
|
|
|
|
|
|
|
|
|
7) Run configure with the appropriate arguments:
|
|
|
|
|
|
|
|
|
|
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
|
2006-10-02 12:39:28 +00:00
|
|
|
|
--with-pam --with-tcp-wrappers --with-libedit \
|
|
|
|
|
--with-ssl-engine
|
|
|
|
|
|
|
|
|
|
This will regenerate config.h, which must be committed along with
|
|
|
|
|
the rest.
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
Note that we don't want to configure OpenSSH for Kerberos using
|
|
|
|
|
configure since we have to be able to turn it on or off depending
|
2006-03-17 18:54:44 +00:00
|
|
|
|
on the value of MK_KERBEROS. Our Makefiles take care of this.
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
2006-10-02 12:39:28 +00:00
|
|
|
|
8) If source files have been added or removed, update the appropriate
|
|
|
|
|
makefiles to reflect changes in the vendor's Makefile.in.
|
|
|
|
|
|
|
|
|
|
9) Build libssh. Follow the instructions in ssh_namespace.h to get a
|
|
|
|
|
list of new symbols. Update ssh_namespace.h, build everything,
|
|
|
|
|
install and test.
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
2006-10-02 12:39:28 +00:00
|
|
|
|
A) Build and test the pam_ssh PAM module. It gropes around libssh's
|
|
|
|
|
internals and will break if something significant changes or if
|
|
|
|
|
ssh_namespace.h is out of whack.
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
2006-10-02 12:39:28 +00:00
|
|
|
|
B) Re-commit everything on repoman (you *did* use a test repo for
|
2002-06-29 10:39:14 +00:00
|
|
|
|
this, didn't you?)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
An overview of FreeBSD changes to OpenSSH-portable
|
|
|
|
|
==================================================
|
|
|
|
|
|
|
|
|
|
0) VersionAddendum
|
|
|
|
|
|
|
|
|
|
The SSH protocol allows for a human-readable version string of up
|
|
|
|
|
to 40 characters to be appended to the protocol version string.
|
|
|
|
|
FreeBSD takes advantage of this to include a date indicating the
|
|
|
|
|
"patch level", so people can easily determine whether their system
|
|
|
|
|
is vulnerable when an OpenSSH advisory goes out. Some people,
|
|
|
|
|
however, dislike advertising their patch level in the protocol
|
|
|
|
|
handshake, so we've added a VersionAddendum configuration variable
|
|
|
|
|
to allow them to change or disable it.
|
|
|
|
|
|
|
|
|
|
1) Modified server-side defaults
|
|
|
|
|
|
|
|
|
|
We've modified some configuration defaults in sshd:
|
|
|
|
|
|
2004-02-26 10:57:28 +00:00
|
|
|
|
- PasswordAuthentication defaults to "no" when PAM is enabled.
|
|
|
|
|
|
2002-06-29 10:39:14 +00:00
|
|
|
|
- For protocol version 2, we don't load RSA host keys by
|
|
|
|
|
default. If both RSA and DSA keys are present, we prefer DSA
|
|
|
|
|
to RSA.
|
|
|
|
|
|
|
|
|
|
- LoginGraceTime defaults to 120 seconds instead of 600.
|
|
|
|
|
|
|
|
|
|
- PermitRootLogin defaults to "no".
|
|
|
|
|
|
|
|
|
|
- X11Forwarding defaults to "yes" (it's a threat to the client,
|
|
|
|
|
not to the server.)
|
|
|
|
|
|
|
|
|
|
2) Modified client-side defaults
|
|
|
|
|
|
|
|
|
|
We've modified some configuration defaults in ssh:
|
|
|
|
|
|
|
|
|
|
- For protocol version 2, if both RSA and DSA keys are present,
|
|
|
|
|
we prefer DSA to RSA.
|
|
|
|
|
|
|
|
|
|
- CheckHostIP defaults to "no".
|
|
|
|
|
|
|
|
|
|
3) Canonic host names
|
|
|
|
|
|
|
|
|
|
We've added code to ssh.c to canonicize the target host name after
|
|
|
|
|
reading options but before trying to connect. This eliminates the
|
|
|
|
|
usual problem with duplicate known_hosts entries.
|
|
|
|
|
|
2008-08-01 00:28:50 +00:00
|
|
|
|
4) setusercontext() environment
|
2002-06-29 10:39:14 +00:00
|
|
|
|
|
|
|
|
|
Our setusercontext(3) can set environment variables, which we must
|
|
|
|
|
take care to transfer to the child's environment.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This port was brought to you by (in no particular order) DARPA, NAI
|
|
|
|
|
Labs, ThinkSec, Nescaf<61>, the Aberlour Glenlivet Distillery Co.,
|
|
|
|
|
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
|
|
|
|
|
|
|
|
|
|
-- des@FreeBSD.org
|
|
|
|
|
|
|
|
|
|
$FreeBSD$
|