d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update the instructions and the list of major local modifications.

Browse Source
This commit is contained in:
des 2016-01-21 12:42:31 +00:00
parent e5b44dd19f
commit 316c45f5be
1 changed files with 47 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
crypto/openssh/FREEBSD-upgrade
View File

@ -1,5 +1,4 @@
FreeBSD maintainer's guide to OpenSSH-portable FreeBSD maintainer's guide to OpenSSH-portable
============================================== ==============================================
@ -34,10 +33,11 @@
07) Tag: 07) Tag:
$ svn copy -m "Tag OpenSSH X.YpZ." \ $ svn copy -m "Tag OpenSSH X.YpZ." \
svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \ svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \
svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ
08) Check out head and run the pre-merge script: 08) Check out head and run the pre-merge script, which strips our RCS
tags from files that have them:
$ svn co svn+ssh://svn.freebsd.org/base/head $ svn co svn+ssh://svn.freebsd.org/base/head
$ cd head/crypto/openssh $ cd head/crypto/openssh
@ -53,14 +53,16 @@
0B) Diff against the vendor branch: 0B) Diff against the vendor branch:
$ svn diff \^/vendor-crypto/openssh/dist . $ svn diff --no-diff-deleted --no-diff-added \
--ignore-properties \^/vendor-crypto/openssh/X.YpZ .
Files that have modifications relative to the vendor code, and Files that have modifications relative to the vendor code, and
only those files, must have the svn:keywords property set to only those files, must have the svn:keywords property set to
FreeBSD=%H and be listed in the 'keywords' file created by the FreeBSD=%H and be listed in the 'keywords' file created by the
pre-merge script. pre-merge script.
0C) Run the post-merge script: 0C) Run the post-merge script, which re-adds RCS tags to files that
need them:
$ sh freebsd-post-merge.sh $ sh freebsd-post-merge.sh
@ -68,7 +70,7 @@
$ sh freebsd-configure.sh $ sh freebsd-configure.sh
0E) Check config.h very carefully. 0E) Review changes to config.h very carefully.
0F) If source files have been added or removed, update the appropriate 0F) If source files have been added or removed, update the appropriate
makefiles to reflect changes in the vendor's Makefile.in. makefiles to reflect changes in the vendor's Makefile.in.
@ -92,8 +94,6 @@
An overview of FreeBSD changes to OpenSSH-portable An overview of FreeBSD changes to OpenSSH-portable
================================================== ==================================================
XXX This section is out of date
0) VersionAddendum 0) VersionAddendum
The SSH protocol allows for a human-readable version string of up The SSH protocol allows for a human-readable version string of up
@ -103,26 +103,28 @@ XXX This section is out of date
is vulnerable when an OpenSSH advisory goes out. Some people, is vulnerable when an OpenSSH advisory goes out. Some people,
however, dislike advertising their patch level in the protocol however, dislike advertising their patch level in the protocol
handshake, so we've added a VersionAddendum configuration variable handshake, so we've added a VersionAddendum configuration variable
to allow them to change or disable it. to allow them to change or disable it. Upstream added support for
VersionAddendum on the server side, but we also support it on the
client side.
1) Modified server-side defaults 1) Modified server-side defaults
We've modified some configuration defaults in sshd: We've modified some configuration defaults in sshd:
- PasswordAuthentication defaults to "no". - UsePAM defaults to "yes".
- LoginGraceTime defaults to 120 seconds instead of 600.
- PermitRootLogin defaults to "no". - PermitRootLogin defaults to "no".
- X11Forwarding defaults to "yes".
- X11Forwarding defaults to "yes" (it's a threat to the client, - PasswordAuthentication defaults to "no".
not to the server.) - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
- PrivilegeSeparation defaults to "sandbox".
2) Modified client-side defaults 2) Modified client-side defaults
We've modified some configuration defaults in ssh: We've modified some configuration defaults in ssh:
- CheckHostIP defaults to "no". - CheckHostIP defaults to "no".
- VerifyHostKeyDNS defaults to "yes" if built with LDNS.
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
3) Canonic host names 3) Canonic host names
@ -135,6 +137,34 @@ XXX This section is out of date
Our setusercontext(3) can set environment variables, which we must Our setusercontext(3) can set environment variables, which we must
take care to transfer to the child's environment. take care to transfer to the child's environment.
5) TCP wrappers
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
6) DSA keys
DSA keys were disabled by default in upstream 6.9p1. We've added
them back.
7) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
8) Class-based login restrictions
We've added code to auth2.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities.
9) HPN
We no longer have the HPN patches (adaptive buffer size for
increased throughput on high-BxD links), but we recognize and
ignore HPN-related configuration options to avoid breaking existing
configurations.
This port was brought to you by (in no particular order) DARPA, NAI This port was brought to you by (in no particular order) DARPA, NAI