Document the upgrade process.

1 files changed, 130 insertions, 0 deletions

diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
new file mode 100644
index 0000000..e2095e2
--- /dev/null
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -0,0 +1,130 @@
+
+
+	    FreeBSD maintainer's guide to OpenSSH-portable
+	    ==============================================
+
+
+0) Make sure your mail spool has plenty of free space.  It'll fill up
+   pretty fast once you're done with this checklist.
+
+1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
+   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
+
+2) Unpack the tarball in a suitable directory.
+
+3) Remove trash:
+
+	$ rm -rf $(cat FREEBSD-Xlist)
+
+   Make sure that took care of everything, and if it didn't, make sure
+   to update FREEBSD-Xlist so you won't miss it the next time.
+
+4) Import the sources:
+
+	$ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ
+
+5) Resolve conflicts.  Remember to bump the version number and
+   addendum in version.h.
+
+6) Generate configure and config.h.in:
+
+	$ autoconf
+	$ autoheader
+
+   Note: this requires a recent version of autoconf, not autoconf213.
+
+7) Run configure with the appropriate arguments:
+
+	$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
+		--with-pam --with-opie --with-tcp-wrappers
+
+   Note that we don't want to configure OpenSSH for Kerberos using
+   configure since we have to be able to turn it on or off depending
+   on the value of MAKE_KERBEROS[45].  Our Makefiles take care of
+   this.
+
+8) Commit the resulting config.h.  Make sure you don't accidentally
+   commit any other files created by autoconf, autoheader or
+   configure; they'll just clutter up the repo and cause trouble at
+   the next upgrade.
+
+9) Build and test.
+
+A) Re-commit everything on freefall (you *did* use a test repo for
+   this, didn't you?)
+
+
+
+	  An overview of FreeBSD changes to OpenSSH-portable
+	  ==================================================
+
+0) VersionAddendum
+
+   The SSH protocol allows for a human-readable version string of up
+   to 40 characters to be appended to the protocol version string.
+   FreeBSD takes advantage of this to include a date indicating the
+   "patch level", so people can easily determine whether their system
+   is vulnerable when an OpenSSH advisory goes out.  Some people,
+   however, dislike advertising their patch level in the protocol
+   handshake, so we've added a VersionAddendum configuration variable
+   to allow them to change or disable it.
+
+1) Modified server-side defaults
+
+   We've modified some configuration defaults in sshd:
+
+      - For protocol version 2, we don't load RSA host keys by
+        default.  If both RSA and DSA keys are present, we prefer DSA
+        to RSA.
+
+      - LoginGraceTime defaults to 120 seconds instead of 600.
+
+      - PermitRootLogin defaults to "no".
+
+      - X11Forwarding defaults to "yes" (it's a threat to the client,
+        not to the server.)
+
+      - Unless the config file says otherwise, we automatically enable
+        Kerberos support if an appropriate keytab is present.
+
+      - PAMAuthenticationViaKbdInt defaults to "yes".
+
+2) Modified client-side defaults
+
+   We've modified some configuration defaults in ssh:
+
+      - For protocol version 2, if both RSA and DSA keys are present,
+        we prefer DSA to RSA.
+
+      - CheckHostIP defaults to "no".
+
+3) Canonic host names
+
+   We've added code to ssh.c to canonicize the target host name after
+   reading options but before trying to connect.  This eliminates the
+   usual problem with duplicate known_hosts entries.
+
+4) OPIE
+
+   We've added support for using OPIE as a drop-in replacement for
+   S/Key.
+
+5) PAM
+
+   We use our own PAM code, which wraps PAM in a KbdintDevice and
+   works with privsep, instead of OpenSSH's own PAM code.
+
+6) setusercontext() environment
+
+   Our setusercontext(3) can set environment variables, which we must
+   take care to transfer to the child's environment.
+
+
+
+This port was brought to you by (in no particular order) DARPA, NAI
+Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
+Suzanne Vega, and a Sanford's #69 Deluxe Marker.
+
+					-- des@FreeBSD.org
+
+$FreeBSD$