From 3aa72d2c55b928a8d2b106c4f67e6b2d4117a6bb Mon Sep 17 00:00:00 2001 From: des Date: Sat, 29 Jun 2002 10:39:14 +0000 Subject: Document the upgrade process. --- crypto/openssh/FREEBSD-upgrade | 130 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 crypto/openssh/FREEBSD-upgrade (limited to 'crypto') diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade new file mode 100644 index 0000000..e2095e2 --- /dev/null +++ b/crypto/openssh/FREEBSD-upgrade @@ -0,0 +1,130 @@ + + + FreeBSD maintainer's guide to OpenSSH-portable + ============================================== + + +0) Make sure your mail spool has plenty of free space. It'll fill up + pretty fast once you're done with this checklist. + +1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP + site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/) + +2) Unpack the tarball in a suitable directory. + +3) Remove trash: + + $ rm -rf $(cat FREEBSD-Xlist) + + Make sure that took care of everything, and if it didn't, make sure + to update FREEBSD-Xlist so you won't miss it the next time. + +4) Import the sources: + + $ cvs import src/crypto/openssh-portable OPENSSH OpenSSH_X_YpZ + +5) Resolve conflicts. Remember to bump the version number and + addendum in version.h. + +6) Generate configure and config.h.in: + + $ autoconf + $ autoheader + + Note: this requires a recent version of autoconf, not autoconf213. + +7) Run configure with the appropriate arguments: + + $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \ + --with-pam --with-opie --with-tcp-wrappers + + Note that we don't want to configure OpenSSH for Kerberos using + configure since we have to be able to turn it on or off depending + on the value of MAKE_KERBEROS[45]. Our Makefiles take care of + this. + +8) Commit the resulting config.h. Make sure you don't accidentally + commit any other files created by autoconf, autoheader or + configure; they'll just clutter up the repo and cause trouble at + the next upgrade. + +9) Build and test. + +A) Re-commit everything on freefall (you *did* use a test repo for + this, didn't you?) + + + + An overview of FreeBSD changes to OpenSSH-portable + ================================================== + +0) VersionAddendum + + The SSH protocol allows for a human-readable version string of up + to 40 characters to be appended to the protocol version string. + FreeBSD takes advantage of this to include a date indicating the + "patch level", so people can easily determine whether their system + is vulnerable when an OpenSSH advisory goes out. Some people, + however, dislike advertising their patch level in the protocol + handshake, so we've added a VersionAddendum configuration variable + to allow them to change or disable it. + +1) Modified server-side defaults + + We've modified some configuration defaults in sshd: + + - For protocol version 2, we don't load RSA host keys by + default. If both RSA and DSA keys are present, we prefer DSA + to RSA. + + - LoginGraceTime defaults to 120 seconds instead of 600. + + - PermitRootLogin defaults to "no". + + - X11Forwarding defaults to "yes" (it's a threat to the client, + not to the server.) + + - Unless the config file says otherwise, we automatically enable + Kerberos support if an appropriate keytab is present. + + - PAMAuthenticationViaKbdInt defaults to "yes". + +2) Modified client-side defaults + + We've modified some configuration defaults in ssh: + + - For protocol version 2, if both RSA and DSA keys are present, + we prefer DSA to RSA. + + - CheckHostIP defaults to "no". + +3) Canonic host names + + We've added code to ssh.c to canonicize the target host name after + reading options but before trying to connect. This eliminates the + usual problem with duplicate known_hosts entries. + +4) OPIE + + We've added support for using OPIE as a drop-in replacement for + S/Key. + +5) PAM + + We use our own PAM code, which wraps PAM in a KbdintDevice and + works with privsep, instead of OpenSSH's own PAM code. + +6) setusercontext() environment + + Our setusercontext(3) can set environment variables, which we must + take care to transfer to the child's environment. + + + +This port was brought to you by (in no particular order) DARPA, NAI +Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., +Suzanne Vega, and a Sanford's #69 Deluxe Marker. + + -- des@FreeBSD.org + +$FreeBSD$ -- cgit v1.1