summaryrefslogtreecommitdiffstats
path: root/crypto/openssh/FREEBSD-upgrade
blob: 4b31eb3532d6aeb1a35e7b432c3c958e875f4a63 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
	    FreeBSD maintainer's guide to OpenSSH-portable
	    ==============================================

00) Make sure your mail spool has plenty of free space.  It'll fill up
    pretty fast once you're done with this checklist.

01) Download the latest OpenSSH-portable tarball and signature from
    OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).

02) Verify the signature:

    $ gpg --verify openssh-X.YpZ.tar.gz.asc

03) Unpack the tarball in a suitable directory:

    $ tar xf openssh-X.YpZ.tar.gz

04) Copy to the vendor directory:

    $ svn co svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist
    $ rsync --archive --delete openssh-X.YpZ/ dist/

05) Take care of added / deleted files:

    $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
    $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')

06) Commit:

    $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist

07) Tag:

    $ svn copy -m "Tag OpenSSH X.YpZ." \
	svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/dist \
	svn+ssh://svn.freebsd.org/base/vendor-crypto/openssh/X.YpZ

08) Check out head and run the pre-merge script, which strips our RCS
    tags from files that have them:

    $ svn co svn+ssh://svn.freebsd.org/base/head
    $ cd head/crypto/openssh
    $ sh freebsd-pre-merge.sh

09) Merge from the vendor branch:

    $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .

0A) Resolve conflicts.  Remember to bump the version addendum in
    version.h, and update the default value in ssh{,d}_config and
    ssh{,d}_config.5.

0B) Diff against the vendor branch:

    $ svn diff --no-diff-deleted --no-diff-added \
	--ignore-properties \^/vendor-crypto/openssh/X.YpZ .

    Files that have modifications relative to the vendor code, and
    only those files, must have the svn:keywords property set to
    FreeBSD=%H and be listed in the 'keywords' file created by the
    pre-merge script.

0C) Run the post-merge script, which re-adds RCS tags to files that
    need them:

    $ sh freebsd-post-merge.sh

0D) Run the configure script:

    $ sh freebsd-configure.sh

0E) Review changes to config.h very carefully.

0F) If source files have been added or removed, update the appropriate
    makefiles to reflect changes in the vendor's Makefile.in.

10) Build libssh:

    $ cd ../../secure/lib/libssh && make obj && make depend && make

11) Follow the instructions in ssh_namespace.h to get a list of new
    symbols, and them to ssh_namespace.h.  Keep it sorted!

12) Build and install world, reboot, test.  Pay particular attention
    to pam_ssh(8), which gropes inside libssh and will break if
    something significant changes or if ssh_namespace.h is out of
    whack.

13) Commit, and hunker down for the inevitable storm of complaints.



	  An overview of FreeBSD changes to OpenSSH-portable
	  ==================================================

0) VersionAddendum

   The SSH protocol allows for a human-readable version string of up
   to 40 characters to be appended to the protocol version string.
   FreeBSD takes advantage of this to include a date indicating the
   "patch level", so people can easily determine whether their system
   is vulnerable when an OpenSSH advisory goes out.  Some people,
   however, dislike advertising their patch level in the protocol
   handshake, so we've added a VersionAddendum configuration variable
   to allow them to change or disable it.  Upstream added support for
   VersionAddendum on the server side, but we also support it on the
   client side.

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

      - UsePAM defaults to "yes".
      - PermitRootLogin defaults to "no".
      - X11Forwarding defaults to "yes".
      - PasswordAuthentication defaults to "no".
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
      - PrivilegeSeparation defaults to "sandbox".
      - UseDNS defaults to "yes".

2) Modified client-side defaults

   We've modified some configuration defaults in ssh:

      - CheckHostIP defaults to "no".
      - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
      - VersionAddendum defaults to "FreeBSD-YYYYMMDD".

3) Canonic host names

   We've added code to ssh.c to canonicize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.

5) TCP wrappers

   Support for TCP wrappers was removed in upstream 6.7p1.  We've
   added it back by porting the 6.6p1 code forward.

6) Agent client reference counting

   We've added code to ssh-agent.c to implement client reference
   counting; the agent will automatically exit when the last client
   disconnects.

7) Class-based login restrictions

   We've added code to auth2.c to enforce the host.allow, host.deny,
   times.allow and times.deny login class capabilities.

8) HPN

   We no longer have the HPN patches (adaptive buffer size for
   increased throughput on high-BxD links), but we recognize and
   ignore HPN-related configuration options to avoid breaking existing
   configurations.

9) AES-CBC

   The AES-CBC ciphers were removed from the server-side proposal list
   in 6.7p1 due to theoretical weaknesses and the availability of
   superior ciphers (including AES-CTR and AES-GCM).  We have re-added
   them for compatibility with third-party clients.



This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

					-- des@FreeBSD.org

$FreeBSD$
OpenPOWER on IntegriCloud