1 FreeBSD maintainer's guide to OpenSSH-portable
2 ==============================================
4 00) Make sure your mail spool has plenty of free space. It'll fill up
5 pretty fast once you're done with this checklist.
7 01) Download the latest OpenSSH-portable tarball and signature from
8 OpenBSD (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
10 02) Verify the signature:
12 $ gpg --verify openssh-X.YpZ.tar.gz.asc
14 03) Unpack the tarball in a suitable directory:
16 $ tar xf openssh-X.YpZ.tar.gz
18 04) Copy to the vendor directory:
20 $ svn co svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist
21 $ rsync --archive --delete openssh-X.YpZ/ dist/
23 05) Take care of added / deleted files:
25 $ svn rm $(svn stat dist | awk '$1 == "!" { print $2 }')
26 $ svn add --no-auto-props $(svn stat dist | awk '$1 == "?" { print $2 }')
30 $ svn commit -m "Vendor import of OpenSSH X.YpZ." dist
34 $ svn copy -m "Tag OpenSSH X.YpZ." \
35 svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/dist \
36 svn+ssh://repo.freebsd.org/base/vendor-crypto/openssh/X.YpZ
38 08) Check out head and run the pre-merge script, which strips our RCS
39 tags from files that have them:
41 $ svn co svn+ssh://repo.freebsd.org/base/head
42 $ cd head/crypto/openssh
43 $ sh freebsd-pre-merge.sh
45 09) Merge from the vendor branch:
47 $ svn merge -cNNNNNN \^/vendor-crypto/openssh/dist .
49 0A) Resolve conflicts. Remember to bump the version addendum in
50 version.h, and update the default value in ssh{,d}_config and
53 0B) Diff against the vendor branch:
55 $ svn diff --no-diff-deleted --no-diff-added \
56 --ignore-properties \^/vendor-crypto/openssh/X.YpZ .
58 Files that have modifications relative to the vendor code, and
59 only those files, must have the svn:keywords property set to
60 FreeBSD=%H and be listed in the 'keywords' file created by the
63 0C) Run the post-merge script, which re-adds RCS tags to files that
66 $ sh freebsd-post-merge.sh
68 0D) Run the configure script:
70 $ sh freebsd-configure.sh
72 0E) Review changes to config.h very carefully.
74 0F) If source files have been added or removed, update the appropriate
75 makefiles to reflect changes in the vendor's Makefile.in.
77 10) Update ssh_namespace.h:
79 $ sh freebsd-namespace.sh
81 11) Build and install world, reboot, test. Pay particular attention
82 to pam_ssh(8), which gropes inside libssh and will break if
83 something significant changes or if ssh_namespace.h is out of
86 12) Commit, and hunker down for the inevitable storm of complaints.
90 An overview of FreeBSD changes to OpenSSH-portable
91 ==================================================
95 The SSH protocol allows for a human-readable version string of up
96 to 40 characters to be appended to the protocol version string.
97 FreeBSD takes advantage of this to include a date indicating the
98 "patch level", so people can easily determine whether their system
99 is vulnerable when an OpenSSH advisory goes out. Some people,
100 however, dislike advertising their patch level in the protocol
101 handshake, so we've added a VersionAddendum configuration variable
102 to allow them to change or disable it. Upstream added support for
103 VersionAddendum on the server side, but we also support it on the
106 1) Modified server-side defaults
108 We've modified some configuration defaults in sshd:
110 - UsePAM defaults to "yes".
111 - PermitRootLogin defaults to "no".
112 - X11Forwarding defaults to "yes".
113 - PasswordAuthentication defaults to "no".
114 - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
115 - PrivilegeSeparation defaults to "sandbox".
116 - UseDNS defaults to "yes".
118 2) Modified client-side defaults
120 We've modified some configuration defaults in ssh:
122 - CheckHostIP defaults to "no".
123 - VerifyHostKeyDNS defaults to "yes" if built with LDNS.
124 - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
126 3) Canonic host names
128 We've added code to ssh.c to canonicize the target host name after
129 reading options but before trying to connect. This eliminates the
130 usual problem with duplicate known_hosts entries.
132 4) setusercontext() environment
134 Our setusercontext(3) can set environment variables, which we must
135 take care to transfer to the child's environment.
139 Support for TCP wrappers was removed in upstream 6.7p1. We've
140 added it back by porting the 6.6p1 code forward.
142 6) Agent client reference counting
144 We've added code to ssh-agent.c to implement client reference
145 counting; the agent will automatically exit when the last client
148 7) Class-based login restrictions
150 We've added code to auth2.c to enforce the host.allow, host.deny,
151 times.allow and times.deny login class capabilities.
155 We no longer have the HPN patches (adaptive buffer size for
156 increased throughput on high-BxD links), but we recognize and
157 ignore HPN-related configuration options to avoid breaking existing
162 The AES-CBC ciphers were removed from the server-side proposal list
163 in 6.7p1 due to theoretical weaknesses and the availability of
164 superior ciphers (including AES-CTR and AES-GCM). We have re-added
165 them for compatibility with third-party clients.
169 This port was brought to you by (in no particular order) DARPA, NAI
170 Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
171 Suzanne Vega, and a Sanford's #69 Deluxe Marker.