3 FreeBSD maintainer's guide to OpenSSH-portable
4 ==============================================
7 0) Make sure your mail spool has plenty of free space. It'll fill up
8 pretty fast once you're done with this checklist.
10 1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
11 site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
13 2) Unpack the tarball in a suitable directory.
17 $ sh -c 'while read glob ; do rm -rvf $glob ; done' \
18 </usr/src/crypto/openssh/FREEBSD-Xlist
20 Make sure that took care of everything, and if it didn't, make sure
21 to update FREEBSD-Xlist so you won't miss it the next time. A good
22 way to do this is to run a test import and see if any new files
25 $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
27 4) Import the sources:
29 $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
31 5) Resolve conflicts. Remember to bump the version number and
32 addendum in version.h, and update the default value in
33 ssh{,d}_config and ssh{,d}_config.5.
35 6) Generate configure and config.h.in:
40 Note: this requires a recent version of autoconf, not autoconf213.
42 7) Run configure with the appropriate arguments:
44 $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
45 --with-pam --with-tcp-wrappers
47 Note that we don't want to configure OpenSSH for Kerberos using
48 configure since we have to be able to turn it on or off depending
49 on the value of NO_KERBEROS. Our Makefiles take care of this.
51 8) Commit the resulting config.h. Make sure you don't accidentally
52 commit any other files created by autoconf, autoheader or
53 configure; they'll just clutter up the repo and cause trouble at
58 A) Re-commit everything on freefall (you *did* use a test repo for
63 An overview of FreeBSD changes to OpenSSH-portable
64 ==================================================
68 The SSH protocol allows for a human-readable version string of up
69 to 40 characters to be appended to the protocol version string.
70 FreeBSD takes advantage of this to include a date indicating the
71 "patch level", so people can easily determine whether their system
72 is vulnerable when an OpenSSH advisory goes out. Some people,
73 however, dislike advertising their patch level in the protocol
74 handshake, so we've added a VersionAddendum configuration variable
75 to allow them to change or disable it.
77 1) Modified server-side defaults
79 We've modified some configuration defaults in sshd:
81 - Protocol defaults to "2".
83 - PasswordAuthentication defaults to "no" when PAM is enabled.
85 - For protocol version 2, we don't load RSA host keys by
86 default. If both RSA and DSA keys are present, we prefer DSA
89 - LoginGraceTime defaults to 120 seconds instead of 600.
91 - PermitRootLogin defaults to "no".
93 - X11Forwarding defaults to "yes" (it's a threat to the client,
96 2) Modified client-side defaults
98 We've modified some configuration defaults in ssh:
100 - For protocol version 2, if both RSA and DSA keys are present,
101 we prefer DSA to RSA.
103 - CheckHostIP defaults to "no".
105 3) Canonic host names
107 We've added code to ssh.c to canonicize the target host name after
108 reading options but before trying to connect. This eliminates the
109 usual problem with duplicate known_hosts entries.
113 We've added support for using OPIE as a drop-in replacement for
116 5) setusercontext() environment
118 Our setusercontext(3) can set environment variables, which we must
119 take care to transfer to the child's environment.
123 This port was brought to you by (in no particular order) DARPA, NAI
124 Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
125 Suzanne Vega, and a Sanford's #69 Deluxe Marker.