3 FreeBSD maintainer's guide to OpenSSH-portable
4 ==============================================
7 XXX this needs a complete rewrite
8 XXX svn merge from vendor branch, resolve conflicts manually
9 XXX (see FREEBSD-tricks for tips on how to reduce conflicts)
10 XXX run freebsd-configure.sh to generate config.h and krb5_config.h
11 XXX svn diff Makefile.in to see if the Makefiles need adjusting
14 0) Make sure your mail spool has plenty of free space. It'll fill up
15 pretty fast once you're done with this checklist.
17 1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
18 site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
20 2) Unpack the tarball in a suitable directory.
22 $ tar xf openssh-X.YpZ.tar.gz \
23 -X /usr/src/crypto/openssh/FREEBSD-Xlist
27 Make sure -X took care of everything, and if it didn't, make sure
28 to update FREEBSD-Xlist so you won't miss it the next time. A good
29 way to do this is to run a test import and see if any new files
32 $ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
34 4) Import the sources:
36 $ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
38 5) Resolve conflicts. Remember to bump the version number and
39 addendum in version.h, and update the default value in
40 ssh{,d}_config and ssh{,d}_config.5.
42 6) Generate configure and config.h.in:
47 Note: this requires a recent version of autoconf, not autoconf213.
49 7) Run configure with the appropriate arguments:
51 $ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
52 --with-pam --with-tcp-wrappers --with-libedit \
55 This will regenerate config.h, which must be committed along with
58 Note that we don't want to configure OpenSSH for Kerberos using
59 configure since we have to be able to turn it on or off depending
60 on the value of MK_KERBEROS. Our Makefiles take care of this.
62 8) If source files have been added or removed, update the appropriate
63 makefiles to reflect changes in the vendor's Makefile.in.
65 9) Build libssh. Follow the instructions in ssh_namespace.h to get a
66 list of new symbols. Update ssh_namespace.h, build everything,
69 A) Build and test the pam_ssh PAM module. It gropes around libssh's
70 internals and will break if something significant changes or if
71 ssh_namespace.h is out of whack.
73 B) Re-commit everything on repoman (you *did* use a test repo for
78 An overview of FreeBSD changes to OpenSSH-portable
79 ==================================================
83 The SSH protocol allows for a human-readable version string of up
84 to 40 characters to be appended to the protocol version string.
85 FreeBSD takes advantage of this to include a date indicating the
86 "patch level", so people can easily determine whether their system
87 is vulnerable when an OpenSSH advisory goes out. Some people,
88 however, dislike advertising their patch level in the protocol
89 handshake, so we've added a VersionAddendum configuration variable
90 to allow them to change or disable it.
92 1) Modified server-side defaults
94 We've modified some configuration defaults in sshd:
96 - PasswordAuthentication defaults to "no".
98 - LoginGraceTime defaults to 120 seconds instead of 600.
100 - PermitRootLogin defaults to "no".
102 - X11Forwarding defaults to "yes" (it's a threat to the client,
105 2) Modified client-side defaults
107 We've modified some configuration defaults in ssh:
109 - CheckHostIP defaults to "no".
111 3) Canonic host names
113 We've added code to ssh.c to canonicize the target host name after
114 reading options but before trying to connect. This eliminates the
115 usual problem with duplicate known_hosts entries.
117 4) setusercontext() environment
119 Our setusercontext(3) can set environment variables, which we must
120 take care to transfer to the child's environment.
124 This port was brought to you by (in no particular order) DARPA, NAI
125 Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
126 Suzanne Vega, and a Sanford's #69 Deluxe Marker.
projects / FreeBSD / releng / 10.0.git / blob