mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 23:48:09 +01:00
d4af9e693f
I have worked hard to reduce diffs against the vendor branch. One notable change in that respect is that we no longer prefer DSA over RSA - the reasons for doing so went away years ago. This may cause some surprises, as ssh will warn about unknown host keys even for hosts whose keys haven't changed. MFC after: 6 weeks
125 lines
3.8 KiB
Plaintext
125 lines
3.8 KiB
Plaintext
|
||
|
||
FreeBSD maintainer's guide to OpenSSH-portable
|
||
==============================================
|
||
|
||
[needs rewriting for svn]
|
||
|
||
0) Make sure your mail spool has plenty of free space. It'll fill up
|
||
pretty fast once you're done with this checklist.
|
||
|
||
1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
|
||
site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
|
||
|
||
2) Unpack the tarball in a suitable directory.
|
||
|
||
$ tar xf openssh-X.YpZ.tar.gz \
|
||
-X /usr/src/crypto/openssh/FREEBSD-Xlist
|
||
|
||
3) Remove trash:
|
||
|
||
Make sure -X took care of everything, and if it didn't, make sure
|
||
to update FREEBSD-Xlist so you won't miss it the next time. A good
|
||
way to do this is to run a test import and see if any new files
|
||
show up:
|
||
|
||
$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
|
||
|
||
4) Import the sources:
|
||
|
||
$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
|
||
|
||
5) Resolve conflicts. Remember to bump the version number and
|
||
addendum in version.h, and update the default value in
|
||
ssh{,d}_config and ssh{,d}_config.5.
|
||
|
||
6) Generate configure and config.h.in:
|
||
|
||
$ autoconf
|
||
$ autoheader
|
||
|
||
Note: this requires a recent version of autoconf, not autoconf213.
|
||
|
||
7) Run configure with the appropriate arguments:
|
||
|
||
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
|
||
--with-pam --with-tcp-wrappers --with-libedit \
|
||
--with-ssl-engine
|
||
|
||
This will regenerate config.h, which must be committed along with
|
||
the rest.
|
||
|
||
Note that we don't want to configure OpenSSH for Kerberos using
|
||
configure since we have to be able to turn it on or off depending
|
||
on the value of MK_KERBEROS. Our Makefiles take care of this.
|
||
|
||
8) If source files have been added or removed, update the appropriate
|
||
makefiles to reflect changes in the vendor's Makefile.in.
|
||
|
||
9) Build libssh. Follow the instructions in ssh_namespace.h to get a
|
||
list of new symbols. Update ssh_namespace.h, build everything,
|
||
install and test.
|
||
|
||
A) Build and test the pam_ssh PAM module. It gropes around libssh's
|
||
internals and will break if something significant changes or if
|
||
ssh_namespace.h is out of whack.
|
||
|
||
B) Re-commit everything on repoman (you *did* use a test repo for
|
||
this, didn't you?)
|
||
|
||
|
||
|
||
An overview of FreeBSD changes to OpenSSH-portable
|
||
==================================================
|
||
|
||
0) VersionAddendum
|
||
|
||
The SSH protocol allows for a human-readable version string of up
|
||
to 40 characters to be appended to the protocol version string.
|
||
FreeBSD takes advantage of this to include a date indicating the
|
||
"patch level", so people can easily determine whether their system
|
||
is vulnerable when an OpenSSH advisory goes out. Some people,
|
||
however, dislike advertising their patch level in the protocol
|
||
handshake, so we've added a VersionAddendum configuration variable
|
||
to allow them to change or disable it.
|
||
|
||
1) Modified server-side defaults
|
||
|
||
We've modified some configuration defaults in sshd:
|
||
|
||
- PasswordAuthentication defaults to "no".
|
||
|
||
- LoginGraceTime defaults to 120 seconds instead of 600.
|
||
|
||
- PermitRootLogin defaults to "no".
|
||
|
||
- X11Forwarding defaults to "yes" (it's a threat to the client,
|
||
not to the server.)
|
||
|
||
2) Modified client-side defaults
|
||
|
||
We've modified some configuration defaults in ssh:
|
||
|
||
- CheckHostIP defaults to "no".
|
||
|
||
3) Canonic host names
|
||
|
||
We've added code to ssh.c to canonicize the target host name after
|
||
reading options but before trying to connect. This eliminates the
|
||
usual problem with duplicate known_hosts entries.
|
||
|
||
4) setusercontext() environment
|
||
|
||
Our setusercontext(3) can set environment variables, which we must
|
||
take care to transfer to the child's environment.
|
||
|
||
|
||
|
||
This port was brought to you by (in no particular order) DARPA, NAI
|
||
Labs, ThinkSec, Nescaf<61>, the Aberlour Glenlivet Distillery Co.,
|
||
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
|
||
|
||
-- des@FreeBSD.org
|
||
|
||
$FreeBSD$
|