FreeBSD maintainer's guide to OpenSSH-portable
==============================================

These instructions assume you have a clone of the FreeBSD git repo
main branch in src/freebsd/main, and will store vendor trees under
src/freebsd/vendor/.  In addition, this assumes there is a "freebsd"
origin pointing to git(repo).freebsd.org/src.git.

01) Make sure your mail spool has plenty of free space.  It'll fill up
    pretty fast once you're done with this checklist.

02) Download the latest OpenSSH-portable tarball and signature from
    OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).

03) Verify the signature:

    $ gpg --verify openssh-X.YpZ.tar.gz.asc
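    Verifying the signature as in step 03, and additionally pinning the
    signing key rather than accepting a good signature from any key that
    happens to be in the keyring.  This is an added example, not part of
    the FreeBSD README; it assumes gpg(1) is installed and relies on the
    VALIDSIG line of gpg's --status-fd output.  EXPECTED_FPR is a
    placeholder to be replaced with the release key's fingerprint obtained
    from a trusted source.

```shell
#!/bin/sh
# Added example, not from the FreeBSD README.  "gpg --verify" exits 0 for a
# good signature from *any* key in the keyring, so a maintainer who has
# imported many keys should also pin the expected release key.  gpg reports
# the signing key on a machine-readable status line of the form:
#   [GNUPG:] VALIDSIG <fingerprint> <date> <epoch> ... <primary-fingerprint>

# Placeholder: replace with the release key's fingerprint from a trusted source.
EXPECTED_FPR='0000000000000000000000000000000000000000'

# Print the signing-key fingerprint found in a saved --status-fd file.
# Returns 1 when no VALIDSIG line is present (bad or missing signature).
validsig_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Compare two fingerprints, ignoring case.
fingerprint_matches() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = \
      "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Verify openssh-X.YpZ.tar.gz against openssh-X.YpZ.tar.gz.asc and require
# the signer to be the pinned key.  Prints the signer's fingerprint on success.
verify_release() {   # $1 = tarball path, $2 = expected fingerprint
    status=$(mktemp) || return 1
    gpg --status-fd 3 --verify "$1.asc" "$1" 3>"$status" 2>/dev/null
    rc=$?
    fpr=$(validsig_fingerprint "$status") || fpr=''
    rm -f "$status"
    if [ "$rc" -ne 0 ] || [ -z "$fpr" ]; then
        echo "$1: signature did not verify" >&2
        return 1
    fi
    if ! fingerprint_matches "$fpr" "$2"; then
        echo "$1: signed by unexpected key $fpr" >&2
        return 1
    fi
    printf '%s\n' "$fpr"
}

# Usage: verify_release openssh-X.YpZ.tar.gz "$EXPECTED_FPR"
```

    The fingerprint check is the part gpg does not do for you: a key
    imported years ago for some unrelated project would otherwise be
    enough to make "Good signature" appear.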

04) Unpack the tarball in a suitable directory:

    $ tar xf openssh-X.YpZ.tar.gz

05) Copy to a vendor branch:

    $ cd src/freebsd/main
    $ git worktree add ../vendor/openssh freebsd/vendor/openssh
    $ cd ../vendor/openssh
    $ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./

06) Take care of added / deleted files:

    $ git add -A

07) Commit:

    $ git commit -m "Vendor import of OpenSSH X.YpZ"

08) Tag:

    $ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ

    At this point the vendor branch can be pushed to the FreeBSD repo via:

    $ git push freebsd vendor/openssh
    $ git push freebsd vendor/openssh/X.YpZ

    Note the second "git push" command is used to push the tag, which is
    not pushed by default.

    It is also possible to push the branch and tag together, but use
    --dry-run first to ensure that no undesired tags will be pushed:

    $ git push --dry-run --follow-tags freebsd vendor/openssh
    $ git push --follow-tags freebsd vendor/openssh

    The update and tag could instead be pushed later, along with the merge
    to main, but pushing now allows others to collaborate.
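    A dry rehearsal of steps 05 through 08 and the pushes above, run
    against a throwaway local repository so the worktree, commit, tag and
    push behaviour can be checked before anything reaches the FreeBSD
    repo.  This is an added example, not part of the FreeBSD README.  It
    assumes git(1); everything else is constructed: a bare repository
    stands in for the "freebsd" remote, a vendor/openssh branch holding a
    fake previous import stands in for the real vendor history, and when
    rsync(1) is absent a git rm plus cp replaces the tree in the same way.
    The worktree is created from the local branch name, since the scratch
    repo has no freebsd/vendor/openssh remote-tracking ref.  The subtree
    merge of step 09 is not rehearsed.

```shell
#!/bin/sh
# Added example, not from the FreeBSD README: rehearse steps 05-08 and the
# pushes in a scratch repository.  Everything here is constructed; the
# bare repo under $root/remote stands in for git(repo).freebsd.org/src.git.
set -e

git_c() { git -c user.name=maint -c user.email=maint@example.invalid "$@"; }

# Build src/freebsd/main with a "freebsd" remote and a vendor/openssh branch
# that already holds a previous import, like the real tree.  Prints $root.
setup_scratch() {
    root=$(mktemp -d)
    mkdir -p "$root/src/freebsd/vendor" "$root/remote"
    git init -q --bare "$root/remote/src.git"
    git init -q "$root/src/freebsd/main"
    (
        cd "$root/src/freebsd/main"
        git symbolic-ref HEAD refs/heads/main
        git remote add freebsd "$root/remote/src.git"
        mkdir -p crypto/openssh
        echo '# FreeBSD-local wrapper' > crypto/openssh/freebsd-configure.sh
        git_c add -A && git_c commit -qm 'Initial main tree'
        # previous vendor import on its own (unrelated) branch
        git checkout -q --orphan vendor/openssh
        git rm -rq --cached . && rm -rf crypto
        printf '#define SSH_VERSION "OpenSSH_0.0p0"\n' > version.h
        git_c add -A && git_c commit -qm 'Vendor import of OpenSSH 0.0p0'
        git checkout -q main
    )
    echo "$root"
}

# Steps 05-08: replace the vendor worktree contents with the unpacked
# tarball, stage adds and deletes, commit, tag.
vendor_import() {   # $1 = $root, $2 = X.YpZ, $3 = unpacked openssh-X.YpZ dir
    (
        cd "$1/src/freebsd/main"
        git worktree add -q ../vendor/openssh vendor/openssh
        cd ../vendor/openssh
        if command -v rsync >/dev/null 2>&1; then
            rsync --archive --delete --exclude=.git "$3/" ./
        else
            git rm -rq . && cp -R "$3/." .   # stand-in for rsync --delete
        fi
        git add -A
        git_c commit -qm "Vendor import of OpenSSH $2"
        git_c tag -a -m "Tag OpenSSH $2" "vendor/openssh/$2"
    )
}

# The two separate pushes from the README: the branch, then the tag
# (which "git push freebsd vendor/openssh" alone leaves behind).
push_branch() { (cd "$1/src/freebsd/vendor/openssh" && git push -q freebsd vendor/openssh); }
push_tag()    { (cd "$1/src/freebsd/vendor/openssh" && git push -q freebsd "vendor/openssh/$2"); }

# The combined form: --dry-run prints what --follow-tags would send before
# anything is pushed for real.
push_follow_tags() {
    (
        cd "$1/src/freebsd/vendor/openssh"
        git push --dry-run --follow-tags freebsd vendor/openssh
        git push -q --follow-tags freebsd vendor/openssh
    )
}

# Inspection helpers for the stand-in remote.
remote_has_tag() {   # $1 = $root, $2 = X.YpZ
    git --git-dir="$1/remote/src.git" tag -l "vendor/openssh/$2" | grep -q .
}
remote_file() {      # $1 = $root, $2 = X.YpZ, $3 = path in the tagged tree
    git --git-dir="$1/remote/src.git" show "vendor/openssh/$2:$3"
}

# Usage (9.9p9 is a constructed version number):
#   root=$(setup_scratch); vendor_import "$root" 9.9p9 /path/to/openssh-9.9p9
#   push_branch "$root"; push_tag "$root" 9.9p9
```

    Running push_branch and then remote_has_tag shows the point of the
    note above: the annotated tag is not on the remote until push_tag (or
    --follow-tags) sends it.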

09) Merge from the vendor branch:

    $ git subtree merge -P crypto/openssh vendor/openssh

    A number of files have been deleted from FreeBSD's copy of ssh,
    including rendered man pages (which have a .0 extension).  When
    git prompts for these deleted files during the merge, choose 'd'
    (leaving them deleted).

10) Resolve conflicts.  Remember to bump the version addendum in
    version.h, and update the default value in sshd_config and
    sshd_config.5.

11) Diff against the vendor branch:

    $ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh

    Review the diff for any unexpected changes.

12) Run the configure script:

    $ cd crypto/openssh
    $ sh freebsd-configure.sh

13) Review changes to config.h very carefully.

    Note that libwrap should not be defined in config.h; as of
    r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS.

14) If source files have been added or removed, update the appropriate
    makefiles to reflect changes in the vendor's Makefile.in.

15) Update ssh_namespace.h:

    $ cd crypto/openssh
    $ sh freebsd-namespace.sh

16) Build and install world, reboot, test.  Pay particular attention
    to pam_ssh(8), which gropes inside libssh and will break if
    something significant changes or if ssh_namespace.h is out of
    whack.

17) Check for references to obsolete configuration options
    (e.g., ChallengeResponseAuthentication in sshd_config) which
    may exist in release/ scripts.
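    Two of the review items above, the config.h check in step 13 and the
    obsolete-option search in step 17, can be done mechanically.  The
    script below is an added example, not part of the FreeBSD README; it
    assumes that LIBWRAP is the macro upstream's configure emits for TCP
    wrappers support and that release/ scripts refer to sshd options by
    their plain keyword.  The sample inputs in the usage comment are
    constructed.

```shell
#!/bin/sh
# Added example, not from the FreeBSD README: mechanical checks for two of
# the review items in the checklist (steps 13 and 17).

# Step 13: fail if config.h defines any of the macros named after the path.
# With MK_TCP_WRAPPERS handled in the makefiles, LIBWRAP must not appear
# here (assumption: LIBWRAP is the macro upstream's configure emits).
# A commented "/* #undef LIBWRAP */" line is fine and is not matched.
check_config_h() {   # $1 = path to config.h, $2... = macros that must stay undefined
    cfg=$1; shift
    bad=0
    for m in "$@"; do
        if grep -nE "^[[:space:]]*#[[:space:]]*define[[:space:]]+$m([[:space:]]|$)" "$cfg"; then
            echo "$cfg: $m is defined" >&2
            bad=1
        fi
    done
    return $bad
}

# Step 17: print file:line for every reference to an obsolete option keyword
# under a directory (e.g. release/); return 1 if any were found.
find_obsolete_options() {   # $1 = directory, $2... = keywords
    dir=$1; shift
    found=0
    for kw in "$@"; do
        if grep -rnw -- "$kw" "$dir"; then
            found=1
        fi
    done
    return $found
}

# Usage, from the top of the source tree after step 12:
#   check_config_h crypto/openssh/config.h LIBWRAP
#   find_obsolete_options release ChallengeResponseAuthentication
```

    Both functions print the offending lines and exit non-zero, so they can
    be chained with the rest of a pre-commit check.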

18) Commit, and hunker down for the inevitable storm of complaints.


An overview of FreeBSD changes to OpenSSH-portable
==================================================

1) Modified server-side defaults

   We've modified some configuration defaults in sshd:

   - UsePAM defaults to "yes".
   - PermitRootLogin defaults to "no".
   - PasswordAuthentication defaults to "no".
   - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
   - UseDNS defaults to "yes".

2) Modified client-side defaults

   We defaulted CheckHostIP to "no" in 2000 (a95c1225217b).  Upstream has
   now made the same change, and we no longer have any modified client-side
   defaults.

3) Canonical host names

   We've added code to ssh.c to canonicalize the target host name after
   reading options but before trying to connect.  This eliminates the
   usual problem with duplicate known_hosts entries.

   We added this support in 2002 (r99054 / bf2e2524a2ce).  In 2014
   upstream introduced CanonicalDomains and related options to serve a
   similar purpose, but they require environment-specific configuration.

4) setusercontext() environment

   Our setusercontext(3) can set environment variables, which we must
   take care to transfer to the child's environment.

5) TCP wrappers

   Support for TCP wrappers was removed in upstream 6.7p1.  We've
   added it back by porting the 6.6p1 code forward.

   TCP wrappers support in sshd will be disabled in HEAD and will
   be removed from FreeBSD in the future.

6) Agent client reference counting

   We've added code to ssh-agent.c to implement client reference
   counting; the agent will automatically exit when the last client
   disconnects.

7) Class-based login restrictions (27ceebbc2402)

   We've added code to auth.c to enforce the host.allow, host.deny,
   times.allow and times.deny login class capabilities, based on an
   upstream submission from
   https://github.com/openssh/openssh-portable/pull/262.

8) Blocklist integration

   We include blocklist (https://github.com/zoulasc/blocklist) in FreeBSD,
   and ssh is patched to report login failures to it.

9) Paths

   A number of paths are changed to match FreeBSD's configuration (e.g.,
   using /usr/local/ instead of /usr/X11R6/).

10) Retired patches

    We no longer have client-side VersionAddendum, but we recognize and ignore
    the configuration options to avoid breaking existing configurations.

11) PrintLastLog bugfix

    Upstream's autoconf sets DISABLE_LASTLOG if the system does not have
    lastlog.ll_line, but uses it to disable the PrintLastLog configuration
    option altogether.  There is a hacky SKIP_DISABLE_LASTLOG_DEFINE=yes to
    skip setting DISABLE_LASTLOG which we've applied for FreeBSD, but the
    autoconf machinery really ought to be reworked.  Reported upstream at
    https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html


This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.

-- des@FreeBSD.org