Diffstat (limited to 'crypto/openssh/FREEBSD-upgrade')
-rw-r--r-- | crypto/openssh/FREEBSD-upgrade | 116 |
1 files changed, 49 insertions, 67 deletions
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 52793e84c366..ef05c55a37e3 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -6,36 +6,36 @@ src/freebsd/vendor/. In addition, this assumes there is a "freebsd" origin pointing to git(repo).freebsd.org/src.git. -00) Make sure your mail spool has plenty of free space. It'll fill up +01) Make sure your mail spool has plenty of free space. It'll fill up pretty fast once you're done with this checklist. -01) Download the latest OpenSSH-portable tarball and signature from +02) Download the latest OpenSSH-portable tarball and signature from OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/). -02) Verify the signature: +03) Verify the signature: $ gpg --verify openssh-X.YpZ.tar.gz.asc -03) Unpack the tarball in a suitable directory: +04) Unpack the tarball in a suitable directory: $ tar xf openssh-X.YpZ.tar.gz -04) Copy to a vendor branch: +05) Copy to a vendor branch: $ cd src/freebsd/main $ git worktree add ../vendor/openssh freebsd/vendor/openssh $ cd ../vendor/openssh $ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./ -05) Take care of added / deleted files: +06) Take care of added / deleted files: $ git add -A -06) Commit: +07) Commit: $ git commit -m "Vendor import of OpenSSH X.YpZ" -07) Tag: +08) Tag: $ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ @@ -56,12 +56,6 @@ The update and tag could instead be pushed later, along with the merge to main, but pushing now allows others to collaborate. -08) Check out head and run the pre-merge script, which strips our RCS - tags from files that have them: - - $ cd src/freebsd/main/crypto/openssh - $ sh freebsd-pre-merge.sh - 09) Merge from the vendor branch: $ git subtree merge -P crypto/openssh vendor/openssh 
@@ -71,96 +65,65 @@ git prompts for these deleted files during the merge, choose 'd' (leaving them deleted). -0A) Resolve conflicts. Remember to bump the version addendum in - version.h, and update the default value in ssh{,d}_config and - ssh{,d}_config.5. +10) Resolve conflicts. Remember to bump the version addendum in + version.h, and update the default value in sshd_config and + sshd_config.5. -0B) Diff against the vendor branch: +11) Diff against the vendor branch: $ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh - Files that have modifications relative to the vendor code, and - only those files, must have the svn:keywords property set to - FreeBSD=%H and be listed in the 'keywords' file created by the - pre-merge script. - -0C) Run the post-merge script, which re-adds RCS tags to files that - need them: - - $ sh freebsd-post-merge.sh - - These tags are not used with git, but we will leave them in place as - long as svn-based FreeBSD 12.x is supported. + Review the diff for any unexpected changes. -0D) Run the configure script: +12) Run the configure script: + $ cd crypto/openssh $ sh freebsd-configure.sh -0E) Review changes to config.h very carefully. +13) Review changes to config.h very carefully. Note that libwrap should not be defined in config.h; as of r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS. -0F) If source files have been added or removed, update the appropriate +14) If source files have been added or removed, update the appropriate makefiles to reflect changes in the vendor's Makefile.in. -10) Update ssh_namespace.h: +15) Update ssh_namespace.h: + $ cd crypto/openssh $ sh freebsd-namespace.sh -11) Build and install world, reboot, test. Pay particular attention +16) Build and install world, reboot, test. Pay particular attention to pam_ssh(8), which gropes inside libssh and will break if something significant changes or if ssh_namespace.h is out of whack. 
-12) Update nanobsd's copies of the ssh config files: - - tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config - tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config - -13) Check for references to obsolete configuration options +17) Check for references to obsolete configuration options (e.g., ChallengeResponseAuthentication in sshd_config) which may exist in release/ scripts. -14) Commit, and hunker down for the inevitable storm of complaints. +18) Commit, and hunker down for the inevitable storm of complaints. An overview of FreeBSD changes to OpenSSH-portable ================================================== -0) VersionAddendum - - The SSH protocol allows for a human-readable version string of up - to 40 characters to be appended to the protocol version string. - FreeBSD takes advantage of this to include a date indicating the - "patch level", so people can easily determine whether their system - is vulnerable when an OpenSSH advisory goes out. Some people, - however, dislike advertising their patch level in the protocol - handshake, so we've added a VersionAddendum configuration variable - to allow them to change or disable it. Upstream added support for - VersionAddendum on the server side, but we also support it on the - client side. - 1) Modified server-side defaults We've modified some configuration defaults in sshd: - UsePAM defaults to "yes". - PermitRootLogin defaults to "no". - - X11Forwarding defaults to "yes". - PasswordAuthentication defaults to "no". - VersionAddendum defaults to "FreeBSD-YYYYMMDD". - - PrivilegeSeparation defaults to "sandbox". - UseDNS defaults to "yes". 2) Modified client-side defaults - We've modified some configuration defaults in ssh: - - - CheckHostIP defaults to "no". - - VerifyHostKeyDNS defaults to "yes" if built with LDNS. - - VersionAddendum defaults to "FreeBSD-YYYYMMDD". + We defaulted CheckHostIP to "no" in 2000 (a95c1225217b). 
Upstream has + now made the same change, and we no longer have any modified client-side + defaults. 3) Canonic host names @@ -168,6 +131,10 @@ reading options but before trying to connect. This eliminates the usual problem with duplicate known_hosts entries. + We added this support in 2002 (r99054 / bf2e2524a2ce). In 2014 + upstream introduced CanonicalDomains and related options to serve a + similar purpose but they require environment-specific configuration. + 4) setusercontext() environment Our setusercontext(3) can set environment variables, which we must @@ -194,13 +161,28 @@ upstream submission from https://github.com/openssh/openssh-portable/pull/262. -8) HPN +8) Blocklist integration + + We include blocklist (https://github.com/zoulasc/blocklist) in FreeBSD, + and ssh is patched to report login failures to it. + +9) Paths + + A number of paths are changed to match FreeBSD's configuration (e.g., + using /usr/local/ instead of /uxr/X11R6/). + +10) Retired patches + + We no longer have client-side VersionAddendum. - We no longer have the HPN patches (adaptive buffer size for - increased throughput on high-BxD links), but we recognize and - ignore HPN-related configuration options to avoid breaking existing - configurations. +11) PrintLastLog bugfix + Upstream's autoconf sets DISABLE_LASTLOG if the system does not have + lastlog.ll_line, but uses it to disable the PrintLastLog configuration + option altogether. There is a hacky SKIP_DISABLE_LASTLOG_DEFINE=yes to + skip setting DISABLE_LASTLOG which we've applied for FreeBSD, but the + autoconf machinery really ought to be reworked. Reported upstream at + https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html This port was brought to you by (in no particular order) DARPA, NAI |
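Review bot: in the @@ -6,36 +6,36 @@ hunk the renumbering of steps 00-07 to 01-08 is fine, but since step 03 ("Verify the signature") is being touched anyway, it would be worth saying what a successful `gpg --verify openssh-X.YpZ.tar.gz.asc` is expected to show: the command reports a good signature from whichever key in the importer's keyring made it, so the checklist should tell the importer to compare the reported signer against the OpenSSH release key (fingerprint to be taken from the upstream release announcement, not invented here) before going on to step 04.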
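Review bot: the @@ -56,12 +56,6 @@ hunk removes step 08, which was the only step that ran freebsd-pre-merge.sh, and the following hunk likewise drops freebsd-post-merge.sh and the 'keywords' file it consumed; the diffstat shown here is limited to FREEBSD-upgrade, so please confirm both scripts are deleted in the same commit, otherwise they stay behind as dead tooling that a future importer may run out of habit and re-add the RCS tags this change retires.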
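Review bot: in the @@ -71,96 +65,65 @@ hunk, steps 12 and 15 both add a relative `$ cd crypto/openssh`; after step 12 the working directory is already crypto/openssh and steps 13 and 14 give no cd, so the second `cd crypto/openssh` will fail as written. Either use the absolute form the removed step 08 used (`$ cd src/freebsd/main/crypto/openssh`) or add a "from the top of the tree" remark to each step. Separately, the overview part of this hunk deletes section 0 (VersionAddendum) while the server-side defaults list still says `VersionAddendum defaults to "FreeBSD-YYYYMMDD"`; keep one sentence explaining that the addendum carries the patch-level date and can be changed or disabled, since that privacy trade-off is the reason operators look for the option.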
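Review bot: the paragraph added in @@ -168,6 +131,10 @@ compares our 2002 canonicalization with upstream's CanonicalDomains but does not say what follows for the local change; state explicitly that it is being kept because CanonicalDomains needs environment-specific configuration (or that it is slated for retirement), so the next importer knows whether to carry the patch forward.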
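Review bot: in @@ -194,13 +161,28 @@ the Paths section has a typo, `/uxr/X11R6/` should read `/usr/X11R6/`. In the Blocklist section, "ssh is patched to report login failures" presumably means sshd, since login failures are observed on the server side; name the daemon so readers know which binary carries the patch. Finally, the removed HPN paragraph said HPN-related options are still recognized and ignored "to avoid breaking existing configurations"; if that compatibility shim remains, keep that sentence under "Retired patches", and if it was dropped say so, because existing sshd_config files that still carry HPN options would then stop parsing.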