mirror of https://git.FreeBSD.org/ports.git synced 2024-12-17 03:25:46 +00:00
freebsd-ports/security/ssh2/files/patch-HOWTO.anonymous.sftp
Alexander Leidinger 610d298652
HEADS-UP: Traditionally this port automatically installs a start-up script for
          sshd2 unless it detects an entry for ssh in /etc/inetd.conf. As there
          are three ways to automatically start sshd2 and /etc/rc.conf is the
          simplest one (at least on FreeBSD 4, with rcNG once /etc/rc.d/sshd is
          fixed to not be tailored to the base sshd) this version of the port
          is the last one to do so. Beginning with the next version it will only
          install a sample start-up script. To prevent foot shooting when
          updating to the next version this port won't remove an existing
          start-up script on deinstall. Please see also the pkg-message that
          gets displayed on installation.

- Update to 3.2.9.1. This is _not_ a security update. For the non-commercial
  version the only change worth mentioning since 3.2.5 is the addition of the
  config option "DisableVersionFallback", see sshd2_config(5) for further
  details.
- Use sites from the official list of mirrors for MASTER_SITES.
- Adjust COMMENT to justify why this port is security/ssh2, not security/ssh3.
- Revise list of installed documentation. No longer install MANIFEST (list of
  source files) and INSTALL, install RFCs referenced in sshd2_config(5) and
  HOWTO.anonymous.sftp (patched to better fit FreeBSD).
- Remove WITH_STATIC_SFTP knob. Using the internal sftp-server instead of the
  external (static) one is much simpler to set up and maintain (using the
  external one requires installing a copy of it in the home directory of the
  anonymous sftp user, which has to be manually updated when installing a newer
  version of the port).
- Remove WITHOUT_TCPWRAP knob, libwrap is part of FreeBSD since 3.2.
- Install example scripts for the ExternalAuthorizationProgram and
  AuthKbdInt.Plugin config options in EXAMPLESDIR. See sshd2_config(5) for
  further information.
- Replace references to /etc/ssh2/* in config files with PREFIX/etc/ssh2/*.
- Add a pkg-message displaying the different methods to automatically start
  sshd2.
- Switch to the start-up script for Solaris which is part of the tarball, it
  handles the name of the pidfile better.
- Fix detection of X11 headers; this enables compilation with support for the
  X11 SECURITY extension. See TrustX11Applications in ssh2_config(5) for
  further information.
- Add a test target to the Makefile of the port; the tests seem a bit outdated
  and buggy but it's enough to e.g. do a bit of speed comparison when building
  with different compilers.
- Minor changes and clean-up (sort pkg-plist, don't add /usr/local/lib to
  the library search path when compiling, etc.).

Revive some local modifications lost with the update to 3.1.0:
- Use login_cap(3)/login_class(3) facilities to set environment variables,
  priority and shell, get motd, copyright, hushlogin and nologin, respect
  ignorenologin and requirehome. These changes are roughly based on the former
  patch-ah and patch-ai and on patches of security/openssh.
- Don't print "No mail.", it's not FreeBSD login style.

Submitted by:	maintainer
2004-01-04 14:03:52 +00:00


--- HOWTO.anonymous.sftp.orig Wed Dec 3 14:17:17 2003
+++ HOWTO.anonymous.sftp Thu Jan 1 19:18:54 2004
@@ -3,57 +3,27 @@
Author: Sami Lehtinen <sjl@ssh.com>
Created: Thu Oct 18 18:21:56 2001
-1. Follow the standard build process otherwise, except for the following
+1. Create a dedicated user account for the guest user (e.g. "ssh-guest").
- % ./configure --enable-static <your-flags-here>
-
- If your system doesn't support fully static binaries (atleast newer
- Solarises), you have to copy extra files after step 5, so that the
- necessary shared libraries and system configuration files can be
- found by ssh-dummy-shell and sftp-server in the chrooted
- environment.
-
- With internal sftp-server:
- You may also use the internal sftp-server. It simplifies logging and
- chrooting considerably. You don't need to build the static binaries.
-
-2. Create a dedicated user account for the guest user (e.g. "ssh-guest").
-
- In RH Linux:
-
- % useradd [-d home_dir] [-u uid] [-g group] [-s default-shell] ssh-guest
+ % pw useradd ssh-guest -m -s /nonexistent [-d homedir] [-u uid] [-g group]
Remember that the home directory will be the root ("/") of the
chrooted environment, so choose wisely (you can change it later, of
course).
-3. Set some known password (e.g. "guest") for the account with "passwd".
+2. Set some known password (e.g. "guest") for the account with "passwd".
-4. Change the user's shell to "ssh-dummy-shell" with "vipw".
+ % passwd ssh-guest
- With internal sftp-server:
- If you're using the internal sftp-server, you can use /bin/false or
- whatever as the user's shell. The sftp service isn't executed with
- the shell in this case. The user's shell doesn't even need to exist.
-
-5. Run
-
- % ssh-chrootmgr -v ssh-guest # (or the account you created)
-
- This will copy necessary static binaries to the user's home directory.
-
- With internal sftp-server:
- You don't need this step if you don't need the static
- ssh-dummy-shell.
-
-6. Modify /etc/ssh2/sshd2_config. Add the following line:
+3. Modify /etc/ssh2/sshd2_config. Add the following line:
ChRootUsers ssh-guest
-7. If you wish, you may announce the existence of this account in your
- login banner message. The file /etc/ssh2/ssh_banner_message, if not
- empty, will be displayed to incoming users before they authenticate. Or
- you can change the default by modifying the sshd2_config:
+4. If you wish, you may announce the existence of this account in your
+ login banner message. The file /etc/ssh2/ssh_banner_message,
+ if not empty, will be displayed to incoming users before they
+ authenticate. Or you can change the default by modifying the
+ /etc/ssh2/sshd2_config:
BannerMessageFile /etc/ssh2/some_other_ssh_banner_message
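Review bot: the added step 4 text hard-codes `/etc/ssh2/sshd2_config` (and the step 3 context line keeps the same path), while the commit message states that the port now references `PREFIX/etc/ssh2/*` in its config files; since this HOWTO is patched specifically to fit FreeBSD, the paths in steps 3 and 4 (and the `BannerMessageFile /etc/ssh2/...` example) should follow the same `PREFIX/etc/ssh2/` convention so readers edit the file the port actually installs. A second, smaller point in the same hunk: the new `% pw useradd ssh-guest -m -s /nonexistent ...` line drops the removed explanation that the shell is never executed when the internal sftp-server handles the session; one retained sentence to that effect would tell the reader why a non-existent shell is deliberate rather than a typo, and that `-m` creates the home directory which becomes the chroot root described in the following context lines.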
@@ -74,7 +44,7 @@
Remember that you may use subconfiguration files to change a banner
message based on e.g. user name (xxx example file).
-8. You most probably want to restrict access to read-only. For this,
+5. You most probably want to restrict access to read-only. For this,
change the accounts owner to something else (e.g. root):
% chown -R root:root ~ssh-guest
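Review bot: `% chown -R root:root ~ssh-guest` is carried over unchanged under the renumbered step 5, but FreeBSD has no `root` group (root's primary group is `wheel`, gid 0), so this command fails on the platform the patch targets and the account is never made read-only as the step intends; suggest `% chown -R root:wheel ~ssh-guest` (or just `chown -R root ~ssh-guest`, which leaves the group alone) since the port's whole point here is to adapt the HOWTO to FreeBSD.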
@@ -82,7 +52,7 @@
If you want to give some directories write access, change ownership of
those to "ssh-guest".
-9. To enable logging, you have to add the following line to sshd2_config
+6. To enable logging, you have to add the following line to sshd2_config
(or possibly to a subconfig file (see sshd2_subconfig(5))):
SftpSysLogFacility <facility>
@@ -90,26 +60,11 @@
<facility> could be LOCAL7, or whatever you wish. See sshd2_config(5)
for additional documentation.
- Note, that logging in the chrooted environment with a separate
- binary for sftp-server is tricky. Most likely you have to create a
- /dev/log device under the chrooted jail, and add that to the listened
- devices (with the full path) of your syslogd. See the documentation of
- syslog daemon for this. However, see below.
-
- With internal sftp-server:
- Logging in the chrooted jail is much simpler with the internal
- sftp-server. Just specify the correct SftpSysLogFacility, and you are
- set.
-
-10. Add your sftp-server to sshd2_config (if not already there):
-
- subsystem-sftp sftp-server
-
- With internal sftp-server:
+7. Add your sftp-server to sshd2_config (if not already there):
subsystem-sftp internal://sftp-server
-11. Remember to restart the sshd2 daemon after you modify the configuration
+8. Remember to restart the sshd2 daemon after you modify the configuration
file for the changes to take effect!
Have fun.
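Review bot: with the external `subsystem-sftp sftp-server` alternative deleted, the retained wording "(if not already there)" in the new step 7 becomes misleading: a configuration that already carries `subsystem-sftp sftp-server` from the old step 10 passes that check and keeps pointing at the external binary, which this port no longer supports (WITH_STATIC_SFTP removed, per the commit message), so the chrooted login would attempt to run a sftp-server that is not installed in the jail. Suggest rewording to "Make sure the subsystem-sftp line in sshd2_config reads:" followed by `subsystem-sftp internal://sftp-server` and "(replace any existing subsystem-sftp line)". Dropping the `/dev/log`-in-chroot logging caveat is consistent with that change, as the remaining text only describes the internal sftp-server, which logs through sshd2 via SftpSysLogFacility.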