mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-26 07:55:01 +00:00
Code Issues Releases Activity
3041e6950d
freebsd/crypto/openssh/FREEBSD-upgrade
Ed Maste 14e78a3656 ssh: Remove note about memory leak now resolved upstream 
OpenSSH 9.4p1 (updated in commit 535af610a4) includes the memory leak
fix that we originally applied in 69c72a57af ("sftp: avoid leaking
path arg in calls to make_absolute_pwd_glob.").

Sponsored by:	The FreeBSD Foundation
2023-08-15 11:56:08 -04:00

194 lines
6.3 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

FreeBSD maintainer's guide to OpenSSH-portable
==============================================
These instructions assume you have a clone of the FreeBSD git repo
main branch in src/freebsd/main, and will store vendor trees under
src/freebsd/vendor/. In addition, this assumes there is a "freebsd"
origin pointing to git(repo).freebsd.org/src.git.
01) Make sure your mail spool has plenty of free space. It'll fill up
pretty fast once you're done with this checklist.
02) Download the latest OpenSSH-portable tarball and signature from
OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/).
03) Verify the signature:
$ gpg --verify openssh-X.YpZ.tar.gz.asc
04) Unpack the tarball in a suitable directory:
$ tar xf openssh-X.YpZ.tar.gz
05) Copy to a vendor branch:
$ cd src/freebsd/main
$ git worktree add ../vendor/openssh freebsd/vendor/openssh
$ cd ../vendor/openssh
$ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./
06) Take care of added / deleted files:
$ git add -A
07) Commit:
$ git commit -m "Vendor import of OpenSSH X.YpZ"
08) Tag:
$ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ
At this point the vendor branch can be pushed to the FreeBSD repo via:
$ git push freebsd vendor/openssh
$ git push freebsd vendor/openssh/X.YpZ
Note the second "git push" command is used to push the tag, which is
not pushed by default.
It is also possible to push the branch and tag together, but use
--dry-run first to ensure that no undesired tags will be pushed:
$ git push --dry-run --follow-tags freebsd vendor/openssh
$ git push --follow-tags freebsd vendor/openssh
The update and tag could instead be pushed later, along with the merge
to main, but pushing now allows others to collaborate.
09) Merge from the vendor branch:
$ git subtree merge -P crypto/openssh vendor/openssh
A number of files have been deleted from FreeBSD's copy of ssh,
including rendered man pages (which have a .0 extension). When
git prompts for these deleted files during the merge, choose 'd'
(leaving them deleted).
10) Resolve conflicts. Remember to bump the version addendum in
version.h, and update the default value in sshd_config and
sshd_config.5.
11) Diff against the vendor branch:
$ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh
Review the diff for any unexpected changes.
12) Run the configure script:
$ cd crypto/openssh
$ sh freebsd-configure.sh
13) Review changes to config.h very carefully.
Note that libwrap should not be defined in config.h; as of
r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS.
14) If source files have been added or removed, update the appropriate
makefiles to reflect changes in the vendor's Makefile.in.
15) Update ssh_namespace.h:
$ cd crypto/openssh
$ sh freebsd-namespace.sh
16) Build and install world, reboot, test. Pay particular attention
to pam_ssh(8), which gropes inside libssh and will break if
something significant changes or if ssh_namespace.h is out of
whack.
17) Check for references to obsolete configuration options
(e.g., ChallengeResponseAuthentication in sshd_config) which
may exist in release/ scripts.
18) Commit, and hunker down for the inevitable storm of complaints.
An overview of FreeBSD changes to OpenSSH-portable
==================================================
1) Modified server-side defaults
We've modified some configuration defaults in sshd:
- UsePAM defaults to "yes".
- PermitRootLogin defaults to "no".
- PasswordAuthentication defaults to "no".
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
- UseDNS defaults to "yes".
2) Modified client-side defaults
We defaulted CheckHostIP to "no" in 2000 (a95c1225217b). Upstream has
now made the same change, and we no longer have any modified client-side
defaults.
3) Canonic host names
We've added code to ssh.c to canonicize the target host name after
reading options but before trying to connect. This eliminates the
usual problem with duplicate known_hosts entries.
We added this support in 2002 (r99054 / bf2e2524a2ce). In 2014
upstream introduced CanonicalDomains and related options to serve a
similar purpose but they require environment-specific configuration.
4) setusercontext() environment
Our setusercontext(3) can set environment variables, which we must
take care to transfer to the child's environment.
5) TCP wrappers
Support for TCP wrappers was removed in upstream 6.7p1. We've
added it back by porting the 6.6p1 code forward.
TCP wrappers support in sshd will be disabled in HEAD and will
be removed from FreeBSD in the future.
6) Agent client reference counting
We've added code to ssh-agent.c to implement client reference
counting; the agent will automatically exit when the last client
disconnects.
7) Class-based login restrictions (27ceebbc2402)
We've added code to auth.c to enforce the host.allow, host.deny,
times.allow and times.deny login class capabilities, based on an
upstream submission from
https://github.com/openssh/openssh-portable/pull/262.
8) Blocklist integration
We include blocklist (https://github.com/zoulasc/blocklist) in FreeBSD,
and ssh is patched to report login failures to it.
9) Paths
A number of paths are changed to match FreeBSD's configuration (e.g.,
using /usr/local/ instead of /uxr/X11R6/).
10) Retired patches
We no longer have client-side VersionAddendum, but we recognize and ignore
the configuration options to avoid breaking existing configurations.
11) PrintLastLog bugfix
Upstream's autoconf sets DISABLE_LASTLOG if the system does not have
lastlog.ll_line, but uses it to disable the PrintLastLog configuration
option altogether. There is a hacky SKIP_DISABLE_LASTLOG_DEFINE=yes to
skip setting DISABLE_LASTLOG which we've applied for FreeBSD, but the
autoconf machinery really ought to be reworked. Reported upstream at
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html
This port was brought to you by (in no particular order) DARPA, NAI
Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
Suzanne Vega, and a Sanford's #69 Deluxe Marker.
-- des@FreeBSD.org
Reference in New Issue View Git Blame Copy Permalink