diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index 4c669fd4adb1..54e1699e96c2 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -1,197 +1,192 @@ FreeBSD maintainer's guide to OpenSSH-portable ============================================== These instructions assume you have a clone of the FreeBSD git repo main branch in src/freebsd/main, and will store vendor trees under src/freebsd/vendor/. In addition, this assumes there is a "freebsd" origin pointing to git(repo).freebsd.org/src.git. 00) Make sure your mail spool has plenty of free space. It'll fill up pretty fast once you're done with this checklist. 01) Download the latest OpenSSH-portable tarball and signature from OpenBSD (https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/). 02) Verify the signature: $ gpg --verify openssh-X.YpZ.tar.gz.asc 03) Unpack the tarball in a suitable directory: $ tar xf openssh-X.YpZ.tar.gz 04) Copy to a vendor branch: $ cd src/freebsd/main $ git worktree add ../vendor/openssh freebsd/vendor/openssh $ cd ../vendor/openssh $ rsync --archive --delete --exclude=.git /path/to/openssh-X.YpZ/ ./ 05) Take care of added / deleted files: $ git add -A 06) Commit: $ git commit -m "Vendor import of OpenSSH X.YpZ" 07) Tag: $ git tag -a -m "Tag OpenSSH X.YpZ" vendor/openssh/X.YpZ At this point the vendor branch can be pushed to the FreeBSD repo via: $ git push freebsd vendor/openssh $ git push freebsd vendor/openssh/X.YpZ Note the second "git push" command is used to push the tag, which is not pushed by default. It is also possible to push the branch and tag together, but use --dry-run first to ensure that no undesired tags will be pushed: $ git push --dry-run --follow-tags freebsd vendor/openssh $ git push --follow-tags freebsd vendor/openssh The update and tag could instead be pushed later, along with the merge to main, but pushing now allows others to collaborate. 08) Check out head and run the pre-merge script, which strips our RCS tags from files that have them: $ cd src/freebsd/main/crypto/openssh $ sh freebsd-pre-merge.sh 09) Merge from the vendor branch: $ git subtree merge -P crypto/openssh vendor/openssh A number of files have been deleted from FreeBSD's copy of ssh, including rendered man pages (which have a .0 extension). When git prompts for these deleted files during the merge, choose 'd' (leaving them deleted). 0A) Resolve conflicts. Remember to bump the version addendum in version.h, and update the default value in ssh{,d}_config and ssh{,d}_config.5. 0B) Diff against the vendor branch: $ git diff --diff-filter=M vendor/openssh/X.YpZ HEAD:crypto/openssh Files that have modifications relative to the vendor code, and only those files, must have the svn:keywords property set to FreeBSD=%H and be listed in the 'keywords' file created by the pre-merge script. 0C) Run the post-merge script, which re-adds RCS tags to files that need them: $ sh freebsd-post-merge.sh These tags are not used with git, but we will leave them in place as long as svn-based FreeBSD 12.x is supported. 0D) Run the configure script: $ sh freebsd-configure.sh 0E) Review changes to config.h very carefully. Note that libwrap should not be defined in config.h; as of r311585 (233932cc2a60) it is conditional on MK_TCP_WRAPPERS. 0F) If source files have been added or removed, update the appropriate makefiles to reflect changes in the vendor's Makefile.in. 10) Update ssh_namespace.h: $ sh freebsd-namespace.sh 11) Build and install world, reboot, test. Pay particular attention to pam_ssh(8), which gropes inside libssh and will break if something significant changes or if ssh_namespace.h is out of whack. -12) Update nanobsd's copies of the ssh config files: - - tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config - tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config - -13) Check for references to obsolete configuration options +12) Check for references to obsolete configuration options (e.g., ChallengeResponseAuthentication in sshd_config) which may exist in release/ scripts. -14) Commit, and hunker down for the inevitable storm of complaints. +13) Commit, and hunker down for the inevitable storm of complaints. An overview of FreeBSD changes to OpenSSH-portable ================================================== 1) Modified server-side defaults We've modified some configuration defaults in sshd: - UsePAM defaults to "yes". - PermitRootLogin defaults to "no". - X11Forwarding defaults to "yes". - PasswordAuthentication defaults to "no". - VersionAddendum defaults to "FreeBSD-YYYYMMDD". - PrivilegeSeparation defaults to "sandbox". - UseDNS defaults to "yes". 2) Modified client-side defaults We've modified some configuration defaults in ssh: - CheckHostIP defaults to "no". - VerifyHostKeyDNS defaults to "yes" if built with LDNS. - VersionAddendum defaults to "FreeBSD-YYYYMMDD". 3) Canonic host names We've added code to ssh.c to canonicize the target host name after reading options but before trying to connect. This eliminates the usual problem with duplicate known_hosts entries. 4) setusercontext() environment Our setusercontext(3) can set environment variables, which we must take care to transfer to the child's environment. 5) TCP wrappers Support for TCP wrappers was removed in upstream 6.7p1. We've added it back by porting the 6.6p1 code forward. TCP wrappers support in sshd will be disabled in HEAD and will be removed from FreeBSD in the future. 6) Agent client reference counting We've added code to ssh-agent.c to implement client reference counting; the agent will automatically exit when the last client disconnects. 7) Class-based login restrictions (27ceebbc2402) We've added code to auth.c to enforce the host.allow, host.deny, times.allow and times.deny login class capabilities, based on an upstream submission from https://github.com/openssh/openssh-portable/pull/262. 8) Retired patches We no longer have HPN patches (adaptive buffer size for increased throughput on high-BxD links) or client-side VersionAddendum, but we recognize and ignore the configuration options to avoid breaking existing configurations. This port was brought to you by (in no particular order) DARPA, NAI Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co., Suzanne Vega, and a Sanford's #69 Deluxe Marker. -- des@FreeBSD.org diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config deleted file mode 100644 index 306e8f950efd..000000000000 --- a/tools/tools/nanobsd/rescue/Files/etc/ssh/ssh_config +++ /dev/null @@ -1,47 +0,0 @@ -# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -# Host * -# ForwardAgent no -# ForwardX11 no -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP no -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_ecdsa -# IdentityFile ~/.ssh/id_ed25519 -# Port 22 -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com -# RekeyLimit 1G 1h -# UserKnownHostsFile ~/.ssh/known_hosts.d/%k -# VerifyHostKeyDNS yes diff --git a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config b/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config deleted file mode 100644 index 623495cd89fe..000000000000 --- a/tools/tools/nanobsd/rescue/Files/etc/ssh/sshd_config +++ /dev/null @@ -1,121 +0,0 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -# Note that some of FreeBSD's defaults differ from OpenBSD's, and -# FreeBSD has a few additional options. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# Change to yes to enable built-in password authentication. -# Note that passwords may also be accepted via KbdInteractiveAuthentication. -#PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable PAM authentication -#KbdInteractiveAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'no' to disable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -#UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding yes -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#UseBlacklist no -#VersionAddendum FreeBSD-20220415 - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/libexec/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server