Binpatch: Errata up to 004 & OpenSSH 4.3

Gerardo Santana's Binpatch System is a fantastic way to keep your OpenBSD sytems up to date.

With Binpatch, you create a directory structure not unlike the OpenBSD ports tree. For each update, you create a section declaring the patch and a section to build the binpatch. Take the i386-only 004 Errata, for example. Append PATCH_I386= with "004_i386machdep" so the line looks like "PATCH_I386=003_i386pmap 004_i386machdep". Then, create a make directive for the patch using "004_i386machdep: _kernel" so binpatch will use its built-in kernel building routine. You can see my entire Makefile for the full effect. Now you're ready to get started building the binpatch for 004...


I like to build my binpatches one step at a time:

1. Modify Makefile (as above)


2. Run: sudo make PATCH=004 patch (make sure patch downloads and applies properly)


3. Run: sudo make PATCH=004 build (build the code with the patch)


4. Run: sudo make PATCH=004 plist (create the list of changed files)


5. Review the PLIST to make sure nothing extraneous is being installed


6. Run: sudo make PATCH=004 package (build the actual package)


7. On a machine needing the patch, I download the patch file and then...


8. Run: sudo tar -xvzpf binpatch-3.8-i386-004.tgz -C /

Note that the p in tar's switches is VERY important. It preserves the permissions (including SUID bit, if applicable). Also, the "-C /" extracts the patch into the root directory (/) no matter where you run tar from.

When OpenSSH was released, I tried to think of a way to leverage the Binpatch system to create an OpenSSH-4.3-for-3.8 binpatch.

I went into my source tree and renamed the ssh directory to ssh.old. Then I unpacked the OpenSSH-4.3 source code. I created a patch file using "diff -u -r usr.bin/ssh.old usr.bin/ssh". Then I put the patch file in my binpatch/patches/common directory and modified my Makefile to create a section for building the OpenSSH binpatch:
mwe2_ssh:
    cd ${WRKSRC}/usr.bin/ssh && \
    (${_obj}; ${_cleandir}; ${_depend}; ${_build}; \
        install -c -o root -g wheel -m 644 ssh_config \
            ${WRKINST}/etc/ssh/ssh_config.43; \
        install -c -o root -g wheel -m 644 sshd_config \
            ${WRKINST}/etc/ssh/sshd_config.43 \
    )

This binpatch installed the changed OpenSSH 4.3 files and copies the ssh_config & sshd_config files to /etc/ssh with ".43" on the end (soas not to overwrite your existing configuration files). So, apply the binpatch and modify your /etc/ssh/{ssh_config,sshd_config} files to include any new options from 4.3 (diff with sshd_config.43?). Then run: sudo kill -HUP `head -1 /var/run/sshd.pid`

Telnet to port 22 and see your success: SSH-2.0-OpenSSH_4.3

My available binpatches:

• binpatch-3.8-i386-001.tgz


• binpatch-3.8-i386-002.tgz


• binpatch-3.8-i386-003.tgz


• binpatch-3.8-i386-004.tgz


• binpatch-3.8-i386-openssh-4.3.tgz

Additionally, I created combo binpatches for all of the current Errata entries. I also created combo binpatches for the three non-GENERIC kernels I use:

• binpatch-3.8-i386-001-004.tgz


• binpatch-3.8-i386_mp-001-004.tgz


• binpatch-3.8-i386_raid-001-004.tgz


• binpatch-3.8-i386_raid_mp-001-004.tgz

The one's with i386_raid & i386_raid_mp are both the GENERIC & GENERIC.MP kernels with RAIDFrame enabled (and RAID_AUTOCONFIG).