X.509 support in ssh (revisited)

Brian Hatch secureshell at ifokr.org
Thu Jan 24 16:18:11 EST 2002



> Lets not even talk about the problem of people being afraid to
> kill the very same service they're reconfiguring a system through, and thus
> end up leaving the old daemon residing in memory indefinitely.

Every time I upgrade sshd I test the new version out simply
by running one on a separate port until I verify it works.
You can run it in debug mode, even with a new version of
the config file if it'll differ from the existing one:

	/path/to/new/sshd -p 222 [-d] [-f new_config_file]

So a few 'ssh hostname -p 222' tests from various machines
should let you know if it works.  When it does, kill off the
sshd process with PPID 1 and start your new sshd daemon in
its place.  No reason to leave the old version running for
ages.

> Plus there's
> other reasons for upgrade breakage that I don't even know.

None if you test things before installing.

> Clients have trouble figuring out local port forward syntax;

What does that have to do with upgrades?

> servers are
> confounded by upgrading without at the very least wiping out their old keys.

I've never had that problem, not even once.  I've used the same keys
through upgrades from OpenSSH 1.2.3 and on.

> It's just the way it is, and why nobody's surprised when keys change.

If I see my keys change then sshmitm is to blame.

> I'm not complaining about this just to complain -- I'm going to eventually
> do something about this.  I'm thinking about embedding the configure options
> in the sshd itself and using the process table to discover which sshd to
> clone(probably allowing --with-upgrade=/usr/sbin as an override).

Why not save a copy of the ./configure options you used when you
compiled?

Incidentally, here's how I do an ssh compile (for a fictitious
Linux machine, in this case, root vs non root user issues
glossed over for conciseness):

	$ cd openssh-X.Y.Z
	$ mkdir /opt/pkgs/openssh-X.Y.Z
	$ script /opt/pkgs/openssh-X.Y.Z/COMPILE.TXT
	$ ./configure --prefix=/opt/pkgs/openssh-X.Y.Z \
		--with-tcp-wrappers  --with-pam \
		--with-md5-passwords \
		....
	$ make; make install
	$ exit

Voilà.  New sshd doesn't overwrite the old one, and you have
a copy of the configure options automatically saved in
/opt/pkgs/.../COMPILE.TXT which you can look at next time
if needed.

So, what other arguments do you have that there's a problem with
OpenSSH and not your administrative process?




--
Brian Hatch                  "Look, somebody's got to have
   Systems and                some damn perspective around
   Security Engineer          here.  Boom, sooner or later.
http://www.ifokr.org/bri/     *BOOM*!"

Every message PGP signed
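As an added example (not from the post above), here is a small POSIX shell helper that follows the procedure described: recover the saved ./configure options from a script(1) COMPILE.TXT, test the new sshd on a side port, and only then replace the listening master. NEW_SSHD, NEW_CONFIG, OLD_SSHD and TEST_PORT are placeholder values, and the log is assumed to show the "$ " prompt used in the post.

```shell
#!/bin/sh
# Staged sshd upgrade helper. Placeholder paths; set them for your system.
NEW_SSHD=${NEW_SSHD:-/opt/pkgs/openssh-X.Y.Z/sbin/sshd}
NEW_CONFIG=${NEW_CONFIG:-/opt/pkgs/openssh-X.Y.Z/etc/sshd_config}
OLD_SSHD=${OLD_SSHD:-/usr/sbin/sshd}
TEST_PORT=${TEST_PORT:-222}

# Recover the ./configure command line from a COMPILE.TXT written by
# script(1): join backslash-continued lines, drop the "$ " prompt and any
# CRs, squeeze whitespace. Output is the exact option set to reuse next time.
configure_opts_from_log() {
    awk '
        /^\$ \.\/configure/ { in_cfg = 1 }
        in_cfg {
            line = $0
            sub(/\r$/, "", line); sub(/^\$ /, "", line)
            cont = (line ~ /\\$/); sub(/\\$/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line); gsub(/[ \t]+/, " ", line)
            out = (out == "") ? line : out " " line
            if (!cont) { print out; exit }
        }' "$1"
}

# Print the PID of the old listening master from "pid ppid args" lines
# (ps -eo pid=,ppid=,args=) on stdin. Per-connection children have the
# master, not init, as parent. PPID 1 alone is not enough: a daemonised
# test instance on port 222 also reparents to init, so match the binary
# path too (assumes the master shows its path as the first word of args).
master_sshd_pid() {
    awk -v exe="$1" '$2 == 1 && $3 == exe { print $1 }'
}

staged_upgrade() {
    # 1. Syntax-check the new config with the new binary before anything else.
    "$NEW_SSHD" -t -f "$NEW_CONFIG" || { echo "config test failed" >&2; return 1; }
    # 2. Run the new daemon on the side port and make a real connection
    #    through it (the new config should point at the existing host keys
    #    so known_hosts still matches).
    "$NEW_SSHD" -p "$TEST_PORT" -f "$NEW_CONFIG" -o PidFile=/tmp/sshd-test.pid
    ssh -p "$TEST_PORT" -o BatchMode=yes localhost true \
        || { echo "login via port $TEST_PORT failed; old sshd left running" >&2; return 1; }
    # 3. Only now swap: stop the old master, start the new one on port 22,
    #    then retire the test instance. Established sessions are unaffected.
    kill "$(ps -eo pid=,ppid=,args= | master_sshd_pid "$OLD_SSHD")"
    "$NEW_SSHD" -f "$NEW_CONFIG"
    kill "$(cat /tmp/sshd-test.pid)"
}

case "${1-}" in --run) staged_upgrade ;; esac
```

Run it with `--run` as root once the placeholders are set; the two helper functions can be exercised on their own against a saved log and `ps` output first.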