Simple steps Re: [ale] Another SSH Release?

John Mills johnmills at speakeasy.net
Wed Sep 17 10:53:21 EDT 2003


Jonathan, ALErs -

First, Thanks to Jonathan and other ALErs who are keeping us 'in synch' 
with this.

Second, for those wanting a fix faster than the distributors can package
it, installation from sources is easy. I did this in RH-7.3:

1. download and unpack the full source tarball into /usr/src/ (where it 
ends up in /usr/src/openssh-3.7.1p1/ at present).

2. find the old installation:

 # which sshd
 /usr/sbin/sshd

3. This gave me the build setting for "--prefix", so:

 # cd /usr/src/openssh-3.7.1p1
 # ./configure --prefix=/usr
 # make
 (log this and check the log, or watch for flaky warnings - I got none)
 # make install
 (ditto)

If 'make install' complains about a missing 'sshd' user and some group 
permissions, create the group and user and set those permissions _per_ 
the message.

4. Look into /etc/ssh/sshd_config and be sure you have the line
 "Protocols 2" uncommented (in other words, you've disabled SSH1 logins).

5. Now start the new animal:
 # cd /etc/rc.d/init.d
 # ./sshd stop
 # ./sshd start



6. If 'make install' regenerates the keys, your users will have to remove 
this entry in their "~/.ssh/known_hosts" and accept the new key on their 
first login. (You will learn this when your first login is refused.)

7. If you have stored the old key on clients for passwordless-logins from
this machine, you will have to update those entries too.

All told, about 1/2(+) hour on a 333MHz box, almost none of it "hands-on"  
time. Naturally if you are working over a 110Bd modem from Tulle there
will be some delay to get your sources, but that would apply to getting a
new rpm, too.

DRAWBACK: If you were using the 'rpm' before, your installation won't
match the existing RPM database. I suggest four options:

1. just remember you changed it when you check RPM integrity and currency,

2. update to the new rpm when it becomes available (and recheck your 
configuration and key files), or

3. uninstall the rpm and reinstall the newly built 'openssh' from your 
/usr/src/ directory, similarly rechecking the config and key files.

4. It's probably possible to remove one package from RPM's installation
database without actually removing the files, but I haven't done it.

If you want to install an rpm that needs 'openssh', you may have to
override its installation dependencies to make use of your non-rpm
'openssh'.

Hope that helps someone.

On Tue, 16 Sep 2003, Jonathan Rickman wrote:

> On Tuesday 16 September 2003 21:38, Jonathan Rickman wrote:
> > Not sure what's going on, since the developers remain silent.
> > ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7.1p1.tar.gz
> > Yes. That's 3.7.1.
> Confirmed. You need to install this. Apparently they discovered a few more 
> potential problems. 

 - John Mills
   john.m.mills at alum.mit.edu
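
A scripted form of the step 4 check in the message above, added here as an example and not part of the original post. It assumes an OpenSSH 3.x-era sshd where the sshd_config(5) keyword is spelled `Protocol`, the first uncommented occurrence wins, and an unset keyword defaults to `2,1`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions (OpenSSH 3.x-era sshd): the keyword is "Protocol", the first
# uncommented occurrence wins, and an unset keyword defaults to "2,1".

# Print the effective Protocol value for the sshd_config given as $1.
effective_protocol() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and commented lines
        tolower($1) == "protocol" {            # keywords are case-insensitive
            print $2; found = 1; exit          # first occurrence wins
        }
        END { if (!found) print "2,1" }        # assumed built-in default
    ' "$1"
}

# Succeed only when SSH1 logins are disabled, i.e. the value is exactly "2".
ssh1_disabled() {
    [ "$(effective_protocol "$1")" = "2" ]
}

# Report on a config file; defaults to the path used in the post.
report() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    if ssh1_disabled "$cfg"; then
        echo "$cfg: Protocol 2 only, SSH1 disabled"
    else
        echo "$cfg: effective Protocol is $(effective_protocol "$cfg"), SSH1 still accepted"
        return 1
    fi
}

# Constructed sample: the Protocol line is present but still commented out,
# so the assumed default applies and SSH1 remains enabled.
demo=$(mktemp)
printf '%s\n' 'Port 22' '#Protocol 2' > "$demo"
report "$demo" || true
rm -f "$demo"
```

Run `report` with no argument against the live /etc/ssh/sshd_config before restarting sshd in step 5; a non-zero status means SSH1 logins would still be accepted.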