[ale] Stumbled Re: Simple steps

J.M. Taylor jtaylor at onlinea.com
Wed Sep 17 12:03:29 EDT 2003


This one has bitten me on remote boxen more than once.

Here's what I do after I build/make install on a remote machine:
1) ps -ef |grep sshd
  should show a root process and me logged in (privsep makes this really
easy)
   root      1234     1  0 Sep16 ?        00:00:00 /usr/local/sbin/sshd
   root      4444  1234  0 12:20 ?        00:00:00 sshd: skippy [priv]
   skippy    4445  4444  0 12:20 ?        00:00:00 sshd: skippy@pts/0

2) kill 1234
   this will leave you logged into the machine but kill the daemon
listening for new connections.

3) start the new sshd  (as root: /usr/local/sbin/sshd)

4) from a remote machine, do
   ssh -v -l skippy my.patched.machine

5) the -v flag will do a verbose connection, and you should see the
version of openssh you're connecting with, as well as what version you're
connecting to.

6) If the version of sshd is the right one, and if you can log in and move
about happily, then all is well and upgrade is complete.


When I'm *really* paranoid about this, I fire up the old sshd on a
different port (cp /usr/local/sbin/sshd /usr/local/sbin/sshd.old;
/usr/local/sbin/sshd.old -p 2222)
then I log in on the *old* daemon on port 2222 and do steps 1 - 6 above.

HTH
jenn





John Mills said:
> Jim, ALErs -
>
> OUCH!
>
> On 17 Sep 2003, Jim Popovitch wrote:
>
>> On Wed, 2003-09-17 at 11:04, John Mills wrote:
>>
>> > 5. Now start the new animal:
>> >  # cd /etc/rc.d/init.d
>> >  # ./sshd stop
>> >  # ./sshd start
>
> I had a local login and didn't think about this. A (slightly) better
> idea would have been:
>  # ./sshd restart
>
> BUT this assumes the new configuration _will_ run, else you're in the
> same soup.
>
> How do we do what we probably want?
>
> 1. Login to old 'sshd' (easy)
> 2. Ensure the new 'sshd' is viable, and only then install it (???)
> 3. Kill the old 'sshd', keeping our session alive (easy, I think)
> 4. Start the new 'sshd' and start a new session through it (easy, I think)
> 4b. If the new one isn't a "keeper", fix it from the old session (depends)
> 5. Kill the old session (easy)
>
> What should step (2) be?
>
> TIA.
>
>> WARNING: "Danger Will Robinson!"
>>
>> I did something similar to this on a remote box yesterday, not knowing
>> that the sshd startup script had changed from "kill $PID" to "killall
>> $SSHD".  The prior had previously killed just the server daemon, the
>> latter killed all running instances... including the one I was using at
>> the time.  The end result is that I now have an orphaned box out there
>> in the wild.  Looking on the bright side, it is no longer susceptible
>> to openssh bugs.  ;)
>
> I don't see this any differently if you update from an rpm.
>
>  - John Mills
>    john.m.mills at alum.mit.edu
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
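
Added example, not part of the original thread: a shell sketch of the "kill only the listener" step, which picks the listening sshd out of `ps -ef` by its command column so per-session processes are never signalled (the failure mode of `killall`). The sample listing is constructed from the one in the post; `replace_listener` is a hypothetical helper and assumes the installed sshd supports the `-t` configuration test.

```shell
#!/bin/sh
# Added example (not from the thread): separate the listening sshd from the
# per-session sshd processes in `ps -ef` output before replacing the daemon.

# Constructed sample, modelled on the listing in the post plus a fallback
# daemon started on port 2222.
SAMPLE_PS='root      1234     1  0 Sep16 ?        00:00:00 /usr/local/sbin/sshd
root      4444  1234  0 12:20 ?        00:00:00 sshd: skippy [priv]
skippy    4445  4444  0 12:20 ?        00:00:00 sshd: skippy@pts/0
root      5555     1  0 12:25 ?        00:00:00 /usr/local/sbin/sshd.old -p 2222'

# listener_pids BINARY: read `ps -ef` on stdin and print the PIDs whose command
# (field 8) is exactly BINARY. Session processes retitle themselves to
# "sshd: user ...", so field 8 is "sshd:" for them and they never match.
listener_pids() {
    awk -v bin="$1" '$8 == bin { print $2 }'
}

# session_pids: PIDs of the per-connection processes, i.e. the ones that must
# survive the upgrade so the current login stays usable.
session_pids() {
    awk '$8 == "sshd:" { print $2 }'
}

# replace_listener BINARY (hypothetical helper): check the new binary and its
# config first, then signal only the listener PIDs and start the new daemon.
# BINARY must be an absolute path; run as root from an existing session.
replace_listener() {
    bin=$1
    pids=$(ps -ef | listener_pids "$bin")
    [ -n "$pids" ] || { echo "no listener found for $bin" >&2; return 1; }
    # Assumption: this sshd supports -t (test config and keys, then exit).
    "$bin" -t || { echo "new sshd fails its self-test; old listener left running" >&2; return 1; }
    # $pids is deliberately unquoted: one argument per PID.
    kill $pids && "$bin"
}
```

After `replace_listener /usr/local/sbin/sshd` returns, the check from a second machine is still the `ssh -v` login described in the post.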




