[ale] Remote SSH update - question from the cursed

Charles Shapiro charles.shapiro at nubridges.com
Fri Jun 28 10:30:18 EDT 2002


I've been doing a fair amount of OpenSSH stuff lately.  You can set
separate instances of sshd up to run on different ports with different
IDs. We accomplish it here by running two different instances of sshd
from two different scripts in /etc/init.d and /etc/rc3.d, using the "-f"
option to point them at different configuration files containing
different key directories and ports. If you use different ID files for
the different instances, of course, your client will go nuts and refuse
to connect if you hit the wrong port with it -- a minor inconvenience.

If you're outside a firewall which won't let you talk over anything but
port 22, that approach is of limited value. The only thing I can suggest
in that case is an rpm install script tested thoroughly on your home
box, then run with at(1) on the target machine. Pressing that final
<enter> key will take some cojones.

The OpenSSH suite is very kewl. Buy some posters or T-shirts from the
website to support 'em. http://openssh.org

-- CHS


On Fri, 2002-06-28 at 09:51, jenn at colormaria.com wrote:
> In most places I consider myself a reasonably competent systems admin,
> but when it comes to updating SSH (my *only* way onto most of my
> machines) I get so nervous I invariably screw it up and lock myself out
> of my machines. I live 250 miles away from most of my machines, and 700
> miles away from others.  Screwing up is a big deal.
> 
> So.  Two questions.  One, does this procedure make sense and is there a
> shorter way to do it:
> 1) open port on firewall
> 2) copy /usr/sbin/sshd to /usr/sbin/sshd_old, copy config files
> 3) run sshd_old with the copied config file on a different port
> 4) log in on different port
> 5) install new ssh to standard place, restart server, etc
> 6) close down alt sshd after verifying log in on new sshd
> 
> Two:
> I'm now in a situation where I have to manage machines that sit behind
> a very restrictive fw that I don't have control over, and it would take
> weeks to get another port opened.  Obviously above steps would fail.
> I've never been able to just make install over a running sshd, I assume
> one is not supposed to do such things.  Help??
> 
> TIA,
> jenn,
> cursed
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 

