[ale] Remote SSH update - question from the cursed

Jerry Z. Yu z.yu at voicecom.com
Fri Jun 28 11:44:58 EDT 2002


	Depends on the firewall; you may be able to sneak thru another 
open port, temporarily. 

	Charles's suggestion is very valuable: QA thoroughly on a similar 
box (ideally a replica, if you have the time and resources. I usually do a 
replica using a full backup, for complicated or critical upgrades).

	Another one is to have the old RPMs readily available 
(openssh-old-version.rpm) side by side with the new RPM packages, on
the same machine. nohup a script to reinstate the old RPM in an hour or 
so, in case you can't get back in thru the new SSH to disable this 
roll-back script. This goes for personal firewall upgrades, or any other 
potential self-inflicted DoS attack :-)

	Again, Charles's QA-it-first idea is essential to lessen the pain.

On 28 Jun 2002, Charles Shapiro wrote:

#I've been doing a fair amount of openSSH stuff lately.  You can set
#separate instances of sshd up to run on different ports with different
#IDs. We accomplish it here by running two different instances of sshd
#from two different scripts in /etc/init.d and /etc/rc3.d, using the "-f"
#option to point them at different configuration files containing
#different key directories and ports. If you use different ID files for
#the different instances, of course, your client will go nuts and refuse
#to connect if you hit the wrong port with it -- a minor inconvenience.
#
#If you're outside a firewall which won't let you talk over anything but
#port 22, that approach is of limited value. The only thing I can suggest
#in that case is an rpm install script tested thoroughly on your home
#box, then run with at(1) on the target machine. Pressing that final
#<enter> key will take some cojones.
#
#The openSSH suite is very kewl. Buy some posters  or T-shirts from the
#website to support 'em. http://openssh.org 
#
#-- CHS
#
#
#On Fri, 2002-06-28 at 09:51, jenn at colormaria.com wrote:
#> In most places I consider myself a reasonably competent systems admin,
#> but when it comes to updating SSH (my *only* way onto most of my
#> machines) I get so nervous I invariably screw it up and lock myself out
#> of my machines. I live 250 miles away from most of my machines, and 700
#> miles away from others.  Screwing up is a big deal.
#> 
#> So.  Two questions.  One, does this procedure make sense and is there a
#> shorter way to do it:
#> 1) open port on firewall
#> 2) copy /usr/sbin/sshd to /usr/sbin/sshd_old, copy config files
#> 3) run sshd_old with the copied config file on a different port
#> 4) log in on different port
#> 5) install new ssh to standard place, restart server, etc
#> 6) close down alt sshd after verifying log in on new sshd
#> 
#> Two:
#> I'm now in a situation where I have to manage machines that sit behind
#> a very restrictive fw that I don't have control over, and it would take
#> weeks to get another port opened.  Obviously above steps would fail.
#> I've never been able to just make install over a running sshd, I assume
#> one is not supposed to do such things.  Help??
#> 
#> TIA,
#> jenn,
#> cursed
#> 
#> 
#> 
#
#

Jerry Z. Yu					+1-404-487-8544 (O)
systems engineer				z.yu at voicecom.com
is support, voicecom, llc			www.voicecom.com


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
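The two ideas in this thread (Charles's second sshd on an alternate port via "-f", and Jerry's nohup'd script that reinstates the old package unless you disable it) combined into one script, as an added example that is not from any poster on the list. The arm file path, delay, saved-RPM path, alternate port and the exact rollback command are placeholders for whatever your own system uses.

```shell
#!/bin/sh
# Added example (not from the thread): a dead-man's-switch around a remote
# sshd upgrade, plus a helper for running a second sshd on an alternate port.
#
# Placeholders/assumptions: ARM_FILE, ROLLBACK_DELAY, ROLLBACK_CMD, the saved
# package path and the alternate port are invented for illustration.

ARM_FILE="${ARM_FILE:-/var/run/sshd-upgrade.armed}"   # present while armed
ROLLBACK_DELAY="${ROLLBACK_DELAY:-3600}"                # seconds until rollback
# Whatever reinstates the known-good daemon on your system; this follows the
# thread's idea of keeping the old RPM next to the new one (path is assumed).
ROLLBACK_CMD="${ROLLBACK_CMD:-rpm -Uvh --oldpackage /root/openssh-old-version.rpm && service sshd restart}"

# Run the rollback only if nobody disarmed the switch. Returns 0 when it
# rolled back, 1 when the upgrade had been confirmed (flag file removed).
rollback_if_armed() {
    if [ -e "$ARM_FILE" ]; then
        echo "no confirmation within ${ROLLBACK_DELAY}s: reinstating old sshd"
        eval "$ROLLBACK_CMD"
        return 0
    fi
    echo "upgrade confirmed; rollback cancelled"
    return 1
}

# Arm the switch BEFORE touching sshd. The timer runs in a subshell that
# ignores SIGHUP, so it survives the login session dying mid-upgrade.
arm_rollback() {
    : > "$ARM_FILE"
    ( trap '' HUP; sleep "$ROLLBACK_DELAY"; rollback_if_armed ) \
        >/var/log/sshd-rollback.log 2>&1 &
    echo "rollback armed (pid $!); remove $ARM_FILE once you are back in"
}

# Disarm from a FRESH session over the new daemon: that login is the proof
# the upgrade worked. Do not disarm from the session you upgraded in.
disarm_rollback() {
    rm -f "$ARM_FILE"
    echo "rollback disarmed"
}

# Derive a config for a second, temporary sshd instance (the "-f" approach):
# same settings, but a different port and pid file so the two daemons do not
# collide. Host keys stay shared, so clients see no key change on either port.
make_alt_config() {
    src=$1; dst=$2; port=$3
    sed -e "s/^#*[[:space:]]*Port[[:space:]].*/Port $port/" \
        -e "s|^#*[[:space:]]*PidFile[[:space:]].*|PidFile /var/run/sshd_alt.pid|" \
        "$src" > "$dst"
    # Append the directives if the source config never mentioned them.
    grep -q "^Port $port\$" "$dst" || printf 'Port %s\n' "$port" >> "$dst"
    grep -q '^PidFile ' "$dst" || printf 'PidFile /var/run/sshd_alt.pid\n' >> "$dst"
}

# Start the fallback daemon (config is syntax-checked with -t first) so a
# second way in exists before the main sshd is replaced. Port 2222 is assumed.
start_alt_sshd() {
    make_alt_config /etc/ssh/sshd_config /etc/ssh/sshd_config.alt "${1:-2222}"
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config.alt &&
        /usr/sbin/sshd -f /etc/ssh/sshd_config.alt
}
```

Intended order of use: `start_alt_sshd` (when the firewall allows the extra port), then `arm_rollback`, then the package upgrade and restart of the main sshd, then a new login over the new daemon and `disarm_rollback` from that session; if that login never happens, the timer reinstates the old package on its own. Behind a firewall that only passes port 22, skip `start_alt_sshd` and rely on the timer alone, which is the at(1)-style approach from the thread.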