Date:      Tue, 9 Apr 2002 11:23:41 -0500
From:      "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
To:        X Philius <xphilius@yahoo.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Verifying that a security patch has done its thing...
Message-ID:  <20020409162341.GL19961@madman.nectar.cc>
In-Reply-To: <20020409151514.54994.qmail@web11808.mail.yahoo.com>
References:  <20020409151514.54994.qmail@web11808.mail.yahoo.com>

On Tue, Apr 09, 2002 at 08:15:14AM -0700, X Philius wrote:
> 1. How do I verify that the patch did what it was supposed to do? My
> understanding is that this will not update the version flag of OpenSSH,
> and so other than making sure that the patch and install etc run
> without error, how do I make sure everything is cool? 

There is nothing special to do to verify that the patch was installed.
Either you applied the patch, recompiled, and reinstalled, or you
didn't.
 
> 2. The security notice did not really say what I needed to do to make
> sure that the new version of sshd was loaded in to memory after the
> install.

Yes, that was an oversight that we hope to avoid in the future.

> On my dev machine I just rebooted (the brute force method!)
> I'd rather not do the same on my prod machine. Can I run a "kill -1" on
> the process while logged in via SSH? My instincts tell me that would
> log me out.

You can terminate the master SSH process without affecting your
currently active SSH sessions.  The PID of the master process is
probably in /var/run/sshd.pid.  You might also use `sockstat' to
determine which process is listening --- look for the wildcard address
`*:*' in the rightmost column.

> Do I need to be local on the machine and run a "kill -1",
> or do I have to actually stop sshd entirely and then restart it to load
> the new binary? Truth to tell, I can reboot my prod machine as well,
> but I am practicing for a day when my server is co-lo'ed elsewhere and
> not available for local log ins!

OpenSSH sshd responds to the HUP signal by exec'ing itself, so this
should be sufficient.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

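The procedure the reply describes, as an added example that is not part of the original thread: pick out the master sshd listener by the wildcard foreign address `*:*`, cross-check it against /var/run/sshd.pid, and only then send HUP so sshd re-execs the new binary while per-session children (which show a concrete peer address) are left untouched. It assumes FreeBSD sockstat(1) column layout and its `-l` (listening sockets) flag; the sockstat sample is constructed.

```shell
# Added example (not from the original thread). Assumes FreeBSD sockstat(1)
# output: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Print the PID of the sshd process listening on the given port (default 22).
# The master has foreign address `*:*`; session children have a real peer.
listener_pid() {
    port="${1:-22}"
    awk -v port="$port" '
        $2 == "sshd" && $NF == "*:*" && $(NF-1) ~ (":" port "$") { print $3; exit }
    '
}

# Constructed sockstat sample: one master listener (PID 345, IPv4 and IPv6)
# and one per-session child (PID 1234) connected to a client.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       345   3  tcp4   *:22                  *:*
root     sshd       345   4  tcp6   *:22                  *:*
root     sshd       1234  5  tcp4   192.168.1.5:22        192.168.1.10:50422'

# Return 0 when the pidfile and sockstat name the same master PID.
# $1 = pidfile contents, $2 = listener PID derived from sockstat
same_master() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live procedure: HUP the master only when both sources agree, then confirm
# the same PID is still bound (sshd exec's itself, so the PID does not change).
reload_sshd() {
    pidfile_pid=$(cat /var/run/sshd.pid 2>/dev/null)
    sock_pid=$(sockstat -l | listener_pid 22)
    if ! same_master "$pidfile_pid" "$sock_pid"; then
        echo "pidfile ($pidfile_pid) and sockstat ($sock_pid) disagree; not signalling" >&2
        return 1
    fi
    kill -HUP "$sock_pid"
    sleep 1
    [ "$(sockstat -l | listener_pid 22)" = "$sock_pid" ]
}

# Touch the live system only when asked; otherwise demonstrate the parse
# on the constructed sample (prints 345).
if [ "${1:-}" = "--reload" ]; then
    reload_sshd
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listener_pid 22
fi
```

Run it as `sh reload-sshd.sh --reload` over your existing SSH session; that session stays up because only the master is signalled, and a non-zero exit means the two PID sources disagreed and nothing was sent.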