From owner-freebsd-security Tue Apr 9 9:23:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 618D537B41E for ; Tue, 9 Apr 2002 09:23:42 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id E82EA4F; Tue, 9 Apr 2002 11:23:41 -0500 (CDT)
Received: (from nectar@localhost) by madman.nectar.cc (8.11.6/8.11.6) id g39GNfc48733; Tue, 9 Apr 2002 11:23:41 -0500 (CDT) (envelope-from nectar)
Date: Tue, 9 Apr 2002 11:23:41 -0500
From: "Jacques A. Vidrine"
To: X Philius
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Verifying that a security patch has done it's thing...
Message-ID: <20020409162341.GL19961@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine", X Philius, freebsd-security@FreeBSD.ORG
References: <20020409151514.54994.qmail@web11808.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020409151514.54994.qmail@web11808.mail.yahoo.com>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Apr 09, 2002 at 08:15:14AM -0700, X Philius wrote:
> 1. How do I verify that the patch did what it was supposed to do? My
> understanding is that this will not update the version flag of OpenSSH,
> and so other than making sure that the patch and install etc run
> without error, how do I make sure everything is cool?

There is nothing special to do to verify that the patch was installed.
Either you applied the patch, recompiled, and reinstalled, or you didn't.

> 2. The security notice did not really say what I needed to do to make
> sure that the new version of sshd was loaded in to memory after the
> install.

Yes, that was an oversight that we hope to avoid in the future.

> On my dev machine I just rebooted (the brute force method!)
> I'd rather not do the same on my prod machine. Can I run a "kill -1" on
> the process while logged in via SSH? My instincts tell me that would
> log me out.

You can terminate the master SSH process without affecting your
currently active SSH sessions. The PID of the master process is
probably in /var/run/sshd.pid. You might also use `sockstat' to
determine which process is listening --- look for the wildcard address
`*:*' in the rightmost column.

> Do I need to be local on the machine and run a "kill -1",
> or do I have to actually stop sshd entirely and then restart it to load
> the new binary? Truth to tell, I can reboot my prod machine as well,
> but I am practicing for a day when my server is co-lo'ed elsewhere and
> not available for local log ins!

OpenSSH sshd responds to the HUP signal by exec'ing itself, so this
should be sufficient.

Cheers,
--
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME           .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net      .  nectar@FreeBSD.org  .          nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
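The procedure in the reply above (find the master sshd via the pid file, cross-check it against the `sockstat` listener whose foreign address is `*:*`, then send HUP so sshd re-execs the freshly installed binary) as an added POSIX sh example; this is not code from the thread or from FreeBSD. It assumes FreeBSD-style `sockstat` column layout and the `/var/run/sshd.pid` path named in the reply; the sample `sockstat` text and PIDs are constructed for offline testing, and the reload only sends the signal when `DO_IT=1` is set.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumes FreeBSD-style `sockstat` output and /var/run/sshd.pid.

# Constructed sample in the shape of `sockstat -4 -l` output (not real data).
# Only the first row is a listener: its FOREIGN ADDRESS is the wildcard "*:*".
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       48201 3  tcp4   *:22                  *:*
root     sshd       48377 4  tcp4   10.0.1.111:22         10.0.1.5:51234
xphil    sshd       48378 4  tcp4   10.0.1.111:22         10.0.1.5:51234'

# Read sockstat-style text on stdin; print the PID of every sshd row whose
# rightmost column is "*:*" (the master/listening process, per the reply).
listener_pids() {
    awk '$2 == "sshd" && $NF == "*:*" { print $3 }'
}

# Return 0 when PID $1 appears among the listeners in the sockstat text $2.
# Used to refuse to signal a per-session sshd child by mistake.
pidfile_matches_listener() {
    pf="$1"
    printf '%s\n' "$2" | listener_pids | grep -qx "$pf"
}

# Ask the master sshd to re-exec itself. HUP keeps the PID and leaves
# established sessions alone, so the check afterwards expects the same PID
# still listening. Dry-run unless DO_IT=1 (hypothetical knob for this example).
reload_sshd() {
    pidfile="${1:-/var/run/sshd.pid}"
    [ -r "$pidfile" ] || { echo "no readable $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    live=$(sockstat -4 -l 2>/dev/null)
    if ! pidfile_matches_listener "$pid" "$live"; then
        echo "PID $pid from $pidfile is not the listening sshd; refusing" >&2
        return 1
    fi
    if [ "${DO_IT:-0}" = 1 ]; then
        kill -HUP "$pid" || return 1
        sleep 1
        # After re-exec the master should still be listening under the same PID.
        pidfile_matches_listener "$pid" "$(sockstat -4 -l 2>/dev/null)" \
            || { echo "sshd $pid no longer listening after HUP" >&2; return 1; }
        echo "sshd $pid re-exec'd and still listening"
    else
        echo "would send HUP to sshd master $pid (set DO_IT=1 to do it)"
    fi
}
```

Run it as `sh reload.sh` for the dry run on a live box; the `pidfile_matches_listener` guard is the point: it ties the pid file to what is actually bound on port 22 before anything is signalled, so a stale pid file cannot send HUP to an unrelated process.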