Date:      26 Jun 2002 14:00:05 +0000
From:      Wayne Pascoe <freebsd@penguinpowered.org.uk>
To:        Lord Raiden <raiden23@netzero.net>
Cc:        FreeBDS-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Upcoming OpenSSH vulnerability (fwd)
Message-ID:  <m21yau6syi.fsf@set.ehsrealtime.com>
In-Reply-To: <4.2.0.58.20020626084404.00a02470@pop.netzero.net>
References:  <20020625232606.C381@fishballoon.dyndns.org> <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org> <20020625205928.GA50230@happy-idiot-talk.infracaninophi> <20020625232606.C381@fishballoon.dyndns.org> <4.2.0.58.20020626084404.00a02470@pop.netzero.net>

Lord Raiden <raiden23@netzero.net> writes:

> changes.  I just did the upgrade to 3.3p1 because of the security

Don't forget to ensure that privilege separation is enabled. The
vulnerability is only stopped by this.

> vulnerability but haven't restarted the server because it was late and
> because last time I did the upgrade I screwed something up bad enough
> I had to reboot to clear it.  (*shrug* Hey, even top admins screw up
> once in a while.  hehe)

I normally do the following:
Backup my old copy of /etc/ssh/sshd_config
Copy my new and shiny config to /etc/ssh/sshd_config 
Start a new service on port 2222 by doing
/usr/local/sbin/sshd -p2222 -f /etc/ssh/sshd_config
Then from my workstation, I ssh into this new daemon and check that it
is the new version and all is healthy by doing
ssh -v -p2222 boxname

Check the output of -v to make sure versions are correct, etc.

Then once connected to port 2222 I kill the binary listening on port
22. Do a ps auxww | grep sshd and kill the one WITHOUT -p2222 in the
command line :)

Start a new ssh daemon on port 22 by doing 
/usr/local/sbin/sshd -f /etc/ssh/sshd_config

Login to this and kill the daemon on port 2222. 

Edit my rc.conf file if required to specify sshd_program and
sshd_flags arguments.

>  >> /usr/local/etc/ssh/ssh{,d}_config exists, not being replaced!
>  >> If this is left over from another version of SSH, you will
>  >> need to update it to work with OpenSSH.
> 
> 	Now, can I assume that it's safe to ignore that, or should I
> do something to correct that and reinstall?
 
You shouldn't ignore it. Chances are that there are new directives in
the new config file (like the privilegeseparation one for example)
that you will need. I would suggest looking in the
openssh-portable/work/* directories for a sample config file and
tailoring that to match your original one, but with any new features
that you need.

HTH.

-- 
- Wayne Pascoe  -  http://www.penguinpowered.org.uk/wayne/
    Things fall apart; the centre cannot hold;
    Mere anarchy is loosed upon the world. 
    - Yeats
    

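The "start a second sshd on 2222, verify it, then swap" procedure above, as an added shell example that is not part of Wayne's post: three small checks (privilege separation explicitly on, which sshd is the old port-22 listener, what version the new daemon reports) run over constructed sample output, which is assumed here and was not captured from his box.

```shell
#!/bin/sh
# Added example, not part of the original post: helper checks for the
# "start a second sshd on 2222, verify it, then swap" procedure above.
# All inputs below are constructed samples standing in for live output.

# Does an sshd_config (on stdin) explicitly enable privilege separation?
# sshd_config keywords are case-insensitive and the first occurrence of a
# keyword wins; a missing directive is reported as "not confirmed".
privsep_enabled() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' \
        | grep -qx yes
}

# From "ps auxww" output on stdin, print the PID(s) of sshd master
# listeners that were NOT started with -p2222, i.e. the old port-22
# daemon.  Per-connection children ("sshd: user [priv]") are skipped.
old_sshd_pids() {
    awk '/\/sshd( |$)/ && !/-p2222/ { print $2 }'
}

# From "ssh -v" output on stdin, print the remote software version so
# the operator can confirm the daemon on 2222 really is the new one.
remote_version() {
    sed -n 's/.*remote software version \([^ ]*\).*/\1/p' | head -n 1
}

# ---- constructed sample data (not real captures) ---------------------
SAMPLE_CONF='Port 22
Protocol 2
UsePrivilegeSeparation yes'

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 211 0.0 0.5 2900 1700 ?? Is 9:00AM 0:00.10 /usr/sbin/sshd
root 4821 0.0 0.6 3100 1900 ?? Is 10:12AM 0:00.02 /usr/local/sbin/sshd -p2222 -f /etc/ssh/sshd_config
root 4830 0.0 0.6 3200 2000 ?? S 10:13AM 0:00.03 sshd: wayne [priv]'

SAMPLE_SSHV='debug1: Connecting to boxname port 2222.
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3p1
debug1: match: OpenSSH_3.3p1 pat OpenSSH*'

# Stand-alone run: prints what each check found on the samples.
printf '%s\n' "$SAMPLE_CONF" | privsep_enabled && echo "privsep: yes" \
    || echo "privsep: NOT confirmed"
echo "old port-22 sshd pid(s): $(printf '%s\n' "$SAMPLE_PS" | old_sshd_pids)"
echo "new daemon version: $(printf '%s\n' "$SAMPLE_SSHV" | remote_version)"
```

On a live box, feed the real file and the real `ps auxww` / `ssh -v -p2222 boxname` output into the same functions before killing anything.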