From owner-freebsd-questions Wed Jun 26 5:56:17 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from clientmail.ehsrealtime.com (eris.ehsrealtime.com [213.52.146.130]) by hub.freebsd.org (Postfix) with ESMTP id 355C137B405 for ; Wed, 26 Jun 2002 05:56:10 -0700 (PDT)
Received: from set.ehsrealtime.com ([213.52.146.197]) by clientmail.ehsrealtime.com with esmtp (Exim 3.33 #2) id 17NCKt-000JB1-01; Wed, 26 Jun 2002 13:55:51 +0100
Received: from waynep by set.ehsrealtime.com with local (Exim 3.34 #1) id 17NDL3-0000JJ-00; Wed, 26 Jun 2002 14:00:05 +0000
From: Wayne Pascoe
To: Lord Raiden
Cc: FreeBSD-Questions
Subject: Re: Upcoming OpenSSH vulnerability (fwd)
References: <20020625232606.C381@fishballoon.dyndns.org> <5.1.1.6.2.20020624224948.02923518@pop3s.schulte.org> <20020624234646.G22328-100000@mail.radzinschi.com> <4.2.0.58.20020625134233.009992b0@pop.netzero.net> <5.1.1.6.2.20020625124040.041c50f0@pop3s.schulte.org> <20020625205840.B381@fishballoon.dyndns.org> <20020625205928.GA50230@happy-idiot-talk.infracaninophi> <20020625232606.C381@fishballoon.dyndns.org> <4.2.0.58.20020626084404.00a02470@pop.netzero.net>
Date: 26 Jun 2002 14:00:05 +0000
In-Reply-To: <4.2.0.58.20020626084404.00a02470@pop.netzero.net>
Message-ID:
Lines: 57
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Lord Raiden writes:

> changes. I just did the upgrade to 3.3p1 because of the security

Don't forget to ensure that privilege separation is enabled. The
vulnerability is only stopped by this.

> vulnerability but haven't restarted the server because it was late and
> because last time I did the upgrade I screwed something up bad enough
> I had to reboot to clear it. (*shrug* Hey, even top admins screw up
> once in a while. hehe)

I normally do the following:

Back up my old copy of /etc/ssh/sshd_config

Copy my new and shiny config to /etc/ssh/sshd_config

Start a new service on port 2222 by doing
/usr/local/sbin/sshd -p2222 -f /etc/ssh/sshd_config

Then from my workstation, I ssh into this new daemon and check that it
is the new version and all is healthy by doing
ssh -v -p2222 boxname

Check the output of -v to make sure versions are correct, etc.

Then once connected to port 2222 I kill the binary listening on port 22.
Do a ps auxww | grep sshd and kill the one WITHOUT -p2222 in the
command line :)

Start a new ssh daemon on port 22 by doing
/usr/local/sbin/sshd -f /etc/ssh/sshd_config

Log in to this and kill the daemon on port 2222.

Edit my rc.conf file if required to specify sshd_program and sshd_flags
arguments.

> >> /usr/local/etc/ssh/ssh{,d}_config exists, not being replaced!
> >> If this is left over from another version of SSH, you will
> >> need to update it to work with OpenSSH.
>
> Now, can I assume that it's safe to ignore that, or should I
> do something to correct that and reinstall?

You shouldn't ignore it. Chances are that there are new directives in
the new config file (like the privilegeseparation one for example) that
you will need. I would suggest looking in the openssh-portable/work/*
directories for a sample config file and tailoring that to match your
original one, but with any new features that you need.

HTH.

--
- Wayne Pascoe - http://www.penguinpowered.org.uk/wayne/
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world. - Yeats

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
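The port-2222 swap procedure described in the message above, written out as shell functions. This is an added example and not Wayne's script; it also adds the check the message insists on, that UsePrivilegeSeparation is actually turned on in the new config before the daemon is started. The sshd and sshd_config paths are the ones from the message; the function names, the `sshd -t` config-test step, and the sample `ps auxww` text are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): the start-on-2222, verify,
# replace-port-22, stop-2222 sequence as functions, with a guard that the
# new config enables privilege separation, which the mail says is what
# actually stops the vulnerability. Paths come from the mail; everything
# else here is an assumption of this example.

SSHD=${SSHD:-/usr/local/sbin/sshd}
CONF=${CONF:-/etc/ssh/sshd_config}
TMPPORT=2222

# privsep_enabled FILE: succeeds only if an uncommented
# "UsePrivilegeSeparation yes" line is present in FILE.
privsep_enabled() {
    grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+yes[[:space:]]*$' "$1"
}

# old_listener_pids PS_TEXT: from `ps auxww` output (FreeBSD layout, COMMAND
# is field 11), print the PIDs of sshd listeners whose command line does not
# carry -p$TMPPORT. Session children appear as "sshd: user@tty" (note the
# colon), so they do not match /sshd$/ and open sessions are left alone.
old_listener_pids() {
    printf '%s\n' "$1" | awk -v port="-p$TMPPORT" '
        $11 ~ /sshd$/ && index($0, port) == 0 { print $2 }'
}

# Step 1: refuse to proceed without privsep, syntax-check the config
# (sshd -t), then start the temporary daemon on the alternate port.
start_tmp_sshd() {
    privsep_enabled "$CONF" || {
        echo "refusing: $CONF lacks 'UsePrivilegeSeparation yes'" >&2
        return 1
    }
    "$SSHD" -t -f "$CONF" || return 1
    "$SSHD" -p"$TMPPORT" -f "$CONF" || return 1
    echo "now, from another host: ssh -v -p$TMPPORT $(hostname)  (check the version banner)"
}

# Step 2: run only while logged in through port $TMPPORT. Kills the old
# port-22 listener(s) and starts the new binary on port 22.
replace_port22_sshd() {
    pids=$(old_listener_pids "$(ps auxww)")
    if [ -n "$pids" ]; then kill $pids; fi
    "$SSHD" -f "$CONF"
}

# Step 3: run only after a fresh login on port 22 has succeeded.
stop_tmp_sshd() {
    pids=$(ps auxww | awk -v port="-p$TMPPORT" '
        $11 ~ /sshd$/ && index($0, port) > 0 { print $2 }')
    if [ -n "$pids" ]; then kill $pids; fi
}

# Constructed `ps auxww` sample used to exercise old_listener_pids offline:
# one old listener (312), the temporary one (8123), two session processes.
PS_SAMPLE='USER     PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root     312  0.0  0.4 2904 1780  ??  Is   Tue10AM 0:00.05 /usr/sbin/sshd
root    8123  0.0  0.5 3100 1900  ??  Is    1:55PM 0:00.01 /usr/local/sbin/sshd -p2222 -f /etc/ssh/sshd_config
root    8130  0.0  0.6 3400 2300  ??  S     1:56PM 0:00.02 sshd: waynep [priv]
waynep  8131  0.0  0.6 3400 2300  ??  S     1:56PM 0:00.01 sshd: waynep@ttyp1
root     201  0.0  0.2 1200  800  ??  Is   Tue10AM 0:00.01 /usr/sbin/syslogd -s'

case "${1:-}" in
    start)   start_tmp_sshd ;;
    replace) replace_port22_sshd ;;
    stop)    stop_tmp_sshd ;;
    check)   old_listener_pids "$PS_SAMPLE" ;;   # prints 312 for the sample
esac
```

Run the three steps as `sh swap.sh start`, `sh swap.sh replace` and `sh swap.sh stop`, each from the session the message says you should be in at that point. The listener match deliberately keys on the command field rather than on `grep sshd`, so that the `sshd: user@tty` session processes for people already logged in are never in the kill list.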