[ale] Remote SSH update - question from the cursed

James P. Kinney III jkinney at localnetsolutions.com
Fri Jun 28 13:09:52 EDT 2002


Jerry,

I REALLY like that nohup'ed script idea for a roll back unless canceled.
That has just been added to my box of tricks for remote firewall work.

Great suggestion!!

On Fri, 2002-06-28 at 11:44, Jerry Z. Yu wrote:
> 	depends on the firewall, you may be able to sneak thru other 
> opening port, temporarily. 
> 
> 	Charles's suggestion is very valuable: QA thoroughly on a similar 
> box (ideally, a replica if you have the time and resource. I usually do a 
> replica using full backup, for complicated or critical upgrades )	
> 
> 	Another one is to have the old RPMs readily available 
> (openssh-old-version.rpm) side by side with the new RPM packages, on
> the same machine. nohup a script to reinstate the old RPM in an hour or 
> so, in case you can't get back in thru the new SSH to disable this 
> roll-back script. This goes for personal firewall upgrade, or any other 
> potential self-inflicted DoS attack :-)
> 
> 	again, Charles's QA-it-first idea is essential to lessen the pain.
> 
> On 28 Jun 2002, Charles Shapiro wrote:
> 
> #I've been doing a fair amount of openSSH stuff lately.  You can set
> #separate instances of sshd up to run on different ports with different
> #IDs. We accomplish it here by running two different instances of sshd
> #from two different scripts in /etc/init.d and /etc/rc3.d, using the "-f"
> #option to point them at different configuration files containing
> #different key directories and ports. If you use different ID files for
> #the different instances, of course, your client will go nuts and refuse
> #to connect if you hit the wrong port with it -- a minor inconvenience.
> #
> #If you're outside a firewall which won't let you talk over anything but
> #port 22, that approach is of limited value. The only thing I can suggest
> #in that case is an rpm install script tested thoroughly on your home
> #box, then run with at(1) on the target machine. Pressing that final
> #<enter> key will take some cojones.
> #
> #The openSSH suite is very kewl. Buy some posters  or T-shirts from the
> #website to support 'em. http://openssh.org 
> #
> #-- CHS
> #
> #
> #On Fri, 2002-06-28 at 09:51, jenn at colormaria.com wrote:
> #> In most places I consider myself a reasonably competent systems admin,
> #> but when it comes to updating SSH (my *only* way onto most of my
> #> machines) I get so nervous I invariably screw it up and lock myself out
> #> of my machines. I live 250 miles away from most of my machines, and 700
> #> miles away from others.  Screwing up is a big deal.
> #> 
> #> So.  Two questions.  One, does this procedure make sense and is there a
> #> shorter way to do it:
> #> 1) open port on firewall
> #> 2) copy /usr/sbin/sshd to /usr/sbin/sshd_old, copy config files
> #> 3) run sshd_old with the copied config file on a different port
> #> 4) log in on different port
> #> 5) install new ssh to standard place, restart server, etc
> #> 6) close down alt sshd after verifying log in on new sshd
> #> 
> #> Two:
> #> I'm now in a situation where I have to manage machines that sit behind
> #> a very restrictive fw that I don't have control over, and it would take
> #> weeks to get another port opened.  Obviously above steps would fail.
> #> I've never been able to just make install over a running sshd, I assume
> #> one is not supposed to do such things.  Help??
> #> 
> #> TIA,
> #> jenn,
> #> cursed
> #> 
> #> 
> #> 
> #> ---
> #> This message has been sent through the ALE general discussion list.
> #> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> #> sent to listmaster at ale dot org.
> #> 
> #
> #
> 
> Jerry Z. Yu					+1-404-487-8544 (O)
> systems engineer				z.yu at voicecom.com
> is support, voicecom, llc			www.voicecom.com
> 
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
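
Putting the thread's two ideas into one script, as an added example that is not from any of the posters above: a second sshd on an alternate port driven by a derived config (jenn's steps 2-3, Charles's "-f" approach), plus Jerry's nohup'ed rollback as a dead-man's switch that reinstates the old package unless you get back in and disarm it. The paths, the 2222 port, the one-hour delay, the RPM locations and the sentinel file are all assumptions for illustration; the self_test function exercises the switch with a harmless marker file instead of a real rollback.

```shell
#!/bin/sh
# Added example (not from the ALE thread): remote sshd upgrade helpers.
# All paths, ports, delays and package names below are assumptions.
set -u

# make_alt_sshd_config ORIG ALT PORT
# Derive a config for a spare sshd from the live one: same host keys (so the
# client sees the same identity on both ports and does not "go nuts"), but a
# different Port and PidFile so the two daemons do not collide.
make_alt_sshd_config() {
    orig=$1; alt=$2; port=$3
    # drop existing Port/PidFile lines (commented or not), then append ours
    grep -v -E '^[[:space:]]*#?[[:space:]]*(Port|PidFile)[[:space:]]' "$orig" > "$alt" || true
    printf 'Port %s\nPidFile /var/run/sshd_alt.pid\n' "$port" >> "$alt"
}

# arm_rollback DELAY_SECS SENTINEL ROLLBACK_CMD
# Start a detached watcher (nohup, so it survives the SSH session dying) that
# sleeps DELAY_SECS and then runs ROLLBACK_CMD unless SENTINEL exists.
# Prints the watcher's PID so it can also be killed outright.
arm_rollback() {
    delay=$1; sentinel=$2; cmd=$3
    rm -f "$sentinel"
    nohup sh -c '
        sleep "$1"
        [ -e "$2" ] && exit 0      # someone got back in and disarmed us
        eval "$3"                  # nobody did: put the old sshd back
    ' rollback-watch "$delay" "$sentinel" "$cmd" >/dev/null 2>&1 &
    echo $!
}

# disarm_rollback SENTINEL PID  -- the "I can log in over the new sshd" step.
# Belt and braces: create the sentinel the watcher checks AND stop the watcher.
disarm_rollback() {
    sentinel=$1; pid=$2
    touch "$sentinel"
    kill "$pid" 2>/dev/null || true
}

# Real usage on the target (assumed paths), before touching the live sshd:
#   make_alt_sshd_config /etc/ssh/sshd_config /etc/ssh/sshd_config.alt 2222
#   /usr/sbin/sshd -f /etc/ssh/sshd_config.alt    # spare door, if the firewall allows it
#   PID=$(arm_rollback 3600 /var/tmp/sshd-upgrade-ok \
#       'rpm -Uvh --oldpackage /root/openssh-old/openssh-*.rpm && /etc/init.d/sshd restart')
#   rpm -Fvh /root/openssh-new/openssh-*.rpm && sshd -t && /etc/init.d/sshd restart
#   ... log in over the NEW sshd from a second window, then:
#   disarm_rollback /var/tmp/sshd-upgrade-ok "$PID"

# self_test: exercise the switch with a one-second delay and a harmless
# "rollback" (touch a marker) in a scratch directory.
# Prints "cancelled:ok fired:ok" when both paths behave.
self_test() {
    dir=$(mktemp -d)
    # Scenario 1: we get back in and disarm -> rollback must NOT run
    pid=$(arm_rollback 1 "$dir/ok1" "touch '$dir/rolled1'")
    disarm_rollback "$dir/ok1" "$pid"
    sleep 2
    [ -e "$dir/rolled1" ] && r1=fail || r1=ok
    # Scenario 2: nobody disarms -> rollback MUST run
    arm_rollback 1 "$dir/ok2" "touch '$dir/rolled2'" >/dev/null
    sleep 2
    [ -e "$dir/rolled2" ] && r2=ok || r2=fail
    rm -rf "$dir"
    echo "cancelled:$r1 fired:$r2"
}
```

The sentinel file is there because a watcher that only checks for a kill can be defeated by a session that dies before the kill is sent; checking a file the operator touches on the way in makes the "I am back" signal survive a dropped connection. Run `sshd -t` on the new binary before restarting so a config the new version rejects does not become the self-inflicted DoS the thread warns about.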