
Re: Upgrade OpenSSH

 
Joe Despres
Advisor

Upgrade OpenSSH

What is the safest method to upgrade OpenSSH to 3.4 on production systems that actively use ssh? This is being done due to the latest CERT advisory.

Thanks....
Steve Steel
Honored Contributor

Re: Upgrade OpenSSH

Hi

If it's in use it won't update, so schedule time when there are no users.


For info

http://www.openssh.com/


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Joe Despres
Advisor

Re: Upgrade OpenSSH

Hmmm, let me redo this. Upgrade OpenSSH with no one on, but when they do try to connect they will succeed...

Sorry ......
Daimian Woznick
Trusted Contributor

Re: Upgrade OpenSSH

If you are upgrading the secure shell software, the best method would be to take the server down to single user mode to ensure users do not connect. Users should not be logging in while you are updating the system like this.
Steven Sim Kok Leong
Honored Contributor

Re: Upgrade OpenSSH

Hi,

During installation, because your existing sshd binary is in use, the make install (after the make) will not move the new sshd binary in place. Your existing sshd binary will continue to run.

Off the top of my head (untested), I would think that running the following in one statement will incur minimal downtime:

# /sbin/init.d/sshd stop; mv /usr/local/sbin/sshd /usr/local/sbin/sshd.old ; mv /var/sw/openssh-3.4/sshd /usr/local/sbin/sshd; /sbin/init.d/sshd start

This stops the existing daemon, replaces it, and restarts the new daemon, all in one compound statement.

Hope this helps. Regards.

Steven Sim Kok Leong
Joe Despres
Advisor

Re: Upgrade OpenSSH

Will the users need to regenerate their key pairs after the upgrade?
Steven Sim Kok Leong
Honored Contributor

Re: Upgrade OpenSSH

Hi,

As far as I can recall, the user public keys (default named id_rsa.pub or id_dsa.pub) and private keys (default named id_rsa or id_dsa) in $HOME/.ssh are not removed.

To be on the safe side, you can write a script to perform backup and restore of these keys.

Backing up the .ssh dir:

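#!/sbin/sh
# Archive every .ssh directory under /home (plain tar; despite the .gz suffix nothing is compressed)
umask 077   # the archive contains private keys: keep it readable by its owner only
cd /home
tar cvf sshkeys.tar.gz `find . -type d -name .ssh`

Restoring the .ssh dir:

#!/sbin/sh
# Unpack the saved .ssh directories back into /home
cd /home
tar xvf sshkeys.tar.gz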

Hope this helps. Regards.

Steven Sim Kok Leong
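
The backup and restore described in the last reply, as an added example that is not part of the original posts: it goes beyond the thread by recording a checksum manifest so you can confirm after the upgrade that no key file was added, removed or altered. The function names, the backup directory argument and the `--demo` switch are assumptions of this example; it also assumes a POSIX `find` and `cksum`.

```shell
#!/bin/sh
# Added example (not from the thread). Paths passed in are hypothetical;
# backup_dir must be an absolute path outside the users' .ssh directories.
# cksum catches accidental changes during the upgrade; it is not a
# cryptographic integrity check.

# Print "checksum size path" for every file inside any .ssh directory.
ssh_manifest() {
    ( cd "$1" && find . -type f -path '*/.ssh/*' -exec cksum {} + | sort -k3 )
}

# Archive all .ssh directories and record a manifest, readable by owner only.
backup_ssh_dirs() {
    home_root=$1; backup_dir=$2
    (
        umask 077                      # archive holds private keys
        mkdir -p "$backup_dir" || exit 1
        ssh_manifest "$home_root" > "$backup_dir/manifest.cksum" || exit 1
        cd "$home_root" || exit 1
        # -prune stops find descending into each .ssh once it is matched
        find . -type d -name .ssh -prune \
            -exec tar cf "$backup_dir/sshkeys.tar" {} + || exit 1
        [ -f "$backup_dir/sshkeys.tar" ]   # fails if no .ssh directory existed
    )
}

# Exit 0 only if no key file was added, removed or altered since the backup.
verify_ssh_dirs() {
    ssh_manifest "$1" | diff "$2/manifest.cksum" - >/dev/null
}

# Put the saved directories back (run as root so ownership is preserved).
restore_ssh_dirs() {
    ( cd "$1" && tar xf "$2/sshkeys.tar" )
}

# Constructed demo: two fake users with placeholder key files.
demo() {
    root=$(mktemp -d) && bak=$(mktemp -d) || return 1
    mkdir -p "$root/alice/.ssh" "$root/bob/.ssh"
    echo "constructed-private" > "$root/alice/.ssh/id_rsa"
    echo "constructed-public"  > "$root/bob/.ssh/id_dsa.pub"
    backup_ssh_dirs "$root" "$bak" && verify_ssh_dirs "$root" "$bak"
    rc=$?; rm -rf "$root" "$bak"; return $rc
}
if [ "${1:-}" = "--demo" ]; then demo && echo "keys unchanged"; fi
```

Run `backup_ssh_dirs` before replacing the sshd binary and `verify_ssh_dirs` afterwards; only fall back to `restore_ssh_dirs` if verification fails.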