Operating System - HP-UX

Upgrading OpenSSH - are keys affected?

 
dictum9
Super Advisor



I am swinstalling OpenSSH 4.4 (the version on the box is 3.5). Does this upgrade cause any downtime, or do I have to do something with the private/public keys too? Or the startup file, or where the sshd daemon is?
John Payne_2
Honored Contributor

Re: Upgrading OpenSSH - are keys affected?

I'm assuming you are talking about the HPUX Secure Shell version of OpenSSH, T1471AA, since that's what I'm running and can speak to...

The upgrade stops and starts the ssh daemon. This causes a momentary "outage" where the server is not listening for connections on port 22 (or whatever port you have ssh configured for). This is a very brief thing.

I haven't had any problems with keys getting screwed up.

If you are using the default install, your startup and location of the stuff will not change.

I haven't had any problems with the HPUX Secure Shell upgrades since back in the 3.1 days.

Hope it helps

John
Spoon!!!!
Jeff_Traigle
Honored Contributor

Re: Upgrading OpenSSH - are keys affected?

Downtime will depend on how the system is used. While the upgrade is occurring, no new connections via Secure Shell will be possible since sshd is stopped. (Existing connections remain connected, however.) So, if your users don't connect via Secure Shell (ssh, scp, sftp), then chances are they won't notice any impact.

With an upgrade that significant, the system's keys will likely be regenerated. (I think the upgrades I did from 3.61 to 4.00 a couple of years ago at a previous employer did so.) Users' keys won't be affected, however. You should be able to save the system keys (ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_key, ssh_host_key.pub, ssh_host_rsa_key, ssh_host_rsa_key.pub) and then put them back in /opt/ssh/etc if the upgrade does generate new ones. (The upgrade may even save these for you in /opt/ssh, but I don't recall for sure if it did so with the upgrades I did... and that was a few revisions ago also so things may have changed anyway.)

As for locations of start up files, config files, and binaries, the directory and file structure hasn't changed. (Note that the config files won't be changed. The new version templates are placed in /opt/ssh/newconfig/opt/ssh/etc and you'll likely need to integrate some parameters into your existing configuration because at least a couple of them have changed names and the new version may not start with the old config file as is.) Best way to find out about the changes is to read the release notes for the interim releases up to the one you're upgrading to. These can be found at:

http://docs.hp.com/en/internet.html#Secure%20Shell
--
Jeff Traigle
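
The save-and-restore of host keys described in the reply above, as an added shell sketch that is not part of the original thread. The key file names and /opt/ssh/etc come from the post; the function names and the backup directory in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example: keep sshd host keys stable across an upgrade so clients
# do not see a changed host key. File names are the ones listed in the post.
HOST_KEYS="ssh_host_key ssh_host_key.pub ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub"

# backup_host_keys SRC_DIR BACKUP_DIR
# Copy every host key that exists, preserving mode, owner and timestamps.
backup_host_keys() {
    src=$1; bak=$2
    mkdir -p "$bak" || return 1
    chmod 700 "$bak" || return 1          # backup holds private keys
    for f in $HOST_KEYS; do
        [ -f "$src/$f" ] || continue      # not every key type is present
        cp -p "$src/$f" "$bak/$f" || return 1
    done
}

# restore_changed_host_keys BACKUP_DIR DST_DIR
# After the upgrade, put back any key that is missing or differs from the
# backup. Prints the name of each restored file, one per line.
restore_changed_host_keys() {
    bak=$1; dst=$2
    for f in $HOST_KEYS; do
        [ -f "$bak/$f" ] || continue
        if ! cmp -s "$bak/$f" "$dst/$f" 2>/dev/null; then
            cp -p "$bak/$f" "$dst/$f" || return 1
            case $f in
                *.pub) chmod 644 "$dst/$f" ;;
                *)     chmod 600 "$dst/$f" ;;  # private keys: owner only
            esac
            echo "$f"
        fi
    done
}

# Usage (the backup path is an assumption, pick a root-only location):
#   backup_host_keys /opt/ssh/etc /var/tmp/ssh_hostkeys.bak    # before swinstall
#   restore_changed_host_keys /var/tmp/ssh_hostkeys.bak /opt/ssh/etc   # after
```

If any file name is printed by the restore step, restart sshd so it loads the restored keys, then remove the backup copy of the private keys.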