
[Ayuda] Upgrading SSL is nothing like upgrading SSH



Last night I had to drive to my server's console because something as
simple as this had not occurred to me:

make install && /sbin/ldconfig && /usr/local/sbin/sshd ; # inside a screen.....

Since I think this may interest several of you, I am taking the liberty
of copying the complete Slashdot discussion. (Besides, it is not that long....)

-------BEGIN SLASHDOT CLIPPING-----------------------------------------------------
Upgrading SSL is nothing like upgrading SSH (Score:5, Interesting)
by tzanger ({tzanger-sd} {at} {mixdown.org}) on Tue July 30, 11:07 (#3978586)
(User #1575 Info | http://www.mixdown.org/)

I have 18 firewalls to update (I sell these and support them, it's a nice way to supplement my income). I'm not having much luck updating them though.

So far (on 5/7 firewalls), updating the ssl libraries caused ssh to kick out. This is very much unlike upgrading ssh, where the currently running sessions would stay active and you just kill off the 'parent' sshd process and restart sshd to upgrade.

Does anyone know why upgrading the shared lib is kicking out running sessions of ssh linked against it? Short of compiling sshd statically, is there any way around this? So far all the boxes are local but I have a few that are quite a distance and short of enabling telnet with a throwaway root account or statically compiling a temporary sshd, I'm screwed. :-)

Re:Upgrading SSL is nothing like upgrading SSH (Score:1)
by Dimensio (darkstar AT iglou DOT com) on Tue July 30, 12:44 (#3979359)
(User #311070 Info)

Odd, I just updated ssl remotely via an ssh connection (compiled against the previous libs). I then recompiled ssh without problem.

Re:Upgrading SSL is nothing like upgrading SSH (Score:1)
by knuffelbeer on Tue July 30, 13:35 (#3979773)
(User #235189 Info)

> So far (on 5/7 firewalls), updating the ssl libraries caused ssh to kick out. This is very much unlike upgrading ssh, where the currently running sessions would stay active and you just kill off the 'parent' sshd process and restart sshd to upgrade.

Library upgrades may break running programs depending on the underlying OS (I noticed this on Solaris). It all depends on whether the existing library gets overwritten or gets replaced (depends on cp or install used). This probably only happens if the library version number isn't changed.

A workaround would be to move the existing library aside before you do make install. (e.g. mv libssl.so.0.9.6 libssl.so.0.9.6-OLD)

Re:Upgrading SSL is nothing like upgrading SSH (Score:1)
by Ruprickt on Tue July 30, 15:17 (#3980643)
(User #514467 Info)

Try copying the shared SSL library to another location, then start a new sshd on a different port using LD_LIBRARY_PRELOAD. Connect to this 2nd sshd and upgrade libSSL. Then just restart the regular sshd and connect, kill the 2nd sshd, and remove the copy of libssl.

Re:Upgrading SSL is nothing like upgrading SSH (Score:1)
by vph (vph at iNOkSPAMi fi) on Tue July 30, 15:51 (#3980961)
(User #24726 Info | http://www.iki.fi/vph/)

Probably your sshd fails when install overwrites libcrypto.so. And the rest of the installation is aborted. How about running installation under screen, so that installation proceeds even if the connection is terminated. Try (under screen) something like:

    make install && /sbin/ldconfig && /etc/init.d/sshd restart

And when you get kicked out, just reconnect and run screen -r...

Also older ssh versions seem to check openssl version and work only with the version they are compiled with. More recent versions do not seem to have this feature.

Re:Upgrading SSL is nothing like upgrading SSH (Score:2)
by tzanger ({tzanger-sd} {at} {mixdown.org}) on Tue July 30, 13:12 (#3979615)
(User #1575 Info | http://www.mixdown.org/)

> The deal is that the version of SSH may not support the API OpenSSL provides in the latest patched version. You may have to wait for SSH to be updated to work with the newest one.

Interesting theory but why would a simple recompile of ssh work then? If the API changed I would have thought to see compiler errors.
-------END SLASHDOT CLIPPING-------------------------------------------------------

--
Sandino Araico Sánchez
As long as crap software is considered acceptable and people who write
crap - employable, the things will be bad and job market - overcrowded.
-- Alexander Viro



_______________________________________________
Ayuda mailing list
Ayuda at linux org mx
To leave the list: http://mail.linux.org.mx/mailman/listinfo/ayuda/
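
Added example, not part of the original message or of the Slashdot thread: a shell demonstration of the overwrite-versus-replace distinction raised in knuffelbeer's comment and of the move-aside workaround. Constructed text files stand in for the old and new library builds, and an open file descriptor stands in for a running sshd that already holds the library (a real loader maps the file rather than reading it, but both refer to the inode); the names libdemo.*, inode_of and upgrade_and_read are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins: two one-line text files play the old and new builds
# of a shared library; file descriptor 3 plays a running sshd that already
# has the old library open. All names here (libdemo.*) are hypothetical.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# upgrade_and_read MODE
#   overwrite  : cp onto the existing file (same inode, contents rewritten)
#   move-aside : mv the old file away first, then install (new inode)
# Prints "<same-inode|new-inode> <bytes seen through the pre-upgrade handle>".
upgrade_and_read() {
    dir=$(mktemp -d) || return 1
    lib=$dir/libdemo.so.0.9.6
    printf 'OLD-BUILD\n' > "$lib"
    printf 'NEW-BUILD\n' > "$dir/libdemo.new"
    before=$(inode_of "$lib")
    exec 3< "$lib"                      # the "running process" opens the library
    case $1 in
        overwrite)
            cp "$dir/libdemo.new" "$lib" ;;
        move-aside)
            mv "$lib" "$lib-OLD" && cp "$dir/libdemo.new" "$lib" ;;
        *)
            exec 3<&-; rm -rf "$dir"; return 2 ;;
    esac
    after=$(inode_of "$lib")
    seen=$(cat <&3)                     # what the old handle reads now
    exec 3<&-
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then
        echo "same-inode $seen"
    else
        echo "new-inode $seen"
    fi
}

upgrade_and_read overwrite     # same-inode NEW-BUILD
upgrade_and_read move-aside    # new-inode OLD-BUILD
```

In the overwrite case the already-open handle sees the new bytes because the inode it refers to was rewritten underneath it; after the move-aside the handle still refers to the untouched old file.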


