All Forums |
Register |
Login |
Search |
Subscriptions |
My Profile |
Inbox |
Tool Warehouse |
FAQs |
Resources |
Help |
Member List |
Address Book |
Logout |
|
|
New openssh is broken
|
Logged in as: Guest |
Users viewing this topic: none |
|
Login |
|
|
New openssh is broken - Apr. 10, '06, 7:38:32 AM
|
|
|
steveh
Posts: 195
Joined: Jan. 23, '04,
Status: offline
|
After updating to the latest version of openssh mentioned here:
http://www.interopsystems.com/tools/tm.aspx?m=8669
I have the following problems:
1. rc scripts no longer work, on stop the pid is not found.
2. remote login no longer works.
I'm currently investigating #2 and will report more when I have it but wanted to left people know.
|
|
|
RE: New openssh is broken - Apr. 10, '06, 8:37:43 AM
|
|
|
steveh
Posts: 195
Joined: Jan. 23, '04,
Status: offline
|
ok #2 solved starting sshd from the cmd line doesnt seem to work. A full reboot after upgrade has restored functionaility.
|
|
|
RE: New openssh is broken - Apr. 10, '06, 12:43:13 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
For #2 were you installing as local "Administrator" or as a user in the "administrators" group ?
For #1: 'rc' scripts are usually only run at startup/boot. Which script exactly were you
trying to run and with what args?
|
|
|
RE: New openssh is broken - Apr. 10, '06, 12:55:11 PM
|
|
|
steveh
Posts: 195
Joined: Jan. 23, '04,
Status: offline
|
Administrators group.
After running the pkg_update sshd was not running so I tried to run:
/etc/rc2.d/S32sshd start
This did start but when I had issues I ran:
/etc/rc2.d/S32sshd stop
Which couldnt find the pid. Now I know the reboot cured the problem it was more than likely due to .pid file not being writeable by the current user.
A bit too used to all rc working from the command line from unix. Just one of those gotchas I suppose. Something to add the post scripts "To restore sshd you may need to reboot now!"
|
|
|
RE: New openssh is broken - Apr. 10, '06, 1:35:54 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The daemon sshd must run as local administrator.
This account has the "root" power that's needed -- no other account will do.
When the system is reboot the daemon gets started with the correct user (local administrator).
There used to be a message about rebooting. Seems to have gone AWOL. I'll add it back.
|
|
|
RE: New openssh is broken - Apr. 10, '06, 1:51:13 PM
|
|
|
steveh
Posts: 195
Joined: Jan. 23, '04,
Status: offline
|
Makes sence :)
|
|
|
RE: New openssh is broken - Apr. 18, '06, 12:22:55 PM
|
|
|
Ron
Posts: 77
Joined: May 21, '03,
Status: offline
|
To more easily restart ssh I do the following...
First set up the shutdown script for sshd (Rodney, perhaps you could get the pkg install to do this?)
Do this once:
ln -s ../init.d/sshd /etc/rc2.d/K60sshd
Then to restart ssh you would run this command twice:
kill -HUP <pid of init>
The first time will cause init to run the shutdown scripts, the second time will cause init to run the startup scripts. Tah-dah, no reboot!
< Message edited by Ron -- Apr. 18, '06, 12:25:43 PM >
|
|
|
RE: New openssh is broken - Apr. 18, '06, 12:32:36 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
Yes, I can add that.
Though it will be K68 to keep the matching location of S32.
< Message edited by Rodney -- Apr. 18, '06, 12:38:01 PM >
|
|
|
RE: New openssh is broken - Apr. 18, '06, 2:20:23 PM
|
|
|
Ron
Posts: 77
Joined: May 21, '03,
Status: offline
|
Sorry, I should have explained myself a bit more. I wouldn't make the init restart as part of a pkg_update or pkg_add since it'll also shutdown every other rc2.d process. But perhaps the user could be prompted to see if they want to go ahead with restarting init (with a big fat warning), but the default would be to not restart init.
Thanks for adding the init pid, that would be helpfull.
|
|
|
RE: New openssh is broken - Apr. 18, '06, 3:02:45 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
Agreed about init restart.
I'm pondering about extending "init" to take signal USR1 as a message
to start any new scripts that have appeared since the last "start cycle".
I'm not doing this today. Just thinking about it.
Comments welcome from anyone here or in e-mail.
This is one of those chances to influence the future of the utilities for SUA/5.2/6.0.
|
|
|
RE: New openssh is broken - Apr. 18, '06, 3:14:06 PM
|
|
|
Ron
Posts: 77
Joined: May 21, '03,
Status: offline
|
That would be neat. A more direct action may be preferable where you could specify the init.d or rc2.d script, but that may not be possible via signals.
Perhaps it should be a completly different command or script. I'm thinking of something like the 'service' script in Linux where you would:
service sshd restart
-or-
service sshd stop
service sshd start
Take note that this is different from the Interix 'service' command. And we'd probably need SUID enabled for that though.
< Message edited by Ron -- Apr. 18, '06, 3:16:27 PM >
|
|
|
RE: New openssh is broken - Apr. 18, '06, 5:09:17 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
>That would be neat. A more direct action may be preferable where you could specify the init.d or rc2.d script, but that may not be >possible via signals.
You can't do that with a signal.
|
|
|
RE: New openssh is broken - Apr. 19, '06, 10:28:06 AM
|
|
|
woehlkmp
Posts: 102
Status: offline
|
I was thinking about Ron's idea (post #12)... especially with SUA and mixed-mode applications, would it be possible to do something like this using IPC? In other words, 'initsvc sshd start' (making up a new name here since 'service' is taken) would send an IPC to init that gave it a target and an action ('sshd' and 'start', in this example).
|
|
|
RE: New openssh is broken - Apr. 19, '06, 12:42:25 PM
|
|
|
Rodney
Posts: 3714
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
|
The nice thing about a signal is that only authorized processes can send a signal
to any particular process. So a process running as "joe_user" can have signals
sent to it by joe_user and Administrator but not jane_user. The signals are also
restricted to within the machine.
IPC as an AF_INET socket is not a good idea because this could be attacked by
an external source (DoS attack). So AF_UNIX or a FIFO is best to avoid an external
attack. Could open to a local attack or unauthorized access/request if the file
permissions aren't set right (must be careful there). The data stream can have
whatever you want in it of course.
Another method would be a "drop-zone" file combined with a signal. The file has the
specific information that gets read when a special signal arrives. Still an IPC,
but different. Cron works like this.
|
|
|
New Messages |
No New Messages |
Hot Topic w/ New Messages |
Hot Topic w/o New Messages |
|
Locked w/ New Messages |
Locked w/o New Messages |
|
Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
|