Re: [gentoo-user] Re: Re: SSH won't restart
On Sunday 16 September 2007 18:01:48 Alexander Skwar wrote:
> > Key words in some circumstances.
> Like? Actually, I never found this to be true.

Never? Good for you. Grant, the original poster, would disagree (he got himself locked out due to the inability to restart sshd, BTW), and so would I, as it happened to me today and has done several times in the past (and I also got locked out, but not today, well, yesterday).

-- 
Mike Williams
-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Re: Re: SSH won't restart
Hi,

On Sun, 16 Sep 2007 22:25:07 +0200 Alexander Skwar [EMAIL PROTECTED] wrote:
> A /etc/init.d/sshd stop won't kill any SSH sessions. It'll simply [kill] the sshd master process. Because of that, additional logins won't be possible.

An /etc/init.d/sshd stop/restart can very well fail. Depending on in what state this happens, it might stop accepting connections. Typical conditions might be that relevant changes on disk occurred, e.g. PAM libraries, libc or similar libs that might dl() things. OTOH, if signal handling is broken, the KILL might traverse to the connection-handling forked child. And that's enough to kick you out. So I would definitely prefer to always have a guaranteed working sshd running (I find OpenVPN/telnet a bit strange and an unnecessary potential security hole).

You're absolutely right in that restarting immediately or delayed after logging out of all sessions doesn't matter at all. But it's wrong that it *can't* occur that you kill your current session as well. So the delay doesn't make any specific sense here. It might reduce the risk of a zombie master process of sshd, but I don't see much evidence. OTOH, you lose the possibility of fixing restart problems within the running session. So you have to weigh the risks. The real problem, however, can only be overcome by another way to log in. Firing up another instance of sshd (on a different port) is just a matter of one simple command, so I definitely prefer that.

-hwh
Re: [gentoo-user] Re: Re: SSH won't restart
Hans-Werner Hilse wrote:
> Hi,

Hi!

> So I would definitely prefer to always have a guaranteed working sshd running (I find OpenVPN/telnet a bit strange and an unnecessary potential security hole).

If running permanently, then I agree, but I do not see the potential security hole if using a correctly designed/configured tunnel.

> session. So you have to weigh the risks. The real problem, however, can only be overcome by another way to log in. Firing up another instance of sshd (on a different port) is just a matter of one simple command, so I definitely prefer that.

As long as there is no issue with the sshd binary, of course :)

-- 
Arturo Buanzo Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community in its fullest expression.
Re: [gentoo-user] Re: Re: SSH won't restart
Hi,

On Mon, 17 Sep 2007 12:56:16 -0300 Arturo 'Buanzo' Busleiman [EMAIL PROTECTED] wrote:
> > So I would definitely prefer to always have a guaranteed working sshd running (I find OpenVPN/telnet a bit strange and an unnecessary potential security hole).
> If running permanently, then I agree, but I do not see the potential security hole if using a correctly designed/configured tunnel.

I just prefer manual opening of access means above manual securing them. It's just about what happens if you fail -- when the task was securing, you might have a security leak, but if it was opening access, it is still secured. It's relatively moot, since opening access is also often error prone in the sense of opening too much. I think it's personal taste :-)

> > session. So you have to weigh the risks. The real problem, however, can only be overcome by another way to log in. Firing up another instance of sshd (on a different port) is just a matter of one simple command, so I definitely prefer that.
> As long as there is no issue with the sshd binary, of course :)

Yeah, but in that case you'd know it at that point, and it caused no other harm than preventing you from setting up that fallback sshd. You can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd that's still listening. Just remember not to do a killall sshd.

-hwh
Re: [gentoo-user] Re: Re: SSH won't restart
Hans-Werner Hilse wrote:
> I just prefer manual opening of access means above manual securing them. It's just about what happens if you fail -- when the task was securing, you might have a security leak, but if it was opening access, it is still secured. It's relatively moot, since opening access is also often error prone in the sense of opening too much. I think it's personal taste :-)

All can go wrong, always. First security motto. That's why a completely parallel, special-time-only mechanism appeals to me (and, of course, taste here is important, too!)

> Yeah, but in that case you'd know it at that point, and it caused no other harm than preventing you from setting up that fallback sshd. You can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd that's still listening. Just remember not to do a killall sshd.

Yes, of course, I fully agree. I just think that providing a couple more ideas (alternatives, if you wish, for different personal tastes! :) is good.

-- 
Arturo Buanzo Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community in its fullest expression.
[gentoo-user] Re: Re: SSH won't restart
· Mike Williams [EMAIL PROTECTED]:
> On Sunday 16 September 2007 16:40:45 Alexander Skwar wrote:
> > > openssh, in some circumstances (I believe to be openssl changing ABI), will not restart as you found. It will only not restart when it's being actively used, so you can't do so while logged in. I've just done this on a remote system and can now happily log back in, and restart ssh without issue.
> > Hm? I don't find this to be true. I often restart sshd by doing exactly /etc/init.d/sshd restart. While I'm remote logged in via SSH. I find that after having done this, new settings/versions are active.
> Key words in some circumstances.

Like? Actually, I never found this to be true.

Alexander Skwar
-- 
I hate trolls. Maybe I could metamorph it into something else -- like a ravenous, two-headed, fire-breathing dragon.
-- Willow
[gentoo-user] Re: Re: SSH won't restart
· Arturo 'Buanzo' Busleiman [EMAIL PROTECTED]:
> Graham Murray wrote:
> > What circumstances? I too have performed updates on several remote systems via SSH and run /etc/init.d/sshd restart and never had any problems.
> Something like /etc/init.d/sshd test-restart would be nice.

For what?

> It'd allow all of us to stop worrying about a potential restart/lockout issue.

A /etc/init.d/sshd stop won't kill any SSH sessions. It'll simply [kill] the sshd master process. Because of that, additional logins won't be possible.

Alexander Skwar
-- 
I remember Ulysses well... Left one day for the post office to mail a letter, met a blonde named Circe on the streetcar, and didn't come back for 20 years.
Re: [gentoo-user] Re: Re: SSH won't restart
Alexander Skwar wrote:
> A /etc/init.d/sshd stop won't kill any SSH sessions. It'll simply [kill] the sshd master process. Because of that, additional logins won't be possible.

You seem to believe that most people make no mistakes. I wouldn't need test-restart (I use the one-time telnetd-over-vpn), but it seems others might find it useful. Don't like it? Don't use it! It's all about choices. More than one user here would probably agree that something that will make him feel less nervous is a good thing.

-- 
Arturo Buanzo Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community in its fullest expression.
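Putting together Hans-Werner's "second sshd on a different port" fallback and the test-restart idea discussed in the last two messages, as an added example that is not part of the thread: a POSIX sh script that syntax-checks the config with sshd -t, starts an independent sshd on port 2222 with its own pid file, and only restarts the main daemon once that fallback is confirmed listening. The paths, the ports, the use of ss to check listeners and the init script invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): restart sshd from inside an SSH session
# with a fallback listener on a second port, so a failed restart of the main
# daemon cannot lock you out. Assumes OpenSSH's sshd and Gentoo's init script.
SSHD=${SSHD:-/usr/sbin/sshd}
INIT=${INIT:-/etc/init.d/sshd}
MAIN_PORT=${MAIN_PORT:-22}
FALLBACK_PORT=${FALLBACK_PORT:-2222}
FALLBACK_PID=${FALLBACK_PID:-/var/run/sshd-fallback.pid}

# "sshd -t" parses the config and host keys and exits non-zero on error: the
# cheap "test" half of a test-restart, run before anything is touched.
check_config() { "$SSHD" -t; }

# True if a TCP listener is bound to port $1 ("ss -ltn" prints LISTEN rows
# with the local address as host:port).
port_listening() { ss -ltn 2>/dev/null | grep -Eq ":$1[[:space:]]"; }

# Second, independent sshd on another port with its own pid file. It loads
# its own copies of libc, PAM and OpenSSL now, so whatever the main daemon
# does later cannot affect it.
start_fallback() { "$SSHD" -p "$FALLBACK_PORT" -o PidFile="$FALLBACK_PID"; }

# Kill only the fallback master by pid. Never "killall sshd": that also kills
# the per-session children, including the one carrying your own login.
stop_fallback() { kill "$(cat "$FALLBACK_PID")"; }

# Wait up to $1 seconds for a listener on port $2.
wait_listening() {
    n=$1
    while [ "$n" -gt 0 ]; do
        port_listening "$2" && return 0
        n=$((n - 1)); sleep 1
    done
    return 1
}

safe_restart() {
    check_config || { echo "config test failed, nothing restarted" >&2; return 1; }
    start_fallback || { echo "could not start fallback sshd" >&2; return 1; }
    wait_listening 5 "$FALLBACK_PORT" || { echo "fallback not listening" >&2; return 1; }
    "$INIT" restart
    if wait_listening 10 "$MAIN_PORT"; then
        stop_fallback
        return 0
    fi
    echo "main sshd not back on port $MAIN_PORT; fallback kept on $FALLBACK_PORT" >&2
    return 2
}
case "${1:-}" in run) safe_restart ;; esac
```

Run it as `sh safe-restart.sh run` from the SSH session; if the main daemon does not come back, the fallback on port 2222 stays up so you can log in there and repair things.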