George,

George Dimitoglou wrote:
> I have SSH up and running on the mother machine and I would like to get
> the other hosts running SSH but the version and software from the
> 'mother' machine. I would think I would need to recompile SSH on the
> child host (to generate keys etc) but I don't seem to be certain on how
> to do it.


On hosts where you already have ssh installed, I do not think you would have
to regenerate your host keys; they can be the same, *IF* you are certain
that these keys have not been compromised, as Jason wrote:

Jason Axley wrote:
> This is a very ill-advised approach as an attacker can spoof your ssh and
> sshd binaries via the network.  NFS should stand for "Not For Security"
> ;-)


At our site, we initially installed ssh in the manner you and Jason appear
to have done.  Now, Jason's point is perhaps the most relevant, however
I have several other reasons for having ssh installed on each (NFS client)
host's local system disk:

1)  We prefer to have our NFS clients mount /usr/local with the "nosuid" 
    NFS mounting option:  the ssh client binaries lose the ability to
    set their port to a low-numbered port (since they have no root privs
    at startup.)

2)  It gives me the creeps to run (as root) daemons (sshd) which are
    loaded over NFS (as Jason says.)

3)  In order for scp to be usable by the root acct on the client host,
    scp and ssh etc must be in the client root's PATH; we do not allow
    our root PATH variable to include NFS-mounted areas.

4)  During the process of getting our amanda backup programs fine-tuned,
    I experimented with installing the amanda binaries on each host
    instead of the NFS /usr/local; it speeds things up dramatically
    (our ethernet is for the most part still 10Mbit... ;*( )  I found
    reference to this in the amanda literature with regard to the 
    backups failing due to timeout problems.  So, I speculate that given
    a degraded NFS environment (or network in general, for whatever
    reason it slows to a crawl) having the ssh stuff local to each
    host means routine tasks such as rsync over ssh etc would have a
    better chance of functioning normally, and the admins might have
    better connectivity to client hosts.  (Well, OK, this might be a
    stretch, I'm not sure...)

I suggest (in the STRONGEST of terms) that you follow Jason's advice
and develop your own local packages for easy installation on the local
system disk of each NFS client host.

Best regards,

Chris


-- 
Christopher Linn             <[EMAIL PROTECTED]>       Staff System Administrator
Center for Experimental Computation          Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH
