No Reboot Necessary
About twenty minutes after the OpenSSH vulnerability[1] was discovered,
I started getting a number of messages from readers asking how to
upgrade OpenSSH (http://www.openssh.com) safely. Luckily, I already had
written an article on this very topic, assuming it'd come in useful at
some point. So here goes!
Many Linux distros are starting to ship with the OpenSSH daemon.
OpenSSH is a replacement for the insecure rlogin, rsh, rcp, ftp, x11,
and telnet protocols that offer no encryption and are vulnerable to
numerous insertion, hijacking, ip spoofing, and other attacks. OpenSSH
also has encrypted port-forwarding features that make it indispensable
at times.
Anyone with security in mind should have long since turned off telnet
and friends, and should rely on ssh for logins only. The problem occurs
when it's time to upgrade the ssh daemon. If your machines are in a
server room miles away with only SSH access, the last thing you want to
do is either break sshd during the upgrade or get in your car and go
back to the office.
Most folks don't realize that you can kill off the sshd server process
(the one that forks off copies to handle incoming connections) without
killing off any existing connections. That means you can log in, kill
off the server process, and still work on the system until you log out.
Instead, most folks think you need to upgrade and reboot so the changes
take effect. This is not the case. However, if you don't take a few
precautions, then you could find yourself in the unfortunate situation
where you've killed the old process and accidentally logged out (or,
more likely, kill all sshd processes) before starting the new daemon.
The following is my extremely paranoid procedure to ensure that I can
remain sitting in my comfy chair, legs propped on the desk, and a
bottle of caffinated beverage within easy reach. Driving to the server
room is for Windows administrators.
The following assumes your ssh etc files are in /etc/ssh, and that your
sshd binary is in /usr/sbin. Salt to taste.
1. Establish a copy of your working sshd daemon on port 9999:
server# mkdir /root/ssh-whoops
server# cd /root/ssh-whoops
server# cp -p /etc/ssh/* /usr/sbin/sshd .
server# /root/ssh-whoops/sshd -p 9999 \
-f /root/ssh-whoops/sshd_config
2. Connect to your machine on this port a few times to make sure it
works, and give you a few login sessions in case of bad things
later.
home$ ssh MACHINE -p 9999
home$ ssh MACHINE -p 9999
home$ ssh MACHINE -p 9999
home$ (repeat until paranoia satisfied)
3. Upgrade your OpenSSH software in whatever way you use.
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
