spec file
I have looked into the spec file for the openssh rpm.
In the %preun stanza, I noticed that the currently running sshd is
stopped only when removing the package. On the other hand, it is
theoretically possible that a new version of openssh may install files
which would make the old sshd misbehave.

So I think, it is better to stop sshd every time the package is
upgraded.

Also, the %post stanza for the server package, starts sshd. But what
if the upgrade is done in single user mode? The sysV initscript does
not check if networking is up---it just seems to start the service no
matter what.

Best,

Mate

---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: spec file
mw@moni.msci.memphis.edu said:
> So I think, it is better to stop sshd every time the package is
> upgraded.

I agree - be slightly careful here in that you don't have (effectively)
a killall sshd here, because that's very embarrassing if you are
upgrading a remote machine over an ssh session (I speak from experience).


> Also, the %post stanza for the server package, starts sshd. But what
> if the upgrade is done in single user mode? The sysV initscript does
> not check if networking is up---it just seems to start the service no
> matter what.

I'm unhappy about this - it's a complete pain if you are installing ssh
as part of your machine build. You may also happen to be missing
decent entropy etc under these conditions. I personally modify the
spec & init.d files to do the key generation within the start part of
the init.d file. I guess if sshd *was* running then starting it again
is reasonable, otherwise do not start it.

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham@VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
Re: spec file
On Mon, 6 Mar 2000, Mate Wierdl wrote:

> I have looked into the spec file for the openssh rpm.
> In the %preun stanza, I noticed that the currently running sshd is
> stopped only when removing the package. On the other hand, it is
> theoretically possible that a new version of openssh may install files
> which would make the old sshd misbehave.

Have a look in %post

The server is restarted whenever it is upgraded, but the config files
are not replaced. I will change this if I feel an upgrade changes
semantics sufficiently but I think it is reasonable now.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: spec file
On Tue, 7 Mar 2000, Nigel Metheringham wrote:

> > Also, the %post stanza for the server package, starts sshd. But what
> > if the upgrade is done in single user mode? The sysV initscript does
> > not check if networking is up---it just seems to start the service no
> > matter what.
>
> I'm unhappy about this - its a complete pain if you are installing ssh
> as part of your machine build. You may also happen to be missing
> decent entropy etc under these conditions. I personally modify the
> spec & init.d files to do the key generation within the start part of
> the init.d file. I guess if sshd *was* running then starting it again
> is reasonable, otherwise do not start it.

RTFS:

%post server
/sbin/chkconfig --add sshd
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
    /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
fi
if test -r /var/run/sshd.pid
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
then
    /etc/rc.d/init.d/sshd restart >&2
fi

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
Re: spec file
On Tue, Mar 07, 2000 at 09:36:49PM +1100, Damien Miller wrote:
> On Tue, 7 Mar 2000, Nigel Metheringham wrote:
>
> > > Also, the %post stanza for the server package, starts sshd. But what
> > > if the upgrade is done in single user mode? The sysV initscript does
> > > not check if networking is up---it just seems to start the service no
> > > matter what.
> >
> > I'm unhappy about this - its a complete pain if you are installing ssh
> > as part of your machine build. You may also happen to be missing
> > decent entropy etc under these conditions. I personally modify the
> > spec & init.d files to do the key generation within the start part of
> > the init.d file. I guess if sshd *was* running then starting it again
> > is reasonable, otherwise do not start it.
>
> RTFS:
>
> %post server
> /sbin/chkconfig --add sshd
> if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
>     /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
> fi
> if test -r /var/run/sshd.pid
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> then
>     /etc/rc.d/init.d/sshd restart >&2
> fi
>

In my case: I already had a non-rpm installation of a "non-open" sshd
which was running at the time of the installation. Hence I had
/var/run/sshd.pid. I wanted to install the openssh rpm to check
openssh out (run it first on a different port). If I just installed
the rpm as it is, opensshd would have been started without me having a
chance to think about configuration, etc.

Mate
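The %post stanza Damien quotes restarts sshd whenever /var/run/sshd.pid is readable, and Mate's last message shows why that test alone is too weak: the pid file may belong to a different sshd, or be left over from a process that no longer exists. The following is an added example, not code from this thread or from the OpenSSH spec file, of a stricter check a %post could call before restarting. It assumes the packaged binary lives at /usr/sbin/sshd (the thread never names the binary path), takes the procfs root as a parameter so the check can be exercised against a constructed tree, and the function names and the constructed sample tree are this example's own.

```shell
#!/bin/sh
# Added example: decide whether a package %post should restart sshd.
# The stock stanza only tests that the pid file is readable; this version also
# requires that the pid names a live process whose executable is the packaged
# sshd, so a stale pid file or a foreign sshd does not trigger a restart.
# Assumed (not from the thread): /usr/sbin/sshd as the packaged binary,
# and a PROC_ROOT argument standing in for /proc.

# sshd_should_restart PIDFILE SSHD_BIN [PROC_ROOT]
# Prints one of: restart, foreign, stale, absent. Returns 0 only for "restart".
sshd_should_restart() {
    pidfile=$1
    sshd_bin=$2
    proc_root=${3:-/proc}

    if [ ! -r "$pidfile" ]; then
        echo absent
        return 1
    fi
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    # refuse anything that is not a plain decimal pid
    case $pid in
        ''|*[!0-9]*) echo stale; return 1 ;;
    esac
    if [ ! -d "$proc_root/$pid" ]; then
        echo stale
        return 1
    fi
    exe=$(readlink "$proc_root/$pid/exe" 2>/dev/null || true)
    # After an upgrade the running daemon's binary has been replaced on disk,
    # so the kernel reports it as "/usr/sbin/sshd (deleted)"; that is still ours.
    exe=${exe%" (deleted)"}
    if [ "$exe" != "$sshd_bin" ]; then
        echo foreign
        return 1
    fi
    echo restart
    return 0
}

# make_demo_tree DIR: constructed sample input (not real system state) with a
# fake procfs under DIR/proc and a pid file for each case.
make_demo_tree() {
    dir=$1
    mkdir -p "$dir/proc/100" "$dir/proc/200" "$dir/proc/300"
    ln -s /usr/sbin/sshd "$dir/proc/100/exe"              # packaged sshd, running
    ln -s "/usr/sbin/sshd (deleted)" "$dir/proc/200/exe"  # packaged sshd, binary just replaced
    ln -s /usr/local/sbin/sshd "$dir/proc/300/exe"        # a different sshd (Mate's case)
    echo 100 > "$dir/live.pid"
    echo 200 > "$dir/upgraded.pid"
    echo 300 > "$dir/foreign.pid"
    echo 999 > "$dir/stale.pid"          # no such process in the fake tree
    printf 'junk\n' > "$dir/garbage.pid" # not a pid at all
}

# Stand-alone demo: print the verdict for every constructed pid file.
demo() {
    d=$(mktemp -d)
    make_demo_tree "$d"
    for f in live upgraded foreign stale garbage missing; do
        printf '%-9s %s\n' "$f:" "$(sshd_should_restart "$d/$f.pid" /usr/sbin/sshd "$d/proc")"
    done
    rm -rf "$d"
}
demo
```

In a %post the call would be `sshd_should_restart /var/run/sshd.pid /usr/sbin/sshd && /etc/rc.d/init.d/sshd restart`, so the daemon is only restarted when the packaged sshd is genuinely running. This also keeps Nigel's warning in mind: the restart goes through the init script against the listener's pid rather than a `killall sshd`, because the session performing a remote upgrade is served by an sshd child that a killall would take down.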