SSHD configuration file placement.

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Sep 27 01:19:43 PDT 2003


On Fri, Sep 26, 2003 at 10:24:42PM -0400, mike at unixhideout.com wrote:
> Good day fellow FreeBSDers
> 
> I am trying to switch over from the /usr/ports/security/openssh "version"
> of sshd, to the one that comes with the base system. Being a cvsup server,
> I always have the freshest source, so for example, if I wanted to update
> sendmail, I could easily cd /usr/src/usr.sbin/sendmail, make install,
> killall -HUP sendmail and I am done. So, I am trying to do that for my
> good friend sshd. It works great, and puts the new fresh binary where it's
> supposed to be. So what's the problem? For starters, and I think I know the
> answer to this one but please confirm in your reply, the port version of
> it puts a script in /usr/local/etc/rc.d/ to start it with the system. Do I
> remove that, and simply add, sshd_enable="YES" to rc.conf like almost
> everything else? (I think so.) And the REAL problem is when I do perform a
> make install for sshd, its putting the new binary where it belongs fine,
> but /etc/ssh is EMPTY. Thus, the server won't start. I have looked
> *everywhere* (except where I need to be looking.) Where can I get those
> config files from? Thanks!

I think you have pretty much a workable plan.  You don't say whether
you've got console access to this machine -- I assume you do, by
reading between the lines, and that makes doing this modification a
lot easier.

To answer your questions:

    Yes, you should remove the .../etc/rc.d script used to start up
    the port version of sshd.  Generally a port will install a sample
    version of any sort of config file which you should copy into
    place and edit to enable the service.  That's so that a package
    update *won't* trash your current setup, but if you're going to
    eradicate the package entirely, then you'll have to delete those
    files by hand.

    Yes, enable the base version of sshd by adding the variable
    assignments to /etc/rc.conf, like all system daemons.

    The contents of /etc/ssh can mostly be copied from the port's
    version in /usr/local/etc/ssh -- one thing that will be
    particularly handy to copy over is the host public and private
    keys.  If you don't copy these from /usr/local/etc/ssh, then the
    next time you reboot the system new host keys will be
    automatically generated.  That's fine and dandy, but any other
    machines that people have ssh'd into your system from will have
    cached a copy of the old public key, and seeing the new keys will
    cause them to emit all sorts of alarming security warnings.

    Once you've copied over what you want, run mergemaster to merge in
    any of the system specific differences in the config files -- I
    think that's pretty much just the 'VersionAddendum' in
    sshd_config.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
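The host-key step of the migration described above, as an added shell example that is not part of the original thread. It uses OpenSSH's standard host key file names; the source and destination directories default to the thread's /usr/local/etc/ssh and /etc/ssh but are parameters so the functions can be tried on scratch copies first.

```shell
# migrate_host_keys SRC DST
# Copy each host key pair found in SRC into DST, preserving timestamps, and
# refuse to clobber a key in DST that already differs (e.g. one the base sshd
# generated on a reboot). Prints the number of key pairs copied.
migrate_host_keys() {
    src=${1:-/usr/local/etc/ssh}
    dst=${2:-/etc/ssh}
    copied=0
    [ -d "$dst" ] || mkdir -p "$dst"
    for key in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        # The port only generates the key types its build enabled.
        [ -f "$src/$key" ] || continue
        if [ -e "$dst/$key" ] && ! cmp -s "$src/$key" "$dst/$key"; then
            echo "$dst/$key exists and differs from $src/$key; not overwriting" >&2
            return 1
        fi
        cp -p "$src/$key" "$dst/$key" && cp -p "$src/$key.pub" "$dst/$key.pub" || return 1
        chmod 600 "$dst/$key"      # private half must be owner-only or sshd rejects it
        chmod 644 "$dst/$key.pub"
        copied=$((copied + 1))
    done
    echo "$copied"
}

# verify_host_keys SRC DST
# Confirm every private key present in SRC is byte-identical in DST, so the
# fingerprint remote clients have cached in known_hosts is unchanged. Shows
# the fingerprint when ssh-keygen is on the PATH. Returns 1 on any mismatch.
verify_host_keys() {
    src=${1:-/usr/local/etc/ssh}
    dst=${2:-/etc/ssh}
    status=0
    for key in ssh_host_key ssh_host_rsa_key ssh_host_dsa_key; do
        [ -f "$src/$key" ] || continue
        if cmp -s "$src/$key" "$dst/$key"; then
            if command -v ssh-keygen >/dev/null 2>&1; then
                ssh-keygen -l -f "$dst/$key.pub" 2>/dev/null || :
            fi
        else
            echo "MISMATCH: $dst/$key does not match $src/$key" >&2
            status=1
        fi
    done
    return $status
}
```

On the live system, run as root with no arguments (`migrate_host_keys && verify_host_keys`) before the reboot, so the base sshd never gets the chance to generate fresh keys.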