SSHD configuration file placement.
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sat Sep 27 01:19:43 PDT 2003
On Fri, Sep 26, 2003 at 10:24:42PM -0400, mike at unixhideout.com wrote:
> Good day fellow FreeBSDers
>
> I am trying to switch over from the /usr/ports/security/openssh "version"
> of sshd, to the one that comes with the base system. Being a cvsup server,
> I always have the freshest source, so for example, if I wanted to update
> sendmail, I could easily cd /usr/src/usr.sbin/sendmail, make install,
> killall -HUP sendmail and I am done. So, I am trying to do that for my
> good friend sshd. It works great, and puts the new fresh binary where it's
> supposed to be. So what's the problem? For starters, and I think I know the
> answer to this one but please confirm in your reply, the port version of
> it puts a script in /usr/local/etc/rc.d/ to start it with the system. Do I
> remove that, and simply add sshd_enable="YES" to rc.conf like almost
> everything else? (I think so.) And the REAL problem is when I do perform a
> make install for sshd, it's putting the new binary where it belongs fine,
> but /etc/ssh is EMPTY. Thus, the server won't start. I have looked
> *everywhere* (except where I need to be looking.) Where can I get those
> config files from? Thanks!
I think you have pretty much a workable plan. You don't say whether
you've got console access to this machine -- I assume you do, by
reading between the lines, and that makes doing this modification a
lot easier.
To answer your questions:
Yes, you should remove the .../etc/rc.d script used to start up
the port version of sshd. Generally a port will install a sample
version of any sort of config file which you should copy into
place and edit to enable the service. That's so that a package
update *won't* trash your current setup, but if you're going to
eradicate the package entirely, then you'll have to delete those
files by hand.
Yes, enable the base version of sshd by adding the variable
assignments to /etc/rc.conf, like all system daemons.
The contents of /etc/ssh can mostly be copied from the port's
version in /usr/local/etc/ssh -- one thing that will be
particularly handy to copy over are the host public and private
keys. If you don't copy these from /usr/local/etc/ssh, then the
next time you reboot the system new host keys will be
automatically generated. That's fine and dandy, but any other
machines that people have ssh'd into your system from will have
cached a copy of the old public key, and seeing the new keys will
cause them to emit all sorts of alarming security warnings.
Once you've copied over what you want, run mergemaster to merge in
any of the system specific differences in the config files -- I
think that's pretty much just the 'VersionAddendum' in
sshd_config.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
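The migration the reply describes, written out as an added shell example (not part of the original mail and not a FreeBSD or OpenSSH tool): copy sshd_config and the host key pairs from the port's /usr/local/etc/ssh into the base system's /etc/ssh, confirm each copy is byte-identical so the host's public key does not change, set private-key permissions, and add sshd_enable="YES" to rc.conf without duplicating it on a re-run. Source and destination directories are parameters so the functions can be exercised on scratch directories first; the port's rc.d script filename in migrate_port_sshd is an assumption, check /usr/local/etc/rc.d for the real name.

```shell
#!/bin/sh
# Added example: move the port's sshd configuration and host keys into the
# base system's directory and enable the base sshd. Paths are parameters so
# the functions can be tested against throwaway directories.

# Copy sshd_config and every ssh_host_*key / ssh_host_*key.pub from SRC to
# DST. Each copy is compared with cmp so a truncated or altered host key is
# caught before a reboot would silently regenerate new keys. Private keys
# end up 0600, public keys and sshd_config 0644.
migrate_ssh_dir() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" && chmod 755 "$dst" || return 1
    for f in "$src"/sshd_config "$src"/ssh_host_*key "$src"/ssh_host_*key.pub; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        name=$(basename "$f")
        cp -p "$f" "$dst/$name" || return 1
        cmp -s "$f" "$dst/$name" || { echo "copy mismatch: $name" >&2; return 1; }
        case "$name" in
            *.pub|sshd_config) chmod 644 "$dst/$name" ;;
            *)                 chmod 600 "$dst/$name" ;;
        esac
    done
    return 0
}

# Append sshd_enable="YES" to an rc.conf exactly once; a second run is a no-op.
enable_sshd_in_rcconf() {
    rcconf="$1"
    touch "$rcconf" || return 1
    if grep -q '^sshd_enable=' "$rcconf"; then
        return 0
    fi
    printf 'sshd_enable="YES"\n' >> "$rcconf"
}

# Number of private host keys in DIR, so the caller can confirm the keys were
# carried over before rebooting (zero means new keys would be generated).
count_host_keys() {
    dir="$1"; n=0
    for f in "$dir"/ssh_host_*key; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Real-system invocation using the paths named in the mail. Not run
# automatically; the rc.d script filename below is an assumption.
PORT_RCD_SCRIPT="/usr/local/etc/rc.d/sshd.sh"   # assumed name, verify with ls
migrate_port_sshd() {
    migrate_ssh_dir /usr/local/etc/ssh /etc/ssh &&
    enable_sshd_in_rcconf /etc/rc.conf &&
    rm -f "$PORT_RCD_SCRIPT" &&
    echo "private host keys now in /etc/ssh: $(count_host_keys /etc/ssh); run mergemaster next"
}
```

Before and after running it on a live machine, `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` (and the same for the other key types present) shows the fingerprint clients have cached; it must be unchanged afterwards, which is exactly what the cmp check enforces and what avoids the host-key warnings the reply mentions.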