From owner-freebsd-questions@FreeBSD.ORG Sat Sep 27 01:19:42 2003
Date: Sat, 27 Sep 2003 09:19:29 +0100
From: Matthew Seaman
To: mike@unixhideout.com
Cc: freebsd-questions@freebsd.org
Subject: Re: SSHD configuration file placement.
Message-ID: <20030927081929.GA86642@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <4508.192.168.1.10.1064629482.squirrel@email.unixhideout.com>
References: <4508.192.168.1.10.1064629482.squirrel@email.unixhideout.com>
User-Agent: Mutt/1.5.4i
On Fri, Sep 26, 2003 at 10:24:42PM -0400, mike@unixhideout.com wrote:
> Good day fellow FreeBSDers,
>
> I am trying to switch over from the /usr/ports/security/openssh "version"
> of sshd to the one that comes with the base system. Being a cvsup server,
> I always have the freshest source, so for example, if I wanted to update
> sendmail, I could easily cd /usr/src/usr.sbin/sendmail, make install,
> killall -HUP sendmail and I am done. So, I am trying to do that for my
> good friend sshd. It works great, and puts the new fresh binary where it's
> supposed to be. So what's the problem? For starters, and I think I know the
> answer to this one but please confirm in your reply: the port version of
> it puts a script in /usr/local/etc/rc.d/ to start it with the system. Do I
> remove that and simply add sshd_enable="YES" to rc.conf like almost
> everything else? (I think so.) And the REAL problem is when I do perform a
> make install for sshd, it's putting the new binary where it belongs fine,
> but /etc/ssh is EMPTY. Thus, the server won't start. I have looked
> *everywhere* (except where I need to be looking.) Where can I get those
> config files from? Thanks!

I think you have pretty much a workable plan. You don't say whether
you've got console access to this machine -- I assume you do, by
reading between the lines, and that makes doing this modification a
lot easier.

To answer your questions:

Yes, you should remove the .../etc/rc.d script used to start up the
port version of sshd.
Generally a port will install a sample version of any sort of config
file which you should copy into place and edit to enable the service.
That's so that a package update *won't* trash your current setup, but
if you're going to eradicate the package entirely, then you'll have to
delete those files by hand.

Yes, enable the base version of sshd by adding the variable
assignments to /etc/rc.conf, like all system daemons.

The contents of /etc/ssh can mostly be copied from the port's version
in /usr/local/etc/ssh -- one thing that will be particularly handy to
copy over is the host public and private keys. If you don't copy these
from /usr/local/etc/ssh, then the next time you reboot the system new
host keys will be automatically generated. That's fine and dandy, but
any other machines that people have ssh'd into your system from will
have cached a copy of the old public key, and seeing the new keys will
cause them to emit all sorts of alarming security warnings.

Once you've copied over what you want, run mergemaster to merge in any
of the system specific differences in the config files -- I think
that's pretty much just the 'VersionAddendum' in sshd_config.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
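The migration Matthew describes (copy the port's sshd_config and host keys from /usr/local/etc/ssh into /etc/ssh, then enable sshd in /etc/rc.conf) as an added, stand-alone shell example. It is not code from the original thread or from FreeBSD; the function names (migrate_ssh_dir, keys_match, enable_sshd_in_rc_conf) and the directory arguments are this example's own, and it is written against temporary directories so it can be exercised without touching a live system. The security-relevant details it enforces are the ones a practitioner would want checked: private host keys land with mode 0600, an existing but different key in the destination is never silently overwritten (that is exactly the situation that produces changed-host-key warnings on clients), and rc.conf is only edited once.

```sh
#!/bin/sh
# Added example (not from the original e-mail or the FreeBSD project).
# Copies an sshd configuration directory and host keys from the port's
# location into the base system's, preserving the key material so that
# clients' cached known_hosts entries stay valid.
set -u

# migrate_ssh_dir SRC DST
# Copies sshd_config, ssh_config and every ssh_host_*_key / .pub file
# from SRC to DST. Refuses (exit 1) to overwrite a destination file whose
# contents differ from the source, so an accidental run cannot swap host
# keys from under existing clients. Prints the number of files copied.
migrate_ssh_dir() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "source directory $src missing" >&2; return 1; }
    mkdir -p "$dst" || return 1
    n=0; keys=0
    for f in "$src"/sshd_config "$src"/ssh_config \
             "$src"/ssh_host_*_key "$src"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue            # unmatched glob stays literal
        base=${f##*/}
        if [ -e "$dst/$base" ] && ! cmp -s "$f" "$dst/$base"; then
            echo "refusing to overwrite differing $dst/$base" >&2
            return 1
        fi
        cp "$f" "$dst/$base" || return 1
        case "$base" in
            *_key)     chmod 0600 "$dst/$base"; keys=$((keys + 1)) ;;
            *)         chmod 0644 "$dst/$base" ;;
        esac
        n=$((n + 1))
    done
    # No private keys found means sshd will generate fresh ones at start,
    # and every client that has the old key cached will raise a warning.
    [ "$keys" -gt 0 ] || echo "warning: no host keys copied from $src" >&2
    echo "$n"
}

# keys_match SRC DST
# Exit 0 only if every private host key in SRC has a byte-identical copy
# in DST; this is the property that keeps known_hosts entries valid.
keys_match() {
    for f in "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$2/${f##*/}" || return 1
    done
    return 0
}

# private_keys_locked_down DIR
# Exit 0 if every private host key in DIR is exactly mode 0600.
private_keys_locked_down() {
    for f in "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -perm 600)" ] || return 1
    done
    return 0
}

# enable_sshd_in_rc_conf FILE
# Appends sshd_enable="YES" unless FILE already carries an sshd_enable
# assignment; safe to run repeatedly.
enable_sshd_in_rc_conf() {
    rc=$1
    touch "$rc" || return 1
    grep -q '^sshd_enable=' "$rc" && return 0
    printf 'sshd_enable="YES"\n' >> "$rc"
}

# Real-system usage (as root, after stopping the port's sshd and removing
# its /usr/local/etc/rc.d script):
#   migrate_ssh_dir /usr/local/etc/ssh /etc/ssh
#   keys_match /usr/local/etc/ssh /etc/ssh && echo "host keys preserved"
#   enable_sshd_in_rc_conf /etc/rc.conf
# then run mergemaster to pick up the base system's sshd_config changes.
```

Run it with the destination still empty; a second run is a no-op, and a run against a destination that already holds a different host key stops before touching anything else, which is the failure the thread warns about.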