* [gentoo-user] SSH won't restart
From: Grant @ 2007-09-08 15:40 UTC
To: Gentoo mailing list

I just upgraded ssh and when I try to restart I get:

 * Stopping sshd ... [ !! ]

I don't see anything about it in '/var/log/sshd/current'. How can I
figure out what is wrong? I'm a little nervous because I don't want
to shut myself out of this remote server.

I also noticed many "POSSIBLE BREAK-IN ATTEMPT!" log entries for
usernames that don't exist. Anything I should do about that?

- Grant
--
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] SSH won't restart
From: Alex Schuster @ 2007-09-08 16:46 UTC
To: gentoo-user

Grant writes:

> I just upgraded ssh and when I try to restart I get:
>
> * Stopping sshd ... [ !! ]
>
> I don't see anything about it in '/var/log/sshd/current'. How can I
> figure out what is wrong? I'm a little nervous because I don't want
> to shut myself out of this remote server.

Uh-oh! I know how you feel, I also administrate remote servers.

Is there a /var/sun/sshd.pid containing the PID of the running sshd
process (you can get it via "pidof sshd")? Maybe it's missing, this
would explain the failure to stop.

If you think the upgrade is necessary and don't want to wait until you
or s.o. else has physical access in case sshd doesn't come up again,
you could try to restart sshd manually by issuing a
"kill -SIGHUP $( pidof sshd )".

> I also noticed many "POSSIBLE BREAK-IN ATTEMPT!" log entries for
> usernames that don't exist. Anything I should do about that?

I emerged fail2ban recently. This allows to monitor ssh attacks (also
for other services like ftp and courier), and denies the attacker's IP
for a while after some login failures. This keeps sshd logs short and
enhances security, in case there are users with simple passwords. Some
days ago I received 34 emails from fail2ban telling me about nightly
couriersmtp breakin attempts.

It doesn't work out-of-the-box, but isn't too hard to configure. There
are some howtos, but be sure to read current ones, the configuration
was changed somewhere between version 0.6 and 0.8. I can mail you my
configs if you are interested.

Alex

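The kind of log triage discussed above, as an added example that is not part of the thread and is not fail2ban's own code: it counts failed password attempts per source address and lists the addresses sshd flagged with "POSSIBLE BREAK-IN ATTEMPT!" (a reverse-DNS mismatch). The log lines are constructed, with documentation-range addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-address triage of sshd auth log lines.

# Constructed sample log (not taken from the thread).
sample_log() {
cat <<'EOF'
Sep  8 03:12:01 host sshd[4101]: reverse mapping checking getaddrinfo for a.example.net [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep  8 03:12:01 host sshd[4101]: Invalid user admin from 203.0.113.7
Sep  8 03:12:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep  8 03:12:06 host sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Sep  8 03:12:09 host sshd[4109]: Failed password for invalid user oracle from 203.0.113.7 port 40131 ssh2
Sep  8 03:15:40 host sshd[4200]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Sep  8 03:15:52 host sshd[4200]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
Sep  8 07:28:11 host sshd[7573]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
EOF
}

# failed_logins_by_ip [MIN]
# Reads log text on stdin and prints "ADDRESS COUNT" for every source with
# at least MIN failed password attempts (default 5), busiest first.
# The user name in the line is supplied by the client, so the address is
# taken from the fixed tail "... from ADDRESS port N ssh2", counted from
# the end of the line rather than from the first "from".
failed_logins_by_ip() {
    awk -v min="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / && NF > 3 && $(NF-2) == "port" {
            n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# rdns_mismatch_ips
# Prints each address that sshd flagged with "POSSIBLE BREAK-IN ATTEMPT!".
# Two message layouts are handled: "... for NAME [ADDRESS] failed - ..."
# and "Address ADDRESS maps to NAME, but this does not map back ...".
rdns_mismatch_ips() {
    awk '
        /sshd\[[0-9]+\]: / && /POSSIBLE BREAK-IN ATTEMPT!/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[.*\]$/)
                    seen[substr($i, 2, length($i) - 2)] = 1
                else if ($i == "Address" && i < NF)
                    seen[$(i + 1)] = 1
            }
        }
        END { for (ip in seen) print ip }
    ' | sort
}

# Demo on the constructed sample.
echo "sources with 3 or more failed passwords:"
sample_log | failed_logins_by_ip 3
echo "sources flagged for a reverse-DNS mismatch:"
sample_log | rdns_mismatch_ips
```

On a live system the same functions read the real log, for example `failed_logins_by_ip 5 < /var/log/sshd/current` for the log path mentioned in the first message.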
* Re: [gentoo-user] SSH won't restart
From: Josh Cepek @ 2007-09-08 18:10 UTC
To: gentoo-user

Grant wrote:
> I just upgraded ssh and when I try to restart I get:
>
> * Stopping sshd ... [ !! ]
>
> I don't see anything about it in '/var/log/sshd/current'. How can I
> figure out what is wrong? I'm a little nervous because I don't want
> to shut myself out of this remote server.
>

I had a similar issue after a previous update to ssh when I went to
restart it to get it to use the new binaries. One of the nice features
of sshd is that your current session will stay active even if you kill
the sshd daemon process. Of course, if you get disconnected then you
will not be able to log back in, so it's good to do what you need to
quickly if you do need to kill (or if it's really stuck, kill -9) the
process. When I had this problem I issued a
`kill -9 PID_NUMBER && /etc/init.d/sshd start` - just be *sure* that
you're killing the /usr/sbin/sshd process and not one of your sshd
login forks at the same time.

Alex Schuster wrote:
> If you think the upgrade is necessary and don't want to wait until
> you or s.o. else has physical access in case sshd doesn't come up
> again, you could try to restart sshd manually by issuing a
> "kill -SIGHUP $( pidof sshd )".

I don't recommend doing this as it will also kill your current ssh
session. If for some reason the SIGHUP doesn't take correctly on the
listening daemon you will find yourself locked and kicked out of the
server. Use top or htop to determine the actual PID of the daemon only.

--
Josh

* Re: [gentoo-user] SSH won't restart
From: Alex Schuster @ 2007-09-08 20:50 UTC
To: gentoo-user

Josh Cepek writes:

> I had a similar issue after a previous update to ssh when I went to
> restart it to get it to use the new binaries. One of the nice features
> of sshd is that your current session will stay active even if you kill
> the sshd daemon process. Of course, if you get disconnected then you
> will not be able to log back in, so it's good to do what you need to
> quickly if you do need to kill (or if it's really stuck, kill -9) the
> process. When I had this problem I issued a `kill -9 PID_NUMBER &&
> /etc/init.d/sshd start` - just be *sure* that you're killing the
> /usr/sbin/sshd process and not one of your sshd login forks at the same
> time.
>
> Alex Schuster wrote:
> > If you think the upgrade is necessary and don't want to wait until you
> > or s.o. else has physical access in case sshd doesn't come up again,
> > you could try to restart sshd manually by issuing a
> > "kill -SIGHUP $( pidof sshd )".
>
> I don't recommend doing this as it will also kill your current ssh
> session. If for some reason the SIGHUP doesn't take correctly on the
> listening daemon you will find yourself locked and kicked out of the
> server. Use top or htop to determine the actual PID of the daemon only.

Oh, whoops! Big mistake, you are right - sorry for that, this was bad
advice. I did not think about these other sshd processes. Thanks for
being watchful and pointing this out.

Still, I would prefer -HUP instead of -9, as this would make the sshd
server restart itself. Just in case /etc/init.d/sshd start also makes
trouble - it really shouldn't, but neither should /etc/init.d/sshd stop.

Alex

* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-09 2:05 UTC
To: gentoo-user

On Sat, 8 Sep 2007 22:50:20 +0200
Alex Schuster <wonko@wonkology.org> wrote:

> Josh Cepek writes:
>
> > I had a similar issue after a previous update to ssh when I went to
> > restart it to get it to use the new binaries. One of the nice
> > features of sshd is that your current session will stay active even
> > if you kill the sshd daemon process. Of course, if you get
> > disconnected then you will not be able to log back in, so it's good
> > to do what you need to quickly if you do need to kill (or if it's
> > really stuck, kill -9) the process. When I had this problem I
> > issued a `kill -9 PID_NUMBER && /etc/init.d/sshd start` - just be
> > *sure* that you're killing the /usr/sbin/sshd process and not one
> > of your sshd login forks at the same time.
> >
> > Alex Schuster wrote:
> > > If you think the upgrade is necessary and don't want to wait
> > > until you or s.o. else has physical access in case sshd doesn't
> > > come up again, you could try to restart sshd manually by issuing
> > > a "kill -SIGHUP $( pidof sshd )".
> >
> > I don't recommend doing this as it will also kill your current ssh
> > session. If for some reason the SIGHUP doesn't take correctly on
> > the listening daemon you will find yourself locked and kicked out
> > of the server. Use top or htop to determine the actual PID of the
> > daemon only.
>
> Oh, whoops! Big mistake, you are right - sorry for that, this was bad
> advice. I did not think about these other sshd processes. Thanks for
> being watchful and pointing this out.
> Still, I would prefer -HUP instead of -9, as this would make the sshd
> server restart itself. Just in case /etc/init.d/sshd start also makes
> trouble - it really shouldn't, but neither should /etc/init.d/sshd
> stop.
>
> Alex

Don't forget that you could potentially test out the new server on a
different port, and then if you can log in there you can use that
connection to kill the other sshd, and then you can restart the normal
sshd, and then kill the temporary sshd. I recommend this method highly
as it gives you another way to get in should something go wrong.

Just remember not to 'killall sshd'!

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 16:58 UTC
To: gentoo-user

> I just upgraded ssh and when I try to restart I get:
>
> * Stopping sshd ... [ !! ]
>
> I don't see anything about it in '/var/log/sshd/current'. How can I
> figure out what is wrong? I'm a little nervous because I don't want
> to shut myself out of this remote server.
>
>
> I had a similar issue after a previous update to ssh when I went to restart
> it to get it to use the new binaries. One of the nice features of sshd is
> that your current session will say active even if you kill the sshd daemon
> process. Of course, if you get disconnected then you will not be able to
> log back in, so it's good to do what you need to quickly if you do need to
> kill (or if it's really stuck, kill -9) the process. When I had this
> problem I issued a `kill -9 PID_NUMBER && /etc/init.d/sshd start` - just be
> sure that you're killing the /usr/sbin/sshd process and not one of your sshd
> login forks at the same time.

OK, I've got to be really careful here. I see the following processes
in 'ps -ef':

root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd
root 7573 2988 0 07:28 ? 00:00:00 sshd: root@pts/0

Should I:

kill -9 2988 && /etc/init.d/sshd start

Are you sure? :)

- Grant

* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-10 17:28 UTC
To: gentoo-user

On Mon, 10 Sep 2007 09:58:53 -0700
Grant <emailgrant@gmail.com> wrote:

> OK, I've got to be really careful here. I see the following processes
> in 'ps -ef':
>
> root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd
> root 7573 2988 0 07:28 ? 00:00:00 sshd: root@pts/0
>
> Should I:
>
> kill -9 2988 && /etc/init.d/sshd start
>
> Are you sure? :)

It worked for me, I tested it.

* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-10 17:29 UTC
To: gentoo-user

This process is the ssh daemon:
root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd

Two things: before killing the process with the KILL signal, I would
try killing it with TERM
kill -TERM 2988

If that doesn't work then kill the process with the KILL signal.

I would also use:
/etc/init.d/sshd restart

This will give the init script a chance to do some cleanup work before
restarting

-Best of Luck,
Stephen

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 17:54 UTC
To: gentoo-user

> This process is the ssh daemon:
> root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd
>
> Two things: before killing the process with the KILL signal, I would
> try killing it with TERM
> kill -TERM 2988
>
> If that doesn't work then kill the process with the KILL signal.
>
> I would also use:
> /etc/init.d/sshd restart
>
> This will give the init script a chance to do some cleanup work before
> restarting

Do this:

kill -TERM 2988 && /etc/init.d/sshd restart

and if that doesn't work, do:

kill -9 2988 && /etc/init.d/sshd restart

?

- Grant

* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-10 18:10 UTC
To: gentoo-user

Yes. As a personal preference I don't usually chain commands together
when troubleshooting something, but there is technically nothing
wrong with doing so.

-Stephen

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 19:12 UTC
To: gentoo-user

> Yes. As a personal preference I don't usually chain commands together
> when troubleshooting something, but there is technically nothing
> wrong with doing so.

And now I'm locked out. What do you think guys?

- Grant

* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-10 19:29 UTC
To: gentoo-user

On Mon, 10 Sep 2007 12:12:13 -0700
Grant <emailgrant@gmail.com> wrote:

> > Yes. As a personal preference I don't usually chain commands
> > together when troubleshooting something, but there is technically
> > nothing wrong with doing so.
>
> And now I'm locked out. What do you think guys?
>
> - Grant
>

Is your ssh session still open?

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 19:40 UTC
To: gentoo-user

> > > Yes. As a personal preference I don't usually chain commands
> > > together when troubleshooting something, but there is technically
> > > nothing wrong with doing so.
> >
> > And now I'm locked out. What do you think guys?
> >
> > - Grant
> >
>
> Is your ssh session still open?

I wish. :) 100% locked out. Connection refused.

- Grant

[parent not found: <49bf44f10709101223j51dc1138j27f4bd17ad48275f@mail.gmail.com>]
* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-10 19:38 UTC
To: gentoo-user

On Mon, 10 Sep 2007 12:23:37 -0700
Grant <emailgrant@gmail.com> wrote:

> My host is pretty good about issuing commands for me. Any ideas
> there?
>
> - Grant

start sshd manually to get back in. something like '/usr/bin/sshd -p 3'
(that would listen on port 3 for ssh connections)
("absolute path is necessary for re-exec")

I still don't know what happened; here's what I can do:
===================================================================
dan@pascal ~ $ ssh root@davey
Last login: Mon Sep 10 14:23:18 2007 from pascal.spore.ath.cx
davey ~ # ps -eaf | grep sshd
root     28869     1  0 14:23 ?        00:00:00 /usr/sbin/sshd
root     29147 28869  0 14:34 ?        00:00:00 sshd: root@pts/0
root     29173 29152  0 14:34 pts/0    00:00:00 grep --colour=auto sshd
davey ~ # kill -9 28869
davey ~ # ps -eaf | grep sshd
root     29147     1  0 14:34 ?        00:00:00 sshd: root@pts/0
root     29186 29152  0 14:35 pts/0    00:00:00 grep --colour=auto sshd
davey ~ # /etc/init.d/sshd restart
 * Stopping sshd ... [ !! ]
davey ~ # /etc/init.d/sshd zap
 * Manually resetting sshd to stopped state.
davey ~ # /etc/init.d/sshd start
 * Starting sshd ... [ ok ]
davey ~ # exit
logout
Connection to davey closed.
dan@pascal ~ $ ssh root@davey
Last login: Mon Sep 10 14:34:26 2007 from pascal.spore.ath.cx
davey ~ # exit
logout
Connection to davey closed.
dan@pascal ~ $
=====================================================================
as you can see, it worked fine for me. I even make sure to use -9.

good luck, grant

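The check the thread keeps returning to, telling the listening daemon apart from the per-login sshd processes before any signal is sent, as an added example that is not part of any message. The first two listings are copied from the session above; the third is constructed to cover newer OpenSSH releases that also retitle the listener, which goes beyond the case in the thread. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify sshd processes in `ps -ef` output.

# Listings copied from the session transcript in the message above.
ps_before_kill() {
cat <<'EOF'
root     28869     1  0 14:23 ?        00:00:00 /usr/sbin/sshd
root     29147 28869  0 14:34 ?        00:00:00 sshd: root@pts/0
root     29173 29152  0 14:34 pts/0    00:00:00 grep --colour=auto sshd
EOF
}
ps_after_kill() {
cat <<'EOF'
root     29147     1  0 14:34 ?        00:00:00 sshd: root@pts/0
root     29186 29152  0 14:35 pts/0    00:00:00 grep --colour=auto sshd
EOF
}
# Constructed listing: a listener that carries a "[listener]" title.
ps_modern() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root       812     1  0 09:00 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root      4410   812  0 09:31 ?        00:00:00 sshd: root@pts/0
EOF
}

# classify_sshd: reads `ps -ef` text on stdin, prints "PID ROLE" per sshd
# process. Field 8 is the first word of the command line.
#   - a binary whose basename is sshd        -> listener
#   - title "sshd: ..." with "[listener]"    -> listener
#   - any other "sshd: ..." title            -> session (a login's process)
# The parent PID is deliberately ignored: once the listener is gone the
# session process is re-parented to PID 1, as ps_after_kill shows.
classify_sshd() {
    awk '
        $2 !~ /^[0-9]+$/ { next }                 # header line
        $8 == "sshd:" {
            role = ($0 ~ /\[listener\]/) ? "listener" : "session"
            print $2, role
            next
        }
        {
            n = split($8, path, "/")
            if (path[n] == "sshd") print $2, "listener"
        }'
}

listener_pids() { classify_sshd | awk '$2 == "listener" { print $1 }'; }
session_pids()  { classify_sshd | awk '$2 == "session"  { print $1 }'; }

# is_listener PID: succeeds only if PID is a listener in the text on stdin.
is_listener() { listener_pids | grep -qx -- "$1"; }

# Demo on the copied listings.
echo "before kill:"; ps_before_kill | classify_sshd
echo "after kill:";  ps_after_kill  | classify_sshd
```

Against a live system the guard reads `ps -ef | is_listener 2988 && kill -TERM 2988`, using the PID from Grant's listing.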
* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 20:14 UTC
To: gentoo-user

> > My host is pretty good about issuing commands for me. Any ideas
> > there?
> >
> > - Grant
> start sshd manually to get back in. something like '/usr/bin/sshd -p 3'
> (that would listen on port 3 for ssh connections)
> ("absolute path is necessary for re-exec")
>
> I still don't know what happened; here's what I can do:
> ===================================================================
> dan@pascal ~ $ ssh root@davey
> Last login: Mon Sep 10 14:23:18 2007 from pascal.spore.ath.cx
> davey ~ # ps -eaf | grep sshd
> root     28869     1  0 14:23 ?        00:00:00 /usr/sbin/sshd
> root     29147 28869  0 14:34 ?        00:00:00 sshd: root@pts/0
> root     29173 29152  0 14:34 pts/0    00:00:00 grep --colour=auto sshd
> davey ~ # kill -9 28869
> davey ~ # ps -eaf | grep sshd
> root     29147     1  0 14:34 ?        00:00:00 sshd: root@pts/0
> root     29186 29152  0 14:35 pts/0    00:00:00 grep --colour=auto sshd
> davey ~ # /etc/init.d/sshd restart
>  * Stopping sshd ... [ !! ]
> davey ~ # /etc/init.d/sshd zap
>  * Manually resetting sshd to stopped state.
> davey ~ # /etc/init.d/sshd start
>  * Starting sshd ... [ ok ]
> davey ~ # exit
> logout
> Connection to davey closed.
> dan@pascal ~ $ ssh root@davey
> Last login: Mon Sep 10 14:34:26 2007 from pascal.spore.ath.cx
> davey ~ # exit
> logout
> Connection to davey closed.
> dan@pascal ~ $
> =====================================================================
> as you can see, it worked fine for me. I even make sure to use -9.
>
> good luck, grant

Thank you but doesn't it look like there must be a problem that is
preventing my sshd from starting? Won't '/usr/bin/sshd -p 3' just
fail, or is that more likely to work than '/etc/init.d/sshd start'?

Also, is '/usr/bin/sshd' sufficient? Why not port 22?

- Grant

* Re: [gentoo-user] SSH won't restart
From: Daniel da Veiga @ 2007-09-10 20:24 UTC
To: gentoo-user

If there's a problem with ssh, then you're pretty much stuck with
using other remote terminal tool to fix it, else, you can simply kill
the process, delete the PID file, then "/etc/init.d/sshd zap" and
"/etc/init.d/sshd restart", or "start", anyway... (I guess your host
could easily issue these commands for you).

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 20:48 UTC
To: gentoo-user

> If there's a problem with ssh, then you're pretty much stuck with
> using other remote terminal tool to fix it, else, you can simply kill
> the process, delete the PID file, then "/etc/init.d/sshd zap" and
> "/etc/init.d/sshd restart", or "start", anyway... (I guess your host
> could easily issue these commands for you).

What about just having them reboot and start my manual daemon? Would
that accomplish the same thing?

- Grant

* Re: [gentoo-user] SSH won't restart
From: Daniel da Veiga @ 2007-09-10 21:05 UTC
To: gentoo-user

On 9/10/07, Grant <emailgrant@gmail.com> wrote:
> > If there's a problem with ssh, then you're pretty much stuck with
> > using other remote terminal tool to fix it, else, you can simply kill
> > the process, delete the PID file, then "/etc/init.d/sshd zap" and
> > "/etc/init.d/sshd restart", or "start", anyway... (I guess your host
> > could easily issue these commands for you).
>
> What about just having them reboot and start my manual daemon? Would
> that accomplish the same thing?
>

I guess so, but while your machine reboots all services go down, can
you afford this downtime? If yes, well... If no, you may try
alternatives such as my suggestion above :D

* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-11 16:09 UTC
To: gentoo-user

On Mon, 10 Sep 2007 13:48:12 -0700
Grant <emailgrant@gmail.com> wrote:

> What about just having them reboot and start my manual daemon? Would
> that accomplish the same thing?

That would probably work too, but I don't think rebooting is likely to
help. At the very best it's an additional waiting period before the box
is back up.

* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-11 16:08 UTC
To: gentoo-user

On Mon, 10 Sep 2007 13:14:20 -0700
Grant <emailgrant@gmail.com> wrote:

> Thank you but doesn't it look like there must be a problem that is
> preventing my sshd from starting? Won't '/usr/bin/sshd -p 3' just
> fail, or is that more likely to work than '/etc/init.d/sshd start'?

It seems to me that the problem is probably the initscript is confused,
and not that the config files are bad and the daemon can't start.

> Also, is '/usr/bin/sshd' sufficient? Why not port 22?

It is. No reason at all. But if you started it before the original
ssh server had been stopped, you'd have to start it on a different port
so that it didn't conflict with the original.

> - Grant

* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-11 19:30 UTC
To: gentoo-user

> > Thank you but doesn't it look like there must be a problem that is
> > preventing my sshd from starting? Won't '/usr/bin/sshd -p 3' just
> > fail, or is that more likely to work than '/etc/init.d/sshd start'?
> It seems to me that the problem is probably the initscript is confused,
> and not that the config files are bad and the daemon can't start.
>
> > Also, is '/usr/bin/sshd' sufficient? Why not port 22?
> It is. No reason at all. But if you started it before the original
> ssh server had been stopped, you'd have to start it on a different port
> so that it didn't conflict with the original.

Guys, I'm in! I had my host execute:

sshd

and now I'm logged in, the sshd initscript was already running, and it
restarts perfectly. All is well! Thank you for your help!

How does my host get root access like that?

- Grant

* Re: [gentoo-user] SSH won't restart
From: Hans-Werner Hilse @ 2007-09-11 20:17 UTC
To: gentoo-user

Hi,

On Tue, 11 Sep 2007 12:30:56 -0700
Grant <emailgrant@gmail.com> wrote:

> How does my host get root access like that?

Different possibilities, but hardware access in most cases means root
access (although maybe only to encrypted partitions...).

Easiest: Reboot (CTRL-ALT-DEL, no password needed), change kernel
command line in boot loader to
"/boot/mykernel root=/dev/whatever init=/bin/bash"

And that's it, basically. The admin could have made a backup
of /etc/shadow, reset root password, rebooted into normal system,
restored /etc/shadow.

If it is a virtual server, this might be even easier.

-hwh

* Re: [gentoo-user] SSH won't restart
From: Boyd Stephen Smith Jr. @ 2007-09-11 20:18 UTC
To: gentoo-user

On Tuesday 11 September 2007, Grant <emailgrant@gmail.com> wrote about 'Re: [gentoo-user] SSH won't restart':
>How does my host get root access like that?

Physical access to the box = root in many cases.

Also, if it's some vserver type setup, root on the host can get root access on the guest machines.

-- 
Boyd Stephen Smith Jr.
bss03@volumehost.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.org/
* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-11 21:21 UTC
To: gentoo-user

> >How does my host get root access like that?
>
> Physical access to the box = root in many cases.
> Also, if it's some vserver type setup, root on the host can get root access
> on the guest machines.

Ok, thanks again everyone.

- Grant
* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-12 16:14 UTC
To: gentoo-user

On Tue, 11 Sep 2007 12:30:56 -0700 Grant <emailgrant@gmail.com> wrote:

> How does my host get root access like that?
>
> - Grant

Auto-logged in console, perhaps? Or access to the filesystem on a locally administered fileserver or something?
* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-10 21:52 UTC
To: gentoo-user

I think that there may be something significantly wrong with your box (or configuration of sshd). I have never had a server disconnect an active connection when killing the ssh daemon. If there is someone that you can contact in the data center I would ask them to:

1) Backup your current sshd_config file
2) Restore the default sshd_config on the box, and then try to restart the daemon

Are there any other applications that are not behaving correctly?

-Stephen

On 9/10/07, Grant <emailgrant@gmail.com> wrote:
> > Yes. As a personal preference I don't usually chain commands together
> > when trouble shooting something, but there is technically nothing
> > wrong with doing so.
>
> And now I'm locked out. What do you think guys?
>
> - Grant
>
> > > > This process is the ssh daemon:
> > > > root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd
> > > >
> > > > Two things: before killing the process with the KILL signal, I would
> > > > try killing it with TERM
> > > > kill -TERM 2988
> > > >
> > > > If that doesn't work then kill the process with the KILL signal.
> > > >
> > > > I would also use:
> > > > /etc/init.d/sshd restart
> > > >
> > > > This will give the init script a chance to do some cleanup work before
> > > > restarting
> > >
> > > Do this:
> > >
> > > kill -TERM 2988 && /etc/init.d/sshd restart
> > >
> > > and if that doesn't work, do:
> > >
> > > kill -9 2988 && /etc/init.d/sshd restart
> > >
> > > ?
> > >
> > > - Grant
> > >
> > > > > > I just upgraded ssh and when I try to restart I get:
> > > > > >
> > > > > > * Stopping sshd ... [ !! ]
> > > > > >
> > > > > > I don't see anything about it in '/var/log/sshd/current'. How can I
> > > > > > figure out what is wrong? I'm a little nervous because I don't want
> > > > > > to shut myself out of this remote server.
> > > > > >
> > > > > > I had a similar issue after a previous update to ssh when I went to restart
> > > > > > it to get it to use the new binaries. One of the nice features of sshd is
> > > > > > that your current session will stay active even if you kill the sshd daemon
> > > > > > process. Of course, if you get disconnected then you will not be able to
> > > > > > log back in, so it's good to do what you need to quickly if you do need to
> > > > > > kill (or if it's really stuck, kill -9) the process. When I had this
> > > > > > problem I issued a `kill -9 PID_NUMBER && /etc/init.d/sshd start` - just be
> > > > > > sure that you're killing the /usr/sbin/sshd process and not one of your sshd
> > > > > > login forks at the same time.
> > > > >
> > > > > OK, I've got to be really careful here. I see the following processes
> > > > > in 'ps -ef':
> > > > >
> > > > > root 2988 1 0 Sep04 ? 00:00:00 /usr/sbin/sshd
> > > > > root 7573 2988 0 07:28 ? 00:00:00 sshd: root@pts/0
> > > > >
> > > > > Should I:
> > > > >
> > > > > kill -9 2988 && /etc/init.d/sshd start
> > > > >
> > > > > Are you sure? :)
> > > > >
> > > > > - Grant
* Re: [gentoo-user] SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-10 18:05 UTC
To: gentoo-user

Grant wrote:
> Should I:
> kill -9 2988 && /etc/init.d/sshd start
> Are you sure? :)

Sounds scary to kill sshd remotely, especially over ssh :P

That's why I usually have a telnet server up during ssh upgrade times.

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-10 18:39 UTC
To: gentoo-user

Killing the ssh daemon does not affect any of the existing connections. The ssh daemon is used to listen for new connections and create a process to handle communications with that request. That is why when you update configuration parameters for sshd, they do not take effect until the next connection.

The problem with connecting to the server via telnet is that your password can be easily intercepted - which is one of the major reasons telnet has been deprecated.

-Stephen

On 9/10/07, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
> Grant wrote:
> > Should I:
> > kill -9 2988 && /etc/init.d/sshd start
> > Are you sure? :)
>
> Sounds scary to kill sshd remotely, especially over ssh :P
>
> That's why I usually have a telnet server up during ssh upgrade times.
>
> --
> Arturo "Buanzo" Busleiman - Independent Information Security Consultant
> Services offered: http://www.buanzo.com.ar/pro/
> Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-10 19:19 UTC
To: gentoo-user

Stephen Wittig wrote:
> Killing the ssh daemon does not affect any of the existing
> connections. The ssh daemon is used to listen for new connections and
> create a process to handle communications with that request. That is
> why when you update configuration parameters for sshd, they do not
> take effect until the next connection.

In an ideal world, yes. But humans tend to make mistakes. Grant is now locked-out of his system because of messing around with conditional execution, kill and sshd all in the same command.

> The problem with connecting to the server via telnet is that your
> password can be easily intercepted - which is one of the major reasons
> telnet has been deprecated.

I use it over openvpn ;)

Come on, 13 years of using Linux, I should've learned a couple of tricks already :P

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-10 22:50 UTC
To: gentoo-user

Yes, accessing the machine via telnet over an encrypted VPN connection is a safe way to access the box, but given the setup that Grant was describing it did not sound like he had an encrypted VPN setup to telnet over.

I also agree that having a secondary way of accessing the box, that is secure, is an important factor when updating a remote server (whether that be another encrypted connection or people you can contact locally in the data center). Other people had already suggested starting a copy of the server manually on a different port.

For Grant:
I reread the init script for sshd, and I now see what was most likely the problem. The init script, now, tries to kill all instances with the process name of sshd, not just the daemon (as specified by the pid file). This is why you were locked out when trying to restart the daemon. If you can restart the machine, everything should be working fine after a reboot. This behavior differs from every other distro of linux that I have used, and with previous versions of the init script. Sorry I missed that before emailing the list last time.

Complete Side Note:
Does anyone know where to issue a bug report to try to have this behavior changed. The correct (and more widely) seen behavior of restart for sshd should be something similar to:

start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile "${SSHD_PIDFILE}"

On 9/10/07, Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:
> Stephen Wittig wrote:
> > Killing the ssh daemon does not affect any of the existing
> > connections. The ssh daemon is used to listen for new connections and
> > create a process to handle communications with that request. That is
> > why when you update configuration parameters for sshd, they do not
> > take effect until the next connection.
>
> In an ideal world, yes. But humans tend to make mistakes. Grant is now locked-out of his system
> because of messing around with conditional execution, kill and sshd all in the same command.
>
> > The problem with connecting to the server via telnet is that your
> > password can be easily intercepted - which is one of the major reasons
> > telnet has been deprecated.
>
> I use it over openvpn ;)
>
> Come on, 13 years of using Linux, I should've learned a couple of tricks already :P
>
> --
> Arturo "Buanzo" Busleiman - Independent Information Security Consultant
> Services offered: http://www.buanzo.com.ar/pro/
> Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-10 23:30 UTC
To: gentoo-user

Stephen Wittig wrote:
> I also agree that having a secondary way of accessing the box, that is
> secure, is an important factor when updating a remote server (whether
> that be another encrypted connection or people you can contact locally
> in the data center). Other people had already suggested starting a
> copy of the server manually on the a different port.

Oh, I was just pointing out the fact that if I upgrade sshd, then I try to access the box using a non-sshd method, just for the sake of redundancy. Even netcat would work, or webmin, or whatever that is NOT what you are upgrading.

> Complete Side Note:
> Does anyone know where to issue a bug report to try to have this
> behavior changed. The correct (and more widely) seen behavior of

http://bugzilla.gentoo.org I guess.

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-11 0:43 UTC
To: gentoo-user

> > Complete Side Note:
> > Does anyone know where to issue a bug report to try to have this
> > behavior changed. The correct (and more widely) seen behavior of
>
> http://bugzilla.gentoo.org I guess.

Now, I know why I have never tried to submit a bug report before :)
* Re: [gentoo-user] SSH won't restart
From: Grant @ 2007-09-10 23:34 UTC
To: gentoo-user

> For Grant:
> I reread the init script for sshd, and I now see what was most likely
> the problem. The init script, now, tries to kill all instances with
> the process name of sshd, not just the daemon (as specified by the pid
> file). This is why you were locked out when trying to restart the
> daemon. If you can restart the machine, everything should be working
> fine after a reboot. This behavior differs from every other distro of
> linux that I have used, and with previous versions of the init script.
> Sorry I missed that before emailing the list last time.

That's alright, I really appreciate your attention. One thing though. Your init script discovery doesn't explain why sshd wouldn't restart (stop actually) when I was logged in does it? Given that, do you still think restarting is the way to go? I'm just trying to make sure I don't restart and still not have access. That would be bad because there is a crucial daemon running now that won't come up automatically.

Please tell me what you think.

- Grant
* Re: [gentoo-user] SSH won't restart
From: Stephen Wittig @ 2007-09-11 0:40 UTC
To: gentoo-user

The current init script will not try to restart the daemon if everything does not exit cleanly. We already know that the main process won't exit cleanly since it was manually killed. Unless you are comfortable editing the init script I would suggest:

1) Type:
   ps auxww |grep /usr/sbin/sshd |grep -v grep
   This will give you the process id of the current sshd daemon. Write it down for later use.

2) On the following page, do steps 1 and 2 (I know this article is specifically related to upgrading sshd on redhat, but these steps are the same for gentoo):
   http://www.hackinglinuxexposed.com/articles/20020319.html
   This will give you a temporary sshd server, so that we can kill off all of your old sshd processes, while still giving you access to the machine. It will also make sure that there are not any configuration problems with your current sshd_config file that are preventing the daemon from starting. If this copy of sshd daemon won't start then we know the problem is a configuration error or that the binary somehow became corrupted.

3) Kill off the current sshd process from step 1
   kill -TERM sshd_pid
   -- or --
   kill -KILL sshd_pid

4) Type:
   /etc/init.d/sshd zap
   DO NOT USE the stop or restart commands - they will kill off your temporary ssh server from step 2

5) Type:
   /etc/init.d/sshd start

6) Try connecting to your server as you normally would. If everything is working, then you can kill off the ssh daemon running on the alternate port. If it still doesn't start then it's off to round three problem solving...

-Good Luck,
Stephen

On 9/10/07, Grant <emailgrant@gmail.com> wrote:
> > For Grant:
> > I reread the init script for sshd, and I now see what was most likely
> > the problem. The init script, now, tries to kill all instances with
> > the process name of sshd, not just the daemon (as specified by the pid
> > file). This is why you were locked out when trying to restart the
> > daemon. If you can restart the machine, everything should be working
> > fine after a reboot. This behavior differs from every other distro of
> > linux that I have used, and with previous versions of the init script.
> > Sorry I missed that before emailing the list last time.
>
> That's alright, I really appreciate your attention. One thing though.
> Your init script discovery doesn't explain why sshd wouldn't restart
> (stop actually) when I was logged in does it? Given that, do you
> still think restarting is the way to go? I'm just trying to make sure
> I don't restart and still not have access. That would be bad because
> there is a crucial daemon running now that won't come up
> automatically.
>
> Please tell me what you think.
>
> - Grant
* Re: [gentoo-user] SSH won't restart
From: Dan Farrell @ 2007-09-10 19:28 UTC
To: gentoo-user

On Mon, 10 Sep 2007 13:39:35 -0500 "Stephen Wittig" <nofx911@gmail.com> wrote:

>> That's why I usually have a telnet server up during ssh upgrade
>> times.
> The problem with connecting to the server via telnet is that your
> password can be easily intercepted - which is one of the major reasons
> telnet has been deprecated.

You can always start a separate ssh server on a different port, to test the new server and the config files.

Then you can get in on a different port and fix it if your upgrade of the usual ssh server gets borked.
* Re: [gentoo-user] SSH won't restart
From: Hans-Werner Hilse @ 2007-09-10 20:53 UTC
To: gentoo-user

Hi,

On Mon, 10 Sep 2007 14:28:41 -0500 Dan Farrell <dan@spore.ath.cx> wrote:

> You can always start a seperate ssh server on a different port, to test
> the new server and the config files.
>
> Then you can get in on a different port and fix it if your upgrade of
> the usual ssh server gets borked.

And you can always leave one session open.

Plus: It's already configured.
Plus: It's pretty secure.
Plus: You know exactly whether the new binary works.

It's as easy as "/usr/sbin/sshd -p 22222". (or whatever free port there is)

-hwh
* Re: [gentoo-user] SSH won't restart
From: Mike Williams @ 2007-09-16 15:33 UTC
To: gentoo-user

On Saturday 08 September 2007 16:40:34 Grant wrote:
> I just upgraded ssh and when I try to restart I get:
>
> * Stopping sshd ... [ !! ]
>
> I don't see anything about it in '/var/log/sshd/current'. How can I
> figure out what is wrong? I'm a little nervous because I don't want
> to shut myself out of this remote server.

This thread went on for a long time, which I mostly ignored TBH.

However, I think I just found a solution. openssh, in some circumstances (I believe to be openssl changing ABI), will not restart as you found. It will only not restart when it's being actively used, so you can't do so while logged in. To restart it when you're logged out on a remote server is simply a matter of doing this:

# (sleep 15 && /etc/init.d/sshd restart) &

Then getting all ssh sessions logged out within 15 seconds.

I've just done this on a remote system and can now happily log back in, and restart ssh without issue.

-- 
Mike Williams
* [gentoo-user] Re: SSH won't restart
From: Alexander Skwar @ 2007-09-16 15:40 UTC
To: gentoo-user

Mike Williams <mike@gaima.co.uk>:

> However, I think I just found a solution.
> openssh, in some circumstances (I believe to be openssl changing ABI), will
> not restart as you found. It will only not restart when it's being actively
> used, so you can't do so while logged in.
> To restart it when you're logged out on a remote server is simply a matter of
> doing this:
>
> # (sleep 15 && /etc/init.d/sshd restart) &

Hm?

I don't find this to be true. I often restart sshd by doing exactly /etc/init.d/sshd restart. While I'm remote logged in via SSH. I find, that after having done this, new settings/versions are active.

Alexander Skwar
-- 
Seeing is believing. You wouldn't have seen it if you hadn't believed it.
* Re: [gentoo-user] Re: SSH won't restart
From: Mike Williams @ 2007-09-16 16:29 UTC
To: gentoo-user

On Sunday 16 September 2007 16:40:45 Alexander Skwar wrote:

> > openssh, in some circumstances (I believe to be openssl changing ABI),
> > will not restart as you found. It will only not restart when it's being
> > actively used, so you can't do so while logged in.

> > I've just done this on a remote system and can now happily log back in,
> > and restart ssh without issue.

> Hm?
>
> I don't find this to be true. I often restart sshd by doing exactly
> /etc/init.d/sshd restart. While I'm remote logged in via SSH. I find,
> that after having done this, new settings/versions are active.

Key words "in some circumstances".

-- 
Mike Williams
* [gentoo-user] Re: Re: SSH won't restart
From: Alexander Skwar @ 2007-09-16 17:01 UTC
To: gentoo-user

Mike Williams <mike@gaima.co.uk>:

> On Sunday 16 September 2007 16:40:45 Alexander Skwar wrote:
>
>> > openssh, in some circumstances (I believe to be openssl changing ABI),
>> > will not restart as you found. It will only not restart when it's being
>> > actively used, so you can't do so while logged in.
>
>> > I've just done this on a remote system and can now happily log back in,
>> > and restart ssh without issue.
>
>> Hm?
>>
>> I don't find this to be true. I often restart sshd by doing exactly
>> /etc/init.d/sshd restart. While I'm remote logged in via SSH. I find,
>> that after having done this, new settings/versions are active.
>
> Key words "in some circumstances".

Like?

Actually, I never found this to be true.

Alexander Skwar
-- 
I hate trolls. Maybe I could metamorph it into something else -- like a ravenous, two-headed, fire-breathing dragon. -- Willow
* Re: [gentoo-user] Re: Re: SSH won't restart
From: Mike Williams @ 2007-09-17 13:03 UTC
To: gentoo-user

On Sunday 16 September 2007 18:01:48 Alexander Skwar wrote:
> > Key words "in some circumstances".
>
> Like?
>
> Actually, I never found this to be true.

Never? Good for you.

Grant, the original poster would disagree (who got himself locked out due to the inability to restart sshd BTW), and so would I as it happened to me today and has done several times in the past (and also got locked out, but not today, well yesterday).

-- 
Mike Williams
* [gentoo-user] Re: Re: Re: SSH won't restart
From: Alexander Skwar @ 2007-09-17 13:17 UTC
To: gentoo-user

Mike Williams <mike@gaima.co.uk> wrote:

> On Sunday 16 September 2007 18:01:48 Alexander Skwar wrote:
>> > Key words "in some circumstances".
>>
>> Like?
>>
>> Actually, I never found this to be true.
>
> Never? Good for you.

Yep.

> Grant, the original poster would disagree (who got himself locked out due
> to the inability to restart sshd BTW), and so would I as it happened to me
> today and has done several times in the past

Well, I also found myself being unable to start sshd, but these most often were due to some configuration changes. Never had I found, that shutting down all the running ssh sessions would have helped.

Alexander Skwar
* Re: [gentoo-user] Re: Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-17 14:15 UTC
To: gentoo-user

Alexander Skwar wrote:
> Well, I also found myself being unable to start sshd, but
> these most often were due to some configuration changes.

And exactly for this is why test-restart was proposed by me.

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.
* Re: [gentoo-user] Re: Re: Re: SSH won't restart
From: Hans-Werner Hilse @ 2007-09-17 15:30 UTC
To: gentoo-user

Hi,

On Mon, 17 Sep 2007 11:15:24 -0300 "Arturo 'Buanzo' Busleiman" <buanzo@buanzo.com.ar> wrote:

> Alexander Skwar wrote:
> > Well, I also found myself being unable to start sshd, but
> > these most often were due to some configuration changes.
>
> And exactly for this is why test-restart was proposed by me.

I would propose to change the "restart" option (i.e. introduce a corresponding handler in /etc/init.d/sshd) to actually do checkconfig() before stopping, not just before starting sshd.

I created a bug for this issue, patch attached:
http://bugs.gentoo.org/show_bug.cgi?id=192825

-hwh
* Re: [gentoo-user] Re: Re: Re: SSH won't restart
From: Albert Hopkins @ 2007-09-17 16:06 UTC
To: gentoo-user

On Mon, 2007-09-17 at 11:15 -0300, Arturo 'Buanzo' Busleiman wrote:
> Alexander Skwar wrote:
> > Well, I also found myself being unable to start sshd, but
> > these most often were due to some configuration changes.
>
> And exactly for this is why test-restart was proposed by me.

There is a "sshd -t". From the man page:

     -t      Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change.
* [gentoo-user] Re: Re: Re: Re: SSH won't restart
From: Alexander Skwar @ 2007-09-18 8:11 UTC
To: gentoo-user

Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> wrote:

> Alexander Skwar wrote:
>> Well, I also found myself being unable to start sshd, but
>> these most often were due to some configuration changes.
>
> And exactly for this is why test-restart was proposed by me.

And exactly in these cases, a test-restart won't work, as you'd need to shut down the primary sshd first.

Alexander Skwar

* Re: [gentoo-user] Re: Re: Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-18 11:13 UTC
To: gentoo-user

Alexander Skwar wrote:

> And exactly in these cases, a test-restart won't work, as you'd
> need to shut down the primary sshd first.

sshd -t doesn't need to have sshd stopped beforehand. And, to make it more clear, the checkconfig() patch proposed by Hans is a better thought-out, but basically the same, concept. test-restart is not exactly what I meant, because it implied a restart, ergo, a previous shutdown requirement as you say.

--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.

* Re: [gentoo-user] Re: SSH won't restart
From: Graham Murray @ 2007-09-16 17:49 UTC
To: gentoo-user

Mike Williams <mike@gaima.co.uk> writes:

> Key words "in some circumstances".

What circumstances? I too have performed updates on several remote systems via SSH and run /etc/init.d/sshd restart and never had any problems.

* Re: [gentoo-user] Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-16 18:00 UTC
To: gentoo-user

Graham Murray wrote:

> What circumstances? I too have performed updates on several remote
> systems via SSH and run /etc/init.d/sshd restart and never had any
> problems.

Something like "/etc/init.d/sshd test-restart" would be nice. It'd allow all of us to stop worrying about a potential restart/lockout issue.

* [gentoo-user] Re: Re: SSH won't restart
From: Alexander Skwar @ 2007-09-16 20:25 UTC
To: gentoo-user

· Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>:

> Graham Murray wrote:
>> What circumstances? I too have performed updates on several remote
>> systems via SSH and run /etc/init.d/sshd restart and never had any
>> problems.
>
> Something like "/etc/init.d/sshd test-restart" would be nice.

For what?

> It'd allow all of us to stop worrying
> about a potential restart/lockout issue.

A "/etc/init.d/sshd stop" won't kill any SSH sessions. It'll simply the sshd "master process". Because of that, additional logins won't be possible.

Alexander Skwar
--
I remember Ulysses well... Left one day for the post office to mail a letter, met a blonde named Circe on the streetcar, and didn't come back for 20 years.

* Re: [gentoo-user] Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-16 20:59 UTC
To: gentoo-user

Alexander Skwar wrote:

> A "/etc/init.d/sshd stop" won't kill any SSH sessions. It'll
> simply the sshd "master process". Because of that, additional
> logins won't be possible.

You seem to believe that most people make no mistakes. I wouldn't need test-restart (I use the one-time telnetd-over-vpn), but it seems others might find it useful. Don't like it? Don't use it! It's all about choices. More than one user here would probably agree that something that will make him feel less nervous is a good thing.

* [gentoo-user] Re: Re: Re: SSH won't restart
From: Alexander Skwar @ 2007-09-16 21:53 UTC
To: gentoo-user

· Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>:

> Alexander Skwar wrote:
>> A "/etc/init.d/sshd stop" won't kill any SSH sessions. It'll
>> simply the sshd "master process". Because of that, additional
>> logins won't be possible.
>
> You seem to believe that most people make no mistakes.

No, I don't.

> I wouldn't need test-restart (I use the
> one-time telnetd-over-vpn), but it seems others might find it useful.

For what? What should it safeguard against? You can't just start a 2nd instance of sshd while the 1st is still running, as they (usually) should then bind to the same port. That won't work, obviously.

Alexander Skwar
--
Whenever I hear anyone arguing for slavery, I feel a strong impulse to see it tried on him personally.
		-- Abraham Lincoln

* Re: [gentoo-user] Re: Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-16 21:55 UTC
To: gentoo-user

Alexander Skwar wrote:

> For what? What should it safeguard against? You can't just start
> a 2nd instance of sshd while the 1st is still running, as they
> (usually) should then bind to the same port. That won't work, obviously.

Ok, ok, you win.

* Re: [gentoo-user] Re: Re: SSH won't restart
From: Hans-Werner Hilse @ 2007-09-17 15:05 UTC
To: gentoo-user

Hi,

On Sun, 16 Sep 2007 22:25:07 +0200 Alexander Skwar <listen@alexander.skwar.name> wrote:

> A "/etc/init.d/sshd stop" won't kill any SSH sessions. It'll
> simply the sshd "master process". Because of that, additional
> logins won't be possible.

An /etc/init.d/sshd stop/restart can very well fail. Depending on in what state this happens, it might stop accepting connections. Typical conditions might be that relevant changes on-disk occurred, e.g. PAM libraries, libc or similar libs that might dl() things. OTOH, if signal handling is broken, the KILL might traverse to the connection handling forked child. And that's enough to kick you out.

So I would definitely prefer to always have a guaranteed working sshd running (I find OpenVPN/telnet a bit strange and an unnecessary potential security hole).

You're absolutely right in that restarting immediately or delayed after logging out of all sessions doesn't matter at all. But it's wrong that it *can't* occur that you kill your current session as well. So the delay doesn't make any specific sense here. It might reduce the risk of a zombie master process of sshd, but I don't see much evidence. OTOH, you lose the possibility of fixing restart problems within the running session. So you have to weigh the risks. The real problem, however, can only be overcome by another way to log in. Firing up another instance of sshd (on a different port) is just a matter of one simple command, so I definitely prefer that.

-hwh

* Re: [gentoo-user] Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-17 15:56 UTC
To: gentoo-user

Hans-Werner Hilse wrote:

> Hi,

Hi!

> So I would definitely prefer to always have a guaranteed working sshd
> running (I find OpenVPN/telnet a bit strange and an unnecessary
> potential security hole).

If running permanently, then I agree, but I do not see the potential security hole if using a correctly designed/configured tunnel.

> session. So you have to weigh the risks. The real problem, however,
> can only be overcome by another way to log in. Firing up another
> instance of sshd (on a different port) is just a matter of one simple
> command, so I definitely prefer that.

As long as there is no issue with the sshd binary, of course :)

* Re: [gentoo-user] Re: Re: SSH won't restart
From: Hans-Werner Hilse @ 2007-09-17 16:34 UTC
To: gentoo-user

Hi,

On Mon, 17 Sep 2007 12:56:16 -0300 "Arturo 'Buanzo' Busleiman" <buanzo@buanzo.com.ar> wrote:

> > So I would definitely prefer to always have a guaranteed working
> > sshd running (I find OpenVPN/telnet a bit strange and an unnecessary
> > potential security hole).
>
> If running permanently, then I agree, but I do not see the potential
> security hole if using a correctly designed/configured tunnel.

I just prefer manual "opening" of access means above manual "securing" them. It's just about what happens if you fail -- when the task was securing, you might have a security leak, but if it was opening access, it is still secured. It's relatively moot, since opening access is also often error prone in the sense of "opening too much". I think it's personal taste :-)

> > session. So you have to weigh the risks. The real problem, however,
> > can only be overcome by another way to log in. Firing up another
> > instance of sshd (on a different port) is just a matter of one
> > simple command, so I definitely prefer that.
>
> As long as there is no issue with the sshd binary, of course :)

Yeah, but in that case you'd know it at that point, and it caused no other harm than preventing you from setting up that fallback sshd. You can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd that's still listening. Just remember not to do a "killall sshd".

-hwh

* Re: [gentoo-user] Re: Re: SSH won't restart
From: Arturo 'Buanzo' Busleiman @ 2007-09-17 17:00 UTC
To: gentoo-user

Hans-Werner Hilse wrote:

> I just prefer manual "opening" of access means above manual "securing"
> them. It's just about what happens if you fail -- when the task was
> securing, you might have a security leak, but if it was opening
> access, it is still secured. It's relatively moot, since opening access
> is also often error prone in the sense of "opening too much". I think
> it's personal taste :-)

All can go wrong, always. First security motto. That's why a completely parallel, special-time-only mechanism appeals to me (and, of course, taste here is important, too!)

> Yeah, but in that case you'd know it at that point, and it caused no
> other harm than preventing you from setting up that fallback sshd. You
> can then still fix it (or set up OpenVPN/telnet ;-)) using the old sshd
> that's still listening. Just remember not to do a "killall sshd".

Yes, of course, I fully agree. I just think that providing a couple more ideas (alternatives, if you wish, for different personal tastes! :) is good.

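The two safeguards discussed in this thread (validating with "sshd -t" before the running daemon is stopped, and keeping a second sshd on another port as a fallback login path), written out as an added example; it is not code from any poster, from the Gentoo init script, or from the patch in the bug report. The function names, the SSHD_BIN / SSHD_INIT / SSHD_CONFIG variables and their default paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate first, keep a fallback, then restart.
# Default paths are assumptions; override them through the environment.
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"
SSHD_INIT="${SSHD_INIT:-/etc/init.d/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# "sshd -t" only parses the config and checks the host keys. It binds no
# port, so it can run while the production daemon is still listening.
check_sshd_config() {
    "$SSHD_BIN" -t -f "$SSHD_CONFIG"
}

# Start a second daemon on another port with its own PID file.
# A ListenAddress line that names a port overrides -p (see sshd(8)).
start_fallback_sshd() {
    "$SSHD_BIN" -f "$SSHD_CONFIG" -p "$1" -o "PidFile=$2"
}

# Stop only the fallback, by PID file. "killall sshd" would also hit the
# master daemon and the per-session children.
stop_fallback_sshd() {
    [ -r "$1" ] || return 1
    kill "$(cat "$1")"
}

# Usage: safe_restart_sshd <fallback-port> <fallback-pidfile>
#   e.g. safe_restart_sshd 2222 /var/run/sshd-fallback.pid  (example values)
# Returns 0 restarted, 1 config rejected (nothing touched),
#         2 fallback did not start (nothing touched), 3 restart failed.
safe_restart_sshd() {
    port="$1"; pidfile="$2"
    if ! check_sshd_config; then
        echo "sshd -t rejected $SSHD_CONFIG; running daemon left alone" >&2
        return 1
    fi
    if ! start_fallback_sshd "$port" "$pidfile"; then
        echo "fallback sshd on port $port did not start; not restarting" >&2
        return 2
    fi
    if ! "$SSHD_INIT" restart; then
        echo "restart failed; fallback still listening on port $port" >&2
        return 3
    fi
    echo "restarted; test a fresh login, then: stop_fallback_sshd $pidfile" >&2
    return 0
}
```

The fallback is deliberately left running after a successful restart, so a new login on the main port can be confirmed from a separate session before it is stopped.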