Upgrading OpenSSH


How would you go about upgrading OpenSSH on over 400 servers? So far, we
did that with an install script I wrote one by one. But now, all servers
have the same version of OpenSSH and I thought there might be an easier
way to deploy the binaries.

Re: Upgrading OpenSSH

Vahid wrote:

"400 servers" is a broad project. What underlying OS? All the Linux
distributions have some sort of package management via which you can include
both the software itself and some post-installation scripting. So does
Windows, Solaris, MacOS, etc.  Some of those package management tools have a
"check for updates" system you can use for exactly this sort of situation.

Re: Upgrading OpenSSH


That depends on what infrastructure you have available.  OpenSSH ships
with the capability of building several types of native packages (RPM,
Solaris/SysV pkg and AIX bff/lpp).  Back when I was looking after large
numbers of hosts I used to build, test and package OpenSSH releases in
the platform's native package format, then deploy those.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Upgrading OpenSSH

Darren Tucker wrote:
We are mostly Sun Solaris shop with some HP's AIX and of course Linux.
My concern is only Solaris because as I mentioned, there are over 400
servers and about that much workstations.
I did see the pkg creator for Solaris (very nice) but that requires
one-by-one installation. I have a script that pushes *any* file or
directory to a destination host, that is how we push conf files,
utilities, etc...
My question is, what would happen if I just push the individual binaries
(new version) onto the old binaries? I know HP-UX does not allow that
but Solaris does not mind, but I am not sure what will happen to the
running (in memory) sshd? Of course I have to restart the daemon.
My push script works based on ssh, so if ssh dies, I die too....

Re: Upgrading OpenSSH

    Vahid> files, utilities, etc...  My question is, what would happen if
    Vahid> I just push the individual binaries (new version) onto the old
    Vahid> binaries?

Nothing good -- in some flavors of Unix, this would simply fail; you'd get
"text file busy."  At the very least, you should unlink the existing
executable and copy the new one into place, which will allow existing
processes to continue running (assuming they're not bollixed by side
effects of your replacing other files it depends on while running).

  Richard Silverman

Re: Upgrading OpenSSH

Richard E. Silverman wrote:

It works very well with OpenSSH under RedHat Linux doing an RPM
installation.. If you're installing it over an SSH connection you have to be
careful about restarting your sshd, by killing off the master sshd and not
the forked off sshd that you are currently connecting over: the
/etc/rc.d/init.d/sshd init script used by RedHat Linux does this quite well.
Alternately, you can run sshd via inetd and have each process started by
inetd monitoring port 22, but that tends to have a high start-up cost for
each session: it's usually better to have a daemon always running on port 22
and rely on correctly written startup and shutdown scripts to restart the

Re: Upgrading OpenSSH


If you do the push with the daemon running, you will replace pages on
disk that are linked to the running process.  The daemon will probably
segfault and die.  

If you could only 'mv' the old binary aside before putting the new one
on, then you're fine.  Kill and restart the daemon later.

Ditto with any shared libraries.

Note that if you've previously done a package installation, the pkg
database will now be out of date, as you've deinstalled the version, but
the pkg database wasn't told....

Darren Dunham                                           ddunham@taos.com
Senior Technical Consultant         TAOS            http://www.taos.com /
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >

Re: Upgrading OpenSSH

Darren Dunham wrote:

Note: the "install" command does exactly this, which is partly why so many
packages use "install" instead of "cp" when transferring files. So does
rsync, which is also useful this way.
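The replies from Richard Silverman and Darren Dunham (unlink or move the old
binary aside, never write into the inode a running process is executing), the
note that the RedHat init script restarts only the master sshd, and the remark
that install(1) and rsync already do the unlink-then-create step come together
in the following script. It is an added example, not code from the thread or
from the OpenSSH project. The sshd paths, the PidFile location and the SIGHUP
restart are assumptions for the reader's own host (sshd(8) documents that the
master re-executes itself from the path it was started with when it receives
SIGHUP); the demo function uses a copy of sleep(1) as a stand-in for a running
daemon so the replacement behaviour can be observed on any machine without
touching the real sshd.

```shell
#!/bin/sh
# Added example (not from the thread): replace a binary that a daemon is
# currently executing without touching the inode it has mapped, then restart
# only the master listener.  Daemon paths below are assumptions.
set -eu

# Print the inode number of a file (POSIX ls -i output, first field).
inode() {
    set -- $(ls -i "$1")
    echo "$1"
}

# safe_replace NEW DEST
# Copy NEW to a fresh file beside DEST, then rename(2) it over DEST.  The old
# inode is never opened for writing, so a process executing it keeps its
# mapping and keeps running, and "text file busy" cannot occur.  rename is
# atomic, so DEST never names a half-written file.  This is what install(1)
# and rsync do, and what "cp new old" does not.
safe_replace() {
    new=$1; dest=$2
    tmp="$dest.new.$$"
    cp "$new" "$tmp"
    chmod 0755 "$tmp"
    mv -f "$tmp" "$dest"        # rename(2): swaps the directory entry only
}

# restart_sshd [PIDFILE] [SSHD] [CONFIG]   (paths are assumptions)
# Signal only the master sshd, never the forked child carrying this session.
# On SIGHUP the master re-executes itself from the path it was started with,
# so it comes back running the new binary.  The new binary is asked to test
# the config first (sshd -t) so a bad upgrade does not take down the listener
# that the push session itself depends on.
restart_sshd() {
    pidfile=${1:-/var/run/sshd.pid}
    sshd=${2:-/usr/local/sbin/sshd}
    config=${3:-/usr/local/etc/sshd_config}
    if ! "$sshd" -t -f "$config"; then
        echo "new sshd rejects $config; not restarting" >&2
        return 1
    fi
    kill -HUP "$(cat "$pidfile")"
}

# demo_live_replace
# Run a copy of sleep(1) as a stand-in daemon, replace its binary on disk with
# safe_replace, and check that the process survived and that the name now
# points at a different inode.  Prints "alive" and returns 0 on success.
demo_live_replace() {
    dir=$(mktemp -d)
    cp "$(command -v sleep)" "$dir/sleep"      # "old version" of the daemon
    "$dir/sleep" 60 >/dev/null 2>&1 &          # running: it maps this inode
    pid=$!
    old=$(inode "$dir/sleep")
    safe_replace "$(command -v sleep)" "$dir/sleep"   # "new version"
    new=$(inode "$dir/sleep")
    status=1
    if kill -0 "$pid" 2>/dev/null && [ "$old" != "$new" ]; then
        echo alive
        status=0
    fi
    kill "$pid" 2>/dev/null || true
    rm -rf "$dir"
    return $status
}

if [ "${1:-}" = demo ]; then
    demo_live_replace
fi
```

Run the file with the argument demo to watch a live process survive the
replacement of its own executable. Note Darren Dunham's caveat still applies:
a push done this way bypasses the Solaris pkg database, so on hosts where the
old version was installed with pkgadd the database will disagree with what is
on disk until the package tooling is used instead.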
