RPM-Update on all boxes in a LAN
Hi, after reading the last security-announcement I ask myself if there is a tool to update the new rpm automatically to all the boxes in my LAN. What I want to do is the following: I receive the security-announcement: I decide to install or not and download the rpm. I start a script, which will install the rpm to the boxes of my choice. I don't want to login on every box, install the rpm and go to the next box. I hoped alice would do things like that, but I think alice is only a tool for new installation (and you have to make a floppy-disk or a CD). And I think, some months ago, I have read about a scripting-language for system administrators, but I don't remember where. Anybody, who can help me.
And I think, some months ago, I have read about a scripting-language for system administrators, but I don't remember where. Anybody, who can help me.
The scripting language is the shell. I do it this way:

    for i in host1 host2 host3 ...; do
        # copy the package into root's home directory on the target
        scp update.rpm root@$i:.
        # upgrade the package, then remove the copied file
        ssh root@$i rpm -Uhv update.rpm
        ssh root@$i rm -f update.rpm
    done

Talking ssh: There will be a reissued announcement in the evening.

Roman.
--
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does
| SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)
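An added example, not part of the post above: the same scp/ssh loop as a function that checks the package locally before distributing it and records which hosts failed, so an unattended run does not stop silently halfway. The function name `push_rpm` and the overridable `SCP`, `SSH` and `RPM` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). SCP, SSH and RPM can be overridden,
# e.g. with stubs for a dry run; this indirection is an assumption of the sketch.
SCP=${SCP:-scp}
SSH=${SSH:-ssh}
RPM=${RPM:-rpm}

# push_rpm <package.rpm> <host>...
# Prints "OK host" or "FAIL host" per host.
# Returns 0 if all hosts succeeded, 1 if any failed, 2 if the package was rejected.
push_rpm() {
    pkg=$1
    shift
    base=$(basename "$pkg")
    # The file name is interpolated into a remote shell command below,
    # so accept only harmless characters.
    case $base in
        *[!A-Za-z0-9._+-]*) echo "unsafe file name: $base" >&2; return 2 ;;
    esac
    # Verify digests/signature of the download before it goes anywhere.
    if ! "$RPM" --checksig "$pkg" >/dev/null 2>&1; then
        echo "refusing to distribute $pkg: rpm --checksig failed" >&2
        return 2
    fi
    status=0
    for host in "$@"; do
        # BatchMode fails instead of prompting for a password; -n keeps ssh
        # off stdin. The remote side removes the file even if rpm fails and
        # still reports rpm's exit status.
        if "$SCP" -q -o BatchMode=yes "$pkg" "root@$host:$base" &&
           "$SSH" -n -o BatchMode=yes "root@$host" \
               "rpm -Uhv '$base'; s=\$?; rm -f '$base'; exit \$s"
        then
            echo "OK $host"
        else
            echo "FAIL $host"
            status=1
        fi
    done
    return $status
}

# Usage: push_rpm update.rpm host1 host2 host3
```

`rpm --checksig` can only vouch for the signer if the vendor's public key has been imported on the machine that runs the check.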
Better yet use PiKT. http://pikt.uchicago.edu/pikt/ Or autorpm or whatever. http://securityportal.com/lskb/10000050/kben10000077.html Kurt Seifried
Roman Drahtmueller wrote:
Talking ssh: There will be a reissued announcement in the evening.
Is this announcement still coming? ;-) After updating to openssh-2.3.0p1-0 I'm unable to (s)login to the computer with the updated package. I'm getting this error message: ssh_exchange_identification: Connection closed by remote host What does this mean? Do I have to generate a new key with ssh-keygen? Many thanks, richard -- Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg Unix IS user friendly. It's just selective about who its friends are.
Talking ssh: There will be a reissued announcement in the evening.
Is this announcement still coming? ;-)
Yesss. It took a little longer, but the packages are about to be built right now. Some changes were added: The missing rcsshd link, and the killing of the daemon upon deinstallation of the package was removed.
After updating to openssh-2.3.0p1-0 I'm unable to (s)login to the computer with the updated package. I'm getting this error message: ssh_exchange_identification: Connection closed by remote host
Could you please have a look at your syslogs on the remote side? It seems that the tcp-wrappers strike again. The old version in 7.0 wasn't compiled against the libwrap.a, which was part of the reason to release an update.
What does this mean? Do I have to generate a new key with ssh-keygen?
Shouldn't, no.
Many thanks, richard
We've seen a case where the daemon couldn't be restarted with the command `/sbin/init.d/sshd restart´, but it wasn't reproducible. Did anybody else see this? Thanks, Roman.
--
| Roman Drahtmüller <draht@suse.de> "Caution: Cape does not
| SuSE GmbH - Security enable user to fly."
| Nürnberg, Germany (Batman Costume warning label)
Roman Drahtmueller:
We've seen a case where the daemon couldn't be restarted with the command `/sbin/init.d/sshd restart´, but it wasn't reproducible. Did anybody else see this?
Thanks, Roman.
That happened to me one time when I was logged in via ssh, but this was obviously my fault. Peter
I found another issue with openssh and SuSE 6.3 ... after updating (removing ssh and installing openssh) I got complaints in /var/log/messages because of a missing pam_pwcheck.so. Removing pam_pwcheck.so in /etc/pam.d/sshd solved the problem. This happened to me on 3 SuSE 6.3 Servers, don't know about other versions. bye Markus -- _____________________________ Markus Gaugusch ICQ 11374583 markus@gaugusch.dhs.org 63
On Wed, 29 Nov 2000, Roman Drahtmueller wrote:
We've seen a case where the daemon couldn't be restarted with the command `/sbin/init.d/sshd restart´, but it wasn't reproducible. Did anybody else see this?
Yes, I got this. On a system with lots of users I had to kill all the old sshd processes by hand before a new sshd would start. On a different system with no one else logged in the restart worked OK. Bob ============================================================== Bob Vickers R.Vickers@dcs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
Roman Drahtmueller wrote:
After updating to openssh-2.3.0p1-0 I'm unable to (s)login to the computer with the updated package. I'm getting this error message: ssh_exchange_identification: Connection closed by remote host
Could you please have a look at your syslogs on the remote side? It seems that the tcp-wrappers strike again. The old version in 7.0 wasn't compiled against the libwrap.a, which was part of the reason to release an update.
There's nothing in my syslogs on the server (/var/log/messages). Only sshd refusing the connection. Both hosts have SuSE 7.0 installed, the client running openssh-2.1.1p1-19 the server running openssh-2.3.0p1-0. On the server I also started harden_suse YES, so the ssh[d]_config files were changed. Then I configured it for my needs the same way it was before the update, allowing root login and setting listenaddress to the internal ethernet card. But it still doesn't work.

    ems@bingo:/home/ems # slogin -v 192.168.100.100 -l root
    SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090581f).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: Applying options for *
    debug: Seeding random number generator
    debug: ssh_connect: getuid 555 geteuid 0 anon 0
    debug: Connecting to 192.168.100.100 [192.168.100.100] port 22.
    debug: Seeding random number generator
    debug: Allocated local port 776.
    debug: Connection established.
    ssh_exchange_identification: Connection closed by remote host
    debug: Calling cleanup 0x805d200(0x0)

thanks, richard
--
Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg
Unix IS user friendly. It's just selective about who its friends are.
On Mit, 29 Nov 2000, Richard Ems wrote:
On the server I also started harden_suse YES, so the ssh[d]_config files were changed.
I have done this and there was a change in hosts.allow/deny which killed ALL logins. openssh uses tcp_wrapper!!! You HAVE to specify allow for ssh protocol in /etc/hosts.allow Then it worked for me.
--
ciao norb
| Norbert Preining http://www.logic.at/people/preining
| University of Technology Vienna, Austria preining@logic.at
| DSA: 0x09C5B094 (RSA: 0xCF1FA165) mail subject: get [DSA|RSA]-key
On Wed, 29 Nov 2000 15:24:20 +0100, you wrote:
On Mit, 29 Nov 2000, Richard Ems wrote:
On the server I also started harden_suse YES, so the ssh[d]_config files were changed.
I have done this and there was a change in hosts.allow/deny which killed ALL logins. openssh uses tcp_wrapper!!! You HAVE to specify allow for ssh protocol in /etc/hosts.allow
Then it worked for me.
Yeap. Not only the programs using inetd can use tcpd. Standalone progs can be compiled against libwrap so they automatically use tcpd. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Norbert Preining wrote:
On Mit, 29 Nov 2000, Richard Ems wrote:
On the server I also started harden_suse YES, so the ssh[d]_config files were changed.
I have done this and there was a change in hosts.allow/deny which killed ALL logins. openssh uses tcp_wrapper!!! You HAVE to specify allow for ssh protocol in /etc/hosts.allow
Then it worked for me.
Thanks! That was it! This should also be on the email that is sent after updating openssh! Thanks again, richard -- Richard Ems ... e-mail: r.ems@gmx.net ... Fachbereich Informatik, Universität Hamburg Unix IS user friendly. It's just selective about who its friends are.
Thanks! That was it!
This should also be on the email that is sent after updating openssh!
It's a bug that libwrap support didn't work in the initial 7.0 release. It used to be like this for years now.
Thanks again, richard
Roman.
--
| Roman Drahtmüller <draht@suse.de> // "Caution: Cape does
| SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)
Hi Richard! Richard Ems wrote:
After updating to openssh-2.3.0p1-0 I'm unable to (s)login to the computer with the updated package. I'm getting this error message: ssh_exchange_identification: Connection closed by remote host
What does this mean? Do I have to generate a new key with ssh-keygen?
Usually (i.e. whenever I got this message), this means that your connection-attempt was refused by the server. Check your /etc/hosts.allow, /etc/hosts.deny and /etc/ssh/sshd_config. Checking out /var/log/messages (on the server) might be helpful, too. Regards, Florian PS: Does anyone know why these error-messages have to be that cryptic??
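An added example, not part of any message in this thread: a pre-flight check of the tcp-wrappers files that can be run on a box before its libwrap-enabled sshd is restarted, to catch the lockout described above. The function names are hypothetical, `sshd` is assumed as the daemon name used in the rules, and the check only looks at which daemons the rules name; client patterns, EXCEPT clauses and continuation lines are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): does hosts.allow / hosts.deny name
# a given daemon? Only the daemon list of each rule is inspected.

# names_daemon <daemon> <file>
# Succeeds if some rule in <file> lists the daemon or the ALL wildcard.
names_daemon() {
    [ -r "$2" ] || return 1
    awk -v d="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            split($0, field, ":")            # field[1] is the daemon list
            n = split(field[1], name, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                sub(/@.*/, "", name[i])      # "sshd@192.168.100.100" -> "sshd"
                if (name[i] == d || name[i] == "ALL") found = 1
            }
        }
        END { exit !found }' "$2"
}

# wrapper_status <daemon> [allow-file] [deny-file]
# Prints one of:
#   allow-rule  hosts.allow has a rule naming the daemon
#   deny-only   only hosts.deny names it (e.g. "ALL: ALL"): expect refusals
#   open        neither file names it: libwrap does not restrict the daemon
wrapper_status() {
    allow=${2:-/etc/hosts.allow}
    deny=${3:-/etc/hosts.deny}
    if names_daemon "$1" "$allow"; then
        echo allow-rule
    elif names_daemon "$1" "$deny"; then
        echo deny-only
    else
        echo open
    fi
}

# Usage on the server: wrapper_status sshd
```

A result of `allow-rule` still has to be read by hand to confirm that the rule's client list covers the address you connect from.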
after reading the last security-announcement I ask myself if there is a tool to update the new rpm automatically to all the boxes in my LAN.
Well I use autorpm but it runs on all of my machines so what I do is login and do autorpm --apply and then select the ones I want to install. I then relax and let it do the rest. Noah
Just a warning in case anyone else gets burned: the new openssh has a change which impacts end-users. X11 forwarding no longer happens unless you specifically request it, either by using ssh -X or by editing ~/.ssh/config or /etc/ssh/ssh_config. Bob ============================================================== Bob Vickers R.Vickers@dcs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
participants (12)
- Bob Vickers
- Florian Kirchmeir
- gtschakert@gmx.de
- Kurt Seifried
- Markus Gaugusch
- Norbert Preining
- Peter Wiersig
- Richard Ems
- Richard Ems
- Roman Drahtmueller
- RoMaN SoFt / LLFB!!
- semat