Martin Wilck wrote:
Hmm - I need to administer a remote machine hosted at a server farm. By no means can I afford to lock myself out of that system by upgrading ssh, as several people have reported on this list. Nor can I use host-based access control reasonably, because I log in from a large dialin provider with changing IP address & hostname.
I am very certain I am not alone with this problem. Do you have any advice on how to proceed?
VPN, set up something like vtun (easy but maybe not sooooo secure) or ipsec (not so easy, but a little bit more secure) and disable access to sshd via eth0 or whatever your internet device is and make it only accessible via the VPN device/IPs. That's IMHO the best solution without fscking up your machine etc. ;)
Being able to install the new version in parallel to the old one and only disable the old one when the new one proves to work would be a nice option.
That's 'possible'. You can open some shells, restart the sshd after the update, try to make a new login and if it fails, replace the new sshd conf with the old rpm. Or make a copy of the old bin and start it via command line on another port.
HTH
Sven
btw: today I locked myself out ;) typo in an IP ...
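The reply above suggests making sshd reachable only through the VPN addresses. The following check is an added example, not code from the thread: it reads an sshd_config and reports whether every ListenAddress falls under a VPN prefix, treating a config with no ListenAddress as a failure because sshd then listens on all addresses. The function names, the 10.8.0. prefix and the sample config are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Assumption: VPN addresses share a textual prefix ("10.8.0.").

# listen_addrs FILE: print the address part of every ListenAddress directive.
listen_addrs() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        {
            sub(/^[ \t]+/, "")                  # trim leading whitespace
            sub(/[ \t]*=[ \t]*/, " ")           # accept "Keyword=value"
            if (tolower($1) != "listenaddress" || NF < 2) next
            a = $2
            sub(/^\[/, "", a)                   # [addr]:port -> addr
            sub(/\](:[0-9]+)?$/, "", a)
            if (a ~ /^[^:]+:[0-9]+$/) sub(/:[0-9]+$/, "", a)   # host:port
            print a
        }' "$1"
}

# vpn_only FILE PREFIX: succeed only if at least one ListenAddress is set and
# every one starts with PREFIX. PREFIX should end in "." (a prefix of
# "10.8.0.1" would also match 10.8.0.10).
vpn_only() {
    addrs=$(listen_addrs "$1")
    if [ -z "$addrs" ]; then
        echo "no ListenAddress set: sshd listens on all addresses"
        return 1
    fi
    for a in $addrs; do
        case $a in
            "$2"*) ;;
            *) echo "not a VPN address: $a"; return 1 ;;
        esac
    done
}

# Constructed sample config, not taken from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
ListenAddress 10.8.0.1
listenaddress=10.8.0.1:2222
EOF
vpn_only "$sample" "10.8.0." && echo "sshd is bound to VPN addresses only"
rm -f "$sample"
```

The parser does not follow Include directives; on a live host the effective settings printed by `sshd -T` can be saved to a file and checked the same way. Running `sshd -t` against the new config before restarting catches syntax errors while the existing sessions are still open.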