From: Sven 'Darkman' Michels (svendarkman.de)
Date: Tue Jun 25 2002 - 15:51:09 CDT


    Martin Wilck wrote:

    > Hmm - I need to administer a remote machine hosted at a server farm.
    > By no means can I afford to lock myself out of that system by upgrading
    > ssh, as several people have reported on this list. Nor can I use
    > host-based access control reasonably, because I login from a large
    > dialin provider with changing IP address & hostname.
    >
    > I am very certain I am not alone with this problem.
    > Do you have any advice on how to proceed?

    VPN, set up something like vtun (easy but maybe not sooooo secure) or
    ipsec (not so easy, but a little bit more secure) and disable access to
    sshd via eth0 or whatever your internet device is and make it only
    accessible via the VPN device/IPs. That's IMHO the best solution without
    fscking up your machine etc. ;)

    > Being able to install the new version in parallel to the old one and
    > only disable the old one when the new one proves to work would be a nice
    > option.

    That's 'possible'. You can open some shells, restart the sshd after
    the update, try to make a new login and if it fails, replace the new
    sshd conf with the old rpm. Or make a copy of the old bin and start
    it via command line on another port.

    HTH
    Sven

    btw: today I locked myself out ;) typo in an IP ...
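
The procedure from the reply above (old sshd kept running on a second port, config check before restarting the new one, sshd bound only to the VPN address), as an added shell example that is not part of the original post. The binary paths, port, PidFile path and VPN address are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, port and VPN address are
# placeholders supplied by the caller; IPv4 ListenAddress values only.

# Start a saved copy of the old sshd on a spare port before upgrading, so a
# second way in exists while the new daemon is tested. -p overrides any Port
# line in the config; a separate PidFile keeps the main daemon's pid intact.
start_fallback() {
    old_bin=$1 old_conf=$2 port=$3
    "$old_bin" -t -f "$old_conf" || return 1    # config must parse first
    "$old_bin" -f "$old_conf" -p "$port" -o "PidFile=/var/run/sshd-fallback.pid"
}

# After the upgrade, run the caller's restart command only if the new binary
# accepts the config. Keep an open session until a fresh login has worked.
restart_if_valid() {
    new_bin=$1 conf=$2
    shift 2
    "$new_bin" -t -f "$conf" || return 1
    "$@"
}

# Succeed only if sshd is bound exclusively to the VPN address. Without any
# ListenAddress line sshd listens on every interface, so that case fails.
listens_only_on() {
    conf=$1 vpn_ip=$2
    awk -v ip="$vpn_ip" '
        tolower($1) == "listenaddress" {
            n++
            addr = $2
            sub(/:[0-9]+$/, "", addr)           # drop an optional :port
            if (addr != ip) bad++
        }
        END { exit !(n > 0 && bad == 0) }
    ' "$conf"
}

# Constructed usage (absolute paths, since sshd expects them):
#   start_fallback /root/sshd.old /root/sshd_config.old 2222
#   restart_if_valid /usr/sbin/sshd /etc/ssh/sshd_config <restart command>
#   listens_only_on /etc/ssh/sshd_config 10.8.0.1
```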
