Re: Removing SSH's welcome message (before login)

2010-02-22 Thread Jon Dowland
On Thu, Feb 18, 2010 at 05:00:48PM +, Nuno Magalhães
wrote:
> IT'S A REMOTE MACHINE, i would've restarted ssh already,
> don't you think?

I made it very clear that restarting the sshd daemon does
not break existing ssh client connections.  Try to behave
civilly towards people spending their time trying to help
you.


-- 
Jon Dowland





Re: Removing SSH's welcome message (before login)

2010-02-22 Thread Jon Dowland
On Sat, Feb 20, 2010 at 03:36:20PM +, Nuno Magalhães
wrote:
> Come to think of it i don't know why i would also copy the
> init script, 'cos that evidently screwed any attempt at a
> clean reboot.

Yes copying it is not good enough, you will also need to
make edits to it to make sure that it uses a different
daemon name, different PID file location, and to make sure
that the ssh2 binary referenced the sshd_config2 file you
created earlier (it won't just figure that out by itself!)

You would also need to make sure the relevant runlevel
scripts were in place (or if you are using upstart or
similar, configure that appropriately)

This is a lot of unnecessary work to make a cosmetic change
to the SSH banner.

> Fortunately my host's reachable by phone, we scheduled a
> reboot.  Didn't work, i wasn't even getting error messages
> again, just connection refused[1], on both ports, by the
> new version. They opened console through vnc, i ran some
> updates, upgrades, purges and what not and it's back
> working again, with the old version.

So, essentially, in your attempts to avoid a potential
service disruption by restarting the running sshd daemon,
due to a fear you would lock yourself out, despite several
people pointing out that it doesn't break client connections
so you could back out your single change and re-restart the
daemon, for a change you want to make which is merely
cosmetic and essentially a waste of time, you managed to
break your ssh init scripts, force at least one reboot and
lose your access to the box.

Seriously: 

***restarting the sshd listening daemon does not stop
your existing ssh client sessions!***

For such a small change, with such a low likelihood of going
wrong, you can just make it, restart the daemon, confirm the
daemon is still listening, and you're done.  And if it
wasn't listening, back out your single, small, change,
restart the daemon again, and you're back where you started.


-- 
Jon Dowland




Re: Removing SSH's welcome message (before login)

2010-02-22 Thread Nuno Magalhães
Greetings,

> I made it very clear that restarting the sshd daemon does
> not break existing ssh client connections.  Try to behave
> civilly towards people spending their time trying to help
> you.

Had you read two of my previous messages instead of skimming through
them, you would've known already it was a remote server. I was past
the lock-out by the time you replied.

Had *i* read your message carefully instead of skimming through it
(i.e. yanking hair when it read restart your remote sshd) i would've
already known Restarting Sshd Won't Break Client Connections, instead
of coming to that - rather obvious, yes - conclusion later.

So maybe we both oughta read mail more carefully :)

As stated, i did think of telling the second binary to use a second
config, but stopped short of everything else that you (correctly and
quite logically) pointed out: init script, pid file, etc. My first plan
was to use a cron job (as it seems more common) but how would
scheduling the start of a binary that was being upgraded prevent
problems?

Anyway, this is academic since next time i'll know RSWBCC™ ;)

As for the cosmetic change, well, it's a matter of opinion i guess. I
dislike the fact sshd (or httpd or *d) announce themselves to the
world like that unless strictly necessary. I'm all for open source
software (duh), but i think it should keep its mouth obscurely shut
when serving. (This would probably spawn a religious debate so let's
leave it at that.)

Thanks for your contributions, Jon, and i hope there's no hard
feelings if (er, when) i sounded harsh.

Regards,
Nuno

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/6b1504c4100202w24926398ndc1e6883e8e02...@mail.gmail.com



Re: Removing SSH's welcome message (before login)

2010-02-20 Thread Nuno Magalhães
Hi

Ok, i was told sshd will keep sessions alive during an upgrade, which
would make sense since they're in memory and i'm upgrading the binary
on disk. Still, after many aptitude upgrades where the ncurses popup
tells me the following services need to be restarted, that didn't come
to mind at the time. So the idea was to run two different binaries on
two different ports with two different config files (just changing the
port (yes i opened the ports in the fw)). This is a minimal remote
server running lenny. Here's a step-by-step of what i've done, maybe
someone can shed some light on where i went wrong:

1. cp /usr/sbin/sshd /usr/sbin/sshd2
2. cp /etc/ssh/sshd_config /etc/ssh/sshd_config2
Change the port in 2.
3. open the new port in the fw and restart it
4. cp /etc/init.d/ssh /etc/init.d/ssh2
Come to think of it i don't know why i would also copy the init
script, 'cos that evidently screwed any attempt at a clean reboot.
5. /usr/sbin/sshd2 -f /etc/ssh/sshd_config2 
6. test both connections
7. wget ...debian.org...openssh-server_5.3p1-1_i386.deb
8. dpkg -i openssh-server_5.3p1-1_i386.deb
Which produced this:

dpkg: dependency problems prevent configuration of openssh-server:
 openssh-server depends on libc6 (= 2.8); however:
  Version of libc6 on system is 2.7-18.
 openssh-server depends on libgssapi-krb5-2 (= 1.7dfsg~beta1); however:
  Package libgssapi-krb5-2 is not installed.
 openssh-server depends on libk5crypto3 (= 1.6.dfsg.2); however:
  Package libk5crypto3 is not installed.
 openssh-server depends on libkrb5-3 (= 1.6.dfsg.2); however:
  Package libkrb5-3 is not installed.
 openssh-server depends on libssl0.9.8 (= 0.9.8k-1); however:
  Version of libssl0.9.8 on system is 0.9.8g-15+lenny5.
 openssh-server depends on openssh-client (= 1:5.3p1-1); however:
  Version of openssh-client on system is 1:5.1p1-5.
dpkg: error processing openssh-server (--install):
 dependency problems - leaving unconfigured

I assumed dpkg didn't actually do anything, but i guess it must've
done something. When i came home i couldn't log in again.

Fortunately my host's reachable by phone, we scheduled a reboot.
Didn't work, i wasn't even getting error messages again, just
connection refused[1], on both ports, by the new version. They opened
console through vnc, i ran some updates, upgrades, purges and what not
and it's back working again, with the old version.

And it still shows its damn string.

Btw why does openssh-server depend on openssh-client? Anyway thanks
for the tips.

[1] http://pastebin.com/m35b138b9

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail





Re: Removing SSH's welcome message (before login)

2010-02-20 Thread Rob Owens
On Sat, Feb 20, 2010 at 03:36:20PM +, Nuno Magalhães wrote:
> Hi
>
> Ok, i was told sshd will keep sessions alive during an upgrade, which
> would make sense since they're in memory and i'm upgrading the binary
> on disk. Still, after many aptitude upgrades where the ncurses popup
> tells me the following services need to be restarted, that didn't come
> to mind at the time. So the idea was to run two different binaries on
> two different ports with two different config files (just changing the
> port (yes i opened the ports in the fw)). This is a minimal remote
> server running lenny. Here's a step-by-step of what i've done, maybe
> someone can shed some light on where i went wrong:
>
> 1. cp /usr/sbin/sshd /usr/sbin/sshd2
> 2. cp /etc/ssh/sshd_config /etc/ssh/sshd_config2
> Change the port in 2.
> 3. open the new port in the fw and restart it
> 4. cp /etc/init.d/ssh /etc/init.d/ssh2
> Come to think of it i don't know why i would also copy the init
> script, 'cos that evidently screwed any attempt at a clean reboot.
> 5. /usr/sbin/sshd2 -f /etc/ssh/sshd_config2
> 6. test both connections
> 7. wget ...debian.org...openssh-server_5.3p1-1_i386.deb
> 8. dpkg -i openssh-server_5.3p1-1_i386.deb
> Which produced this:
 
 snip

I missed the beginning of this thread...

I just tested a couple of my machines, and I can stop the ssh daemon
while logged in via ssh.  My session persists, and I can restart the
daemon later from that same session.

-Rob





Re: Removing SSH's welcome message (before login)

2010-02-19 Thread Nuno Magalhães
Ok, after running ssh with -vvv [1] and renaming my ~/.ssh [2] i came
to fear dpkg may have done something to the current installation, even
though it stopped 'cos it had missing dependencies. I had 5.1p1, not
5.3p1 as i'm getting from both ports...

Which probably means the reboot i asked for tonight just might not
solve anything. Any thoughts?

Thanks,
Nuno

[1] http://pastebin.com/m61f505c5
[2] http://pastebin.com/m5c4564a0

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail





Re: Removing SSH's welcome message (before login)

2010-02-18 Thread Artifex Maximus
Hello!

2010/2/17 Nuno Magalhães nunomagalh...@eu.ipp.pt:
> If i telnet (or use a browser!) to my sshd, i get this string:
> SSH-2.0-OpenSSH_5.1p1 Debian-5
> even before i login.
>
> My /etc/motd is empty and i've also tried adding a Banner
> /etc/ssh/banner line to /etc/ssh/sshd_config (and creating the
> according empty file), and HUPing sshd. I still get this line.
>
> I'm sure this is something obvious but i can't seem to pin it down;
> short of messing with the code is there a way to remove this message?

Put this line into your sshd_config:

VersionAddendum AnyString-19540331

You have to restart sshd or reboot your computer and not kill -HUP
your sshd. After that you should see SSH-2.0-OpenSSH_5.1p1
AnyString-19540331.

Bye,
a





Re: Removing SSH's welcome message (before login)

2010-02-18 Thread Nuno Magalhães
2010/2/18 Artifex Maximus artife...@gmail.com:
> Put this line into your sshd_config:
>
> VersionAddendum AnyString-19540331

It's a remote machine and i want no string whatsoever, hence the
attempted upgrade.

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail





Re: Removing SSH's welcome message (before login)

2010-02-18 Thread Jon Dowland
On Thu, Feb 18, 2010 at 04:20:36PM +, Nuno Magalhães
wrote:
> 2010/2/18 Artifex Maximus artife...@gmail.com:
>> Put this line into your sshd_config:
>>
>> VersionAddendum AnyString-19540331
>
> It's a remote machine and i want no string whatsoever,
> hence the attempted upgrade.

Try 

VersionAddendum 

then.

Restarting the sshd daemon does not close your existing ssh
connections. Do it (invoke-rc.d ssh restart), make sure the
daemon accepts new connections (ssh from another terminal
window), and if you can't login, back out the change,
restart sshd again and confirm you can login.

It's always worth having a different channel to a machine
if ssh fails, such as a remote server management system with
a built-in local terminal (HP ones give you a java applet
which emulates a local keyboard and VGA monitor), or a
serial console connection to a serial multiplexer tool, or a
route to the 'console' for a virtual machine (many VPS
providers will offer this)

-- 
Jon Dowland
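
The change, restart, verify, back-out routine described in the reply above (and repeated in Jon Dowland's 2010-02-22 message), as an added example that is not part of the original thread. The function names, default paths and the use of `sshd -t` and `ssh-keyscan` for the two checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply ONE sshd_config change, verify it, roll back on failure.
# Paths, port and function names are assumptions; run as root from an
# existing SSH session (that session survives the daemon restart).

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
SSHD_PORT=${SSHD_PORT:-22}

# Check the candidate config before touching the running daemon.
validate_config() { /usr/sbin/sshd -t -f "$1"; }

# Restart command quoted in the thread.
restart_daemon() { invoke-rc.d ssh restart; }

# "Daemon accepts new connections": a fresh connection must complete a key
# exchange and hand back at least one host key.
probe_daemon() {
    [ -n "$(ssh-keyscan -T 5 -p "$SSHD_PORT" 127.0.0.1 2>/dev/null)" ]
}

# Usage: apply_with_rollback 'Keyword value'
# Returns 0 = applied and verified, 1 = rejected before any restart,
#         2 = daemon did not answer, change backed out and daemon restarted.
apply_with_rollback() {
    line=$1
    backup="$SSHD_CONFIG.bak.$$"
    cp -p "$SSHD_CONFIG" "$backup" || return 1

    # sshd uses the first value it reads for a keyword, and a line appended
    # after a Match block would belong to that block, so prepend.
    { printf '%s\n' "$line"; cat "$backup"; } > "$SSHD_CONFIG"

    if ! validate_config "$SSHD_CONFIG"; then
        cp -p "$backup" "$SSHD_CONFIG"; rm -f "$backup"
        return 1
    fi

    restart_daemon
    if probe_daemon; then
        rm -f "$backup"
        return 0
    fi

    # Back out the single change and restart again.
    cp -p "$backup" "$SSHD_CONFIG"; rm -f "$backup"
    restart_daemon
    return 2
}
```

Called as, for instance, `apply_with_rollback 'DebianBanner no'`; a keyword the installed sshd does not recognise fails the validation step, so the daemon is never restarted with it.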




Re: Removing SSH's welcome message (before login)

2010-02-18 Thread Nuno Magalhães
On Thu, Feb 18, 2010 at 16:49, Jon Dowland j...@debian.org wrote:
> On Thu, Feb 18, 2010 at 04:20:36PM +, Nuno Magalhães
> wrote:
>> 2010/2/18 Artifex Maximus artife...@gmail.com:
>>> Put this line into your sshd_config:
>>>
>>> VersionAddendum AnyString-19540331
>>
>> It's a remote machine and i want no string whatsoever,
>> hence the attempted upgrade.
>
> Try
>
> VersionAddendum 
>
> then.
>
> restarting the sshd daemon does not close your existing ssh

IT'S A REMOTE MACHINE, i would've restarted ssh already, don't you
think? I'm trying to avoid rebooting, but it seems like the only
choice. And i have two channels, only of the same kind. Maybe i
should've thrown a cron job at it too but it's too late for What ifs.


-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail





Removing SSH's welcome message (before login)

2010-02-17 Thread Nuno Magalhães
Hi,

If i telnet (or use a browser!) to my sshd, i get this string:
SSH-2.0-OpenSSH_5.1p1 Debian-5
even before i login.

My /etc/motd is empty and i've also tried adding a Banner
/etc/ssh/banner line to /etc/ssh/sshd_config (and creating the
according empty file), and HUPing sshd. I still get this line.

I'm sure this is something obvious but i can't seem to pin it down;
short of messing with the code is there a way to remove this message?

TIA,
Nuno

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail





Re: Removing SSH's welcome message (before login)

2010-02-17 Thread Sven Joachim
On 2010-02-17 18:18 +0100, Nuno Magalhães wrote:

> If i telnet (or use a browser!) to my sshd, i get this string:
> SSH-2.0-OpenSSH_5.1p1 Debian-5
> even before i login.
>
> My /etc/motd is empty and i've also tried adding a Banner
> /etc/ssh/banner line to /etc/ssh/sshd_config (and creating the
> according empty file), and HUPing sshd. I still get this line.
>
> I'm sure this is something obvious but i can't seem to pin it down;
> short of messing with the code is there a way to remove this message?

No.  The code is in the sshd_exchange_identification() function in
sshd.c, if you're interested.

Newer versions of openssh-server (starting with 1:5.2p1-2) have a
DebianBanner option that allows you to remove the Debian revision from
this string.

Sven
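
Why the line cannot simply be switched off: the identification string is the first message of the SSH protocol, laid out as `SSH-protoversion-softwareversion SP comments` in RFC 4253. The following added example (not from the thread or from OpenSSH; the function name and output format are assumptions) splits a banner into those fields and shows that only the trailing comments field, here the Debian revision, is optional.

```shell
#!/bin/sh
# Added example: split an SSH identification string into its RFC 4253 fields.
# Function name and output format are assumptions made for illustration.

# Prints "proto=<v> software=<v> comments=<text or ->" and returns 0 for a
# well-formed SSH-2 identification line; returns 1 otherwise.
parse_ssh_ident() {
    ident=$(printf '%s' "$1" | tr -d '\r\n')   # drop the terminating CR LF
    [ "${#ident}" -le 253 ] || return 1        # 255 characters incl. CR LF

    case $ident in
        SSH-*-*) ;;                            # mandatory "SSH-x-y" skeleton
        *) return 1 ;;
    esac

    rest=${ident#SSH-}
    proto=${rest%%-*}                          # text up to the next '-'
    rest=${rest#*-}

    # Everything after the first space is the optional comments field.
    case $rest in
        *' '*) software=${rest%% *}; comments=${rest#* } ;;
        *)     software=$rest;       comments=- ;;
    esac

    # protoversion: 2.0, or 1.99 for a server that also speaks SSH-1.
    case $proto in
        2.0|1.99) ;;
        *) return 1 ;;
    esac

    # softwareversion may not contain '-'; an empty one is treated as
    # malformed here, which is why "no string whatsoever" is not an option.
    case $software in
        ''|*-*) return 1 ;;
    esac

    printf 'proto=%s software=%s comments=%s\n' "$proto" "$software" "$comments"
}
```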





Re: Removing SSH's welcome message (before login)

2010-02-17 Thread Nuno Magalhães
And then he borked it...

2010/2/17 Sven Joachim svenj...@gmx.de:
> No.  The code is in the sshd_exchange_identification() function in
> sshd.c, if you're interested.
>
> Newer versions of openssh-server (starting with 1:5.2p1-2) have a
> DebianBanner option that allows you to remove the Debian revision from
> this string.

I tried upgrading by running a copy of sshd on another port, since
it's a remote server.
The openssh package from unstable required dependencies so i didn't go
through with the installation, leaving two instances of the server
running on two ports with two sshd_config files (only the port
differs). Both ports are open at the firewall and things seemed to be
ok at work where i logged in from.

When i came back home to fix the dependencies i got this nifty message
on both ports:
ssh_exchange_identification: Connection closed by remote host

The solutions on the net don't seem to apply, as:
- I doubt it's too many connections as i'm the only one connecting to
the server, but i'll wait it out and see if they timeout. I must've
logged off 2h ago already though.
- I tried ssh-ing from another machine on another network but i get
the same message.
- I haven't touched the .allow/.deny files so i doubt that's it,
unless the new package (i used dpkg -i) overwrote them. Since it had
unmet dependencies, i assumed it did nothing.

At least i'm not getting the OpenSSH version string anymore :)

Any suggestions?

TIA,
Nuno

-- 
()  ascii-rubanda kampajno - kontraŭ html-a retpoŝto
/\  ascii ribbon campaign - against html e-mail

