Date: Wed, 18 Nov 2009 19:18:08 -0800
From: Andrew Sharp <andy.sharp@lsi.com>
To: "Scheer, Larry" <Larry.Scheer@lsi.com>
Subject: Re: Please review change 33862 for defect 27544 ssh keys problem
Message-ID: <20091118191808.46b43211@ripper.onstor.net>
In-Reply-To: <DEC609CD0E54B2448DAF023C89AE9755E9275AA4@cosmail02.lsi.com>
References: <DEC609CD0E54B2448DAF023C89AE9755E9275AA4@cosmail02.lsi.com>
Organization: LSI
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Wed, 18 Nov 2009 19:51:11 -0700 "Scheer, Larry"
<Larry.Scheer@lsi.com> wrote:

> Hi Andy,
>     These changes are on linux-compile
> in /home/larrys/perforce/trees/dev/nfx-tree workspace.
> 
> Sorry about that. My mightydog workspace has the tuxstor merge going
> on in it and I didn't want to use that p4 client for these changes
> (for my own sanity.)

You can have as many clients as you want reside on mightydog, it's
really just a directory, in the end.

> Let me know if you need anything. I still need to test this change on
> a live system but I wanted to get a jump on the review process.

Just mount it to ripper, if you don't mind.  That's what you've done
in the past, right?  I figured you would just leave it mounted, unless
this is a different place or something.

> Larry
> 
> Change 33862 by larrys@larrys-r14-dmip on 2009/11/18 18:42:22
> *pending*
> 
>         For TED00027544 "still seeing Add check for broken ssh host
> keys in /etc/ssh and replace keys"
> 
>         There potentially exists a problem of old vulnerable (aka
> blacklisted) ssh keys being reintroduced into a filer running 4.0.3.0
> or later release when a system config recover or the initial
> configuration is run and pulls the configuration files from the
> standby flash after sshd starts for the first time.
> 
>         Also a problem could exist when a filer is downgraded from
> 4.0.3.0 (or later release) to an earlier root file system and then
> moved back to 4.0.3.0 (or later).
> 
>         The solution is to remove /etc/default/.hostkeychecked after a
>         system upgrade is run and also whenever the system
> configuration files are recovered from the standby flash. This
> triggers a vulnerable key check and regeneration of the ssh keys if
> needed when sshd is started.
> 
>         Reviewed by:
> 
> Affected files ...
> 
> ... //depot/dev/nfx-tree/code/ssc-initial-config/initial-config.c#15 edit
> ... //depot/dev/nfx-tree/code/ssc-nfxsh/cmd_flash.c#23 edit
> ... //depot/dev/nfx-tree/code/ssc-nfxsh/verify_install.in#15 edit