Subject: OpenSSH installation from package source
To: packages@netbsd.org, tech-security <tech-security@netbsd.org>
From: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
List: tech-security
Date: 07/01/2002 13:36:07

Hello,

    I don't know whether you take this for a bug or a feature, but...

I have been running OpenSSH since the 1.5.2 installation. This was running from 
/usr/sbin/sshd, which is OpenSSH_2.5.1.

After reinstalling the package I found out that the new version 
installed itself into /usr/pkg/sbin/sshd, not replacing the one in 
/usr/sbin/sshd. It didn't change the /etc/rc.d/sshd. It didn't adopt the 
old configuration file and keys. In other words: it was just a dead 
installation.

Unfortunately, it didn't even bother to give any warning that simply 
restarting with the /etc/rc.d/sshd definitely is not a sufficient action 
and that very explicit manual changes are required in order to switch to 
the new version.

IMHO: what if `make install' of this package just renamed the old files 
to some sshd.original, sshd_config.original etc. and softlinked into 
/usr/pkg/sbin, /usr/pkg/etc ... ?
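
A check for the situation this message describes, added here as an example and not part of the original post or of pkgsrc: it reports which sshd binary the rc.d script starts and flags a package-installed sshd that is never started. The function names, the ROOT argument and the assumption that the rc.d script sets the binary on a single `command="..."` line are illustrative; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original message). ROOT is a hypothetical
# parameter: "" checks the live system, a directory checks a constructed tree.

# rc_command ROOT NAME: print the command= path from ROOT/etc/rc.d/NAME with
# ${name} expanded. Assumes the script sets it on a single command="..." line.
rc_command() {
    root=$1; name=$2
    sed -n 's/^command="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' \
        "$root/etc/rc.d/$name" | head -n 1 |
        sed -e "s/[\$]{name}/$name/g" -e "s/[\$]name/$name/g"
}

# check_sshd ROOT [PREFIX]: print one status line. Returns 0 if no package
# sshd sits unused, 1 if a package sshd is installed but rc.d starts another
# binary, 2 if the rc.d script is missing or has no command= line.
check_sshd() {
    root=$1; prefix=${2:-/usr/pkg}
    [ -f "$root/etc/rc.d/sshd" ] || { echo "UNKNOWN: no rc.d/sshd"; return 2; }
    active=$(rc_command "$root" sshd)
    [ -n "$active" ] || { echo "UNKNOWN: no command= line"; return 2; }
    pkgbin="$prefix/sbin/sshd"
    if [ -x "$root$pkgbin" ] && [ "$active" != "$pkgbin" ]; then
        echo "STALE: rc.d starts $active; $pkgbin is installed but unused"
        return 1
    fi
    echo "OK: rc.d starts $active"
}

# Constructed sample tree mirroring the message: base sshd in /usr/sbin, the
# package's sshd in /usr/pkg/sbin, and an rc.d script the package left alone.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/rc.d" "$t/usr/sbin" "$t/usr/pkg/sbin"
    printf 'name="sshd"\ncommand="/usr/sbin/${name}"\n' > "$t/etc/rc.d/sshd"
    : > "$t/usr/sbin/sshd"; : > "$t/usr/pkg/sbin/sshd"
    chmod +x "$t/usr/sbin/sshd" "$t/usr/pkg/sbin/sshd"
    echo "$t"
}

tree=$(make_sample_tree)
check_sshd "$tree" || true
rm -rf "$tree"
```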