Upgrading Cyclades TS2000 from 1.3.4 to 1.4.0-3 (DRAFT)
This is a draft document; regular disclaimers apply.
Reasons for upgrade
ftp://ftp.cyclades.com/pub/cyclades/cyclades-ts/tsrelease.html describes bug-fixes and improvements in each firmware version. Of note, 1.3.12 repairs a severe security hole in the ssh implementation (commands were being executed with root privilege when connecting to serial ports) as well as other vulnerabilities. All Cyclades terminal servers should be upgraded to at least that version.
Process
Start from ftp://ftp.cyclades.com/pub/cyclades/cyclades-ts/
Briefly read the Upgrade Instructions in the User Guide for your HW in /doc (ftp://ftp.cyclades.com/pub/cyclades/cyclades-ts/doc/TS140_Manual.pdf). However, this guide is insufficient for doing the upgrade.
ftp://ftp.cyclades.de/pub/cyclades/cyclades-ts/upgrade_table_ts.htm cautions that you must apply one or more interim firmware upgrades before you can upgrade to the latest firmware, unless you want to discard customizations.
Go to ftp://ftp.cyclades.com/pub/cyclades/cyclades-ts/released/ and choose your upgrade version (from 1.3.4 to 1.4.0, needs interim 1.3.8 first).
Read upgrade_[version].txt once through.
http://www.cyclades.com/support/faqs.php?nid=252 has a better firmware installation procedure than the Manuals do; it states explicitly that, from the cyclades box, you're going to do something like:
ftp ftp.cyclades.com
hash
bin
lcd /proc/flash
cd /pub/cyclades-ts
get zImage_ts_134.bin zImage
quit
(Note: the CSCF firewall required me to download from cyclades cscf.cs as an intermediary step.)
It's important to check the md5sum for the download as described in http://www.cyclades.com/support/faqs.php?nid=252; if the download goes wrong and then you reboot, your kernel will be in trouble.
After you've applied the firmware upgrade according to those instructions, start going through the upgrade_[version].txt instructions. You must do ALL upgrades in sequence starting at the version you're currently running ("upgrading from version X").
A few tips (many of which may be specific to CSCF)
- In upgrade 1.3.4, don't bother merging the sshd_config.conf now; you'll do it again in 1.3.9. Make a copy of the old version elsewhere, and overwrite with the sshd_config.save.
- /etc/network/firewall in 1.3.6:
remove the last line ("-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j DENY") and add to the end:
-A input -s 0.0.0.0/0.0.0.0 13:13 -d 0.0.0.0/0.0.0.0 -p 1 -j DENY
-A input -s 0.0.0.0/0.0.0.0 14:14 -d 0.0.0.0/0.0.0.0 -p 1 -j DENY
/*(verify that was correct)*/
- pslave.conf goes through some major changes in 1.3.6. Either steal a copy from cts1.cscf, if your install is similar; or use these diffs between the stock v1.3.6 conf (pslave.conf.save) and the proper one for cts1.cscf:
$ diff cts1-pslave.conf.save cts1-pslave.conf.new
86c86,87
< conf.dhcp_client 2
---
> #conf.dhcp_client 2
> conf.dhcp_client 0
89a91,92
> conf.eth_ip 129.97.15.10
> conf.eth_mask 255.255.255.0
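Review bot: conf.eth_ip 129.97.15.10 and conf.eth_mask 255.255.255.0 in this hunk are the address of cts1.cscf itself. When this diff is applied to any other unit, substitute that unit's own address and mask rather than copying these two lines verbatim, otherwise two boxes end up claiming the same IP.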
217,218c220,222
< all.authtype none
< #
---
> #all.authtype none
> all.authtype local
>
248c252,253
< all.protocol socket_server
---
> #all.protocol socket_server
> all.protocol socket_ssh
264c269
< #all.ipno 192.168.1.101+
---
> all.ipno 192.168.1.101+
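Review bot: all.ipno 192.168.1.101+ is uncommented here with the stock value unchanged, and that range is outside the 129.97.15.0/24 network set by conf.eth_ip and conf.eth_mask earlier in the diff. Confirm this range is really what the site wants before enabling the line, and note the reason next to it in the conf.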
531a537
> all.dont_show_DBmenu 0
541a548
> all.DB_timestamp 0
638a646
> all.multiple_sessions yes
646c654
< #all.escape_char ^z
---
> all.escape_char ^z
- /* I need to ask Dave whether we should turn on ntpclient? It's been off until now */
- /etc/syslog-ng/syslog-ng.conf in 1.3.8: a manual diff shows we were using the default, so replacing with new version.
- /etc/timezone: revert to .saved, and change later in the web interface.
- The only real mistake in the instructions is at upgrade 1.3.9; it says to add group pmusers and run chgrp pmusers /bin/pm. As noted in 1.3.12, you're going to remove the user again, so don't bother adding it.
- /etc/ssh/sshd_config for v1.3.9 can be overwritten for testing purposes, especially if you saved your old version instead of merging from 1.3.4.
- when you ultimately change sshd_config, in CSCF you can just add to the end:
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
X11Forwarding yes
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication yes
RhostsRSAAuthentication yes
HostbasedAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11UseLocalhost no
UsePrivilegeSeparation no
- In upgrade 1.3.11, don't remove /etc/snmp/snmpd.conf from /etc/config_files; it's used by /etc/snmpd.sh. You will want to add /etc/snmpd.sh to /etc/config_files.
--
DanielAllen - 12 Oct 2005