On Fri, 2005-12-23 at 20:22, Mike Bo wrote: > First, Sun support is great. However, there are frequent revisions to > OpenSSH. When time is of the essence, like immediately following the > discovery of a weakness, OpenSSH is going to be patched almost immediately. > With all due respect to Sun, I don't think they can possibly be as responsive.
Why not ? Why can't OpenSolaris just be as quick as OpenBSD ? Please give solid reasons rather than "I don't think". We try very hard to be as quick as we can but sometimes we don't find out quickly enough. It is also worth noting that some of the security bugs that have impacted the OpenSSH code in recent years have NOT impacted the SSH in Solaris. > Second, when you connect to a Sun supplied sshd (try "telnet host 22"), it > identifies itself as "SSH-2.0-Sun_SSH_1.1". Sorry, but I don't want any of my > machines identifying what OS they are running - especially if they are > accessible from the Net. (I'm aware that certain peculiarities of TCP stack > behavior can also tell a smart hacker what OS is being run, I just don't like > advertising.) So why is it okay to advertise that it is OpenSSH but not okay to advertise the OS ? Have you actually read the SSH protocol specification ? If you have then I'm sure you understand exactly why it is necessary that the SSH product version is in there. The reason it says Sun_SSH_1.1 and not OpenSSH* is because we forked the code and some of the changes we have the OpenSSH/OpenBSD team are not interested in - primarily the I18N/L10N changes. Note also that the Sun SSH developers (me included) consider the PAM support in OpenSSH to be broken and we have tried for several years (as have others) to convince the OpenSSH developers to change things. Huge progress has been made but they aren't quite there yet in our opinion (we often just get back "but we think PAM is broken" - and that doesn't actually help). The forked version of OpenSSH in Solaris also has better GSS-API support it is fully integrated with SMF (which BTW did involve code change to ensure that svcadm restart works as expected) it has I18N/L10N support and BSM audit support. -- Darren J Moffat _______________________________________________ opensolaris-discuss mailing list opensolaris-discuss@opensolaris.org
