* on the Sun, Jan 08, 2006 at 01:13:15AM -0800, Mike Bo was tippering:

> Darren wrote:
> > Why not ? Why can't OpenSolaris just be as quick as OpenBSD ?
>
> When there is a problem with OpenSSH, does the Sun team investigate whether
> it affects their forked code base? If so, don't they have to port the fix
> and then do regression testing? Doesn't this take time?
>
> > It is also worth noting that some of the security bugs that have impacted
> > the OpenSSH code in recent years have NOT impacted the SSH
> > in Solaris.
>
> That's cool... congrats.

So, erm... what does that mean? Are you ^trying^ to be snotty or is that a point?

> > So why is it okay to advertise that it is OpenSSH but not okay to
> > advertise the OS ?
>
> I believe that knowing a machine's OS could possibly help an attacker
> exploit version-specific security vulnerabilities.

It's pretty darn easy these days to guess the OS. There are one too many tools that can help you do this... and truly, "security through obscurity" has never really helped secure anything.

> > Have you actually read the SSH protocol specification ?
>
> No, I'm not an SSH developer. But UNIX admins are often in a position to
> decide which SSH implementation to use. It might be interesting to read a
> "how to" document that illustrates the SunSSH enhanced functionality with
> practical examples. But until the real benefits outweigh a perceived risk, I
> will continue to replace SunSSH with OpenSSH.

You are welcome to do what you want... (and frankly no one cares), but Darren has provided some very valid points. Sun's SSH does come with additional functionality out of the box and is supported. No one is holding your hands or preventing you from running one version over the other.

-- 
Bruno Delbono
Open-Systems Group Inc.
http://www.open-systems.org/users/bruno/
_______________________________________________ opensolaris-discuss mailing list [email protected]
