>Darren wrote:
>> Why not ? Why can't OpenSolaris just be as quick as OpenBSD ?
>
>When there is a problem with OpenSSH, does the Sun team investigate
>whether it affects their forked code base? If so, don't they have to
>port the fix and then do regression testing? Doesn't this take time?

Yes, and we also forward port new features. And while it may take
time there's no reason why our investigation should start after the
OpenSSH fixes have been released.

>I believe that knowing a machine's OS could possibly help an attacker
>exploit version-specific security vulnerabilities.

How do you exploit OS version specific vulnerabilities if all you can
connect to is SSH? And if you can connect to SSH, how much trouble do
you think it is to try all exploits in order?

>> Have you actually read the SSH protocol specification ?
>
>No, I'm not an SSH developer. But UNIX admins are often in a position
>to decide which SSH implementation to use. It might be interesting to
>read a "how to" document that illustrates the SunSSH enhanced
>functionality with practical examples. But until the real benefits
>outweigh a perceived risk, I will continue to replace SunSSH with
>OpenSSH.

Darren's suggestion about reading the protocol spec was to make clear
why it is we cannot change the banner strings.

IT IS A REQUIREMENT OF THE SSH SPEC TO INCLUDE IMPLEMENTATION AND VERSION
INFORMATION IN THE BANNER.

If you change the version string, interoperability ceases and SSH no
longer works.

I'm not sure what benefit you perceive from using an implementation
of SSH which is less well integrated (barely working PAM and other missing
items) considering the additional maintenance burden it places on you.

Casper
_______________________________________________
opensolaris-discuss mailing list
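The banner requirement discussed in this message, as an added example that is not part of the original thread: a validator for the SSH identification string as RFC 4253 section 4.2 defines it (`SSH-protoversion-softwareversion SP comments CR LF`). The function names and the `ExampleSSH` banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion is printable US-ASCII without whitespace or minus sign.
_IDENT = re.compile(
    rb"SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    rb"(?: (?P<comments>[\x20-\x7e]*))?"
)
MAX_LEN = 255  # maximum length, CR LF included


def parse_ident(line: bytes) -> dict:
    """Validate one identification line and split it into its fields."""
    if len(line) > MAX_LEN:
        raise ValueError("identification string longer than 255 bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("identification string must end in CR LF")
    m = _IDENT.fullmatch(line[:-2])
    if m is None:
        raise ValueError("not SSH-protoversion-softwareversion[ SP comments]")
    proto = m.group("proto").decode()
    # "2.0" is SSH2; "1.99" is a server that also accepts old 1.x clients.
    if proto not in ("2.0", "1.99"):
        raise ValueError("unsupported protoversion " + proto)
    comments = m.group("comments")
    return {
        "proto": proto,
        "software": m.group("software").decode(),
        "comments": comments.decode() if comments is not None else None,
    }


def find_ident(data: bytes) -> dict:
    """A server may send other lines first; the first 'SSH-' line is the banner."""
    for raw in data.splitlines(keepends=True):
        if raw.startswith(b"SSH-"):
            return parse_ident(raw)
    raise ValueError("no identification string found")


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real server.
    for sample in (b"SSH-2.0-ExampleSSH_1.0 build7\r\n", b"SSH-2.0-\r\n"):
        try:
            print(sample, "->", parse_ident(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

A banner with the softwareversion field stripped out (`SSH-2.0-`) is rejected as malformed, since the field is mandatory in the format.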
