Dear Darren,

Top-posting for effect.
You write below: "I will not be changing this in Solaris." What? You are the final arbiter of what goes into Solaris? People are coming forward with concerns about safety and system integrity, and you rebuff them with the "Go play with your marbles on the other side of the courtyard and leave the big boys to the serious business" attitude?

I work at a Fortune 200 company, in healthcare, and we are a large Sun customer. Let me tell you how it is from the trenches: Sun stuff sucks. It's much better than Microsoft or IBM, but it still blows chunks. We're using Solaris 8, and most of the admins here are clueless, asking us inane stuff like hardcoding our user passwords in scripts because policy says that we cannot have service accounts (not that I am following their advice, mind you). Now, there is a host of issues, and for brevity's sake I will not mention them. Let me just tell you that Sun's stuff is what I use when I absolutely have no other option. I run Debian stable for my own stuff and it's so much better for me, lemme tell you.

So when someone comes along, on their own dime, raises issues about security and system integrity, is not uppity and all "We are the BEST company in the world Yayes!" (if you want more of that, navigate to http://blogs.sun.com/roller/page/mary), and asks in a mild manner and in a spirit of cooperation whether a tool used specifically for enhanced security (SSH) can have a particular option, at the very least I expect you to demonstrate a professional and respectful demeanor.

On the particular issue, I would consider a flag, such as "Disable OS Identification to client", to be an acceptable option for all parties to consider.

Now, to be fair, you may have been having a bad day. We all do from time to time. Just don't let your bad day affect the eagerness of participants to make this OS/distro better.
Sincerely,
Christopher Mahan
[EMAIL PROTECTED]

--- Darren J Moffat <[EMAIL PROTECTED]> wrote:

> On Tue, 2006-01-10 at 03:10, Mike Bo wrote:
>
> > Do a search on "OS fingerprinting" and you'll find tools (checkos, nmap, etc.) which can determine a remote OS and version simply by observing the behavior of the networking stack. But with SunSSH, you don't even need any extra tools because the daemon itself betrays the host OS. When the string changes, it will become even easier to script a version-specific attack for the latest Solaris or the FTP, BIND, or other utilities that it installs (or includes on a companion CD).
>
> Which is EXACTLY why hiding this in the banner printed by SSH is pointless.
>
> You do realise that if you change this the client and server may have interop problems with other clients and servers?
>
> I will not be changing this in Solaris. However you are more than free to build your own version of SSH from the Sun modified sources that are available from opensolaris.org, or choose to run with a broken PAM implementation by using the current bits from OpenSSH.
>
> --
> Darren J Moffat
>
> _______________________________________________
> opensolaris-discuss mailing list
> [email protected]
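The identification string the thread is arguing over is the first line an SSH server sends (RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"), and that is all a fingerprinting script needs to read. Below is an added example that is not part of either message in the thread and is not SunSSH or OpenSSH code. The sample banners and the small vendor table are constructed for illustration only; the parser, the classifier and the optional live banner grab are assumptions of this example, not behaviour documented by either project.

```python
"""Parse and classify SSH identification strings (RFC 4253 section 4.2).

Added example, not from the mailing-list thread or from SunSSH/OpenSSH sources.
The sample banners and the vendor table below are constructed for illustration.
"""
import re
import socket

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)

# Constructed sample banners (illustrative, not captured from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-Sun_SSH_1.1",
    "SSH-1.99-OpenSSH_3.9p1",
    "SSH-2.0-OpenSSH_4.2p1 Debian-7",
    "SSH-2.0-GenericSSH",
]

# Hypothetical fingerprint table: (software prefix, comment substring, guess).
# A real fingerprinting tool carries a much larger, maintained database.
FINGERPRINTS = [
    ("Sun_SSH", None, "Solaris (SunSSH)"),
    ("OpenSSH", "Debian", "Debian (OpenSSH)"),
    ("OpenSSH", None, "OpenSSH (OS unknown)"),
]


def parse_banner(line):
    """Split an identification string into its RFC 4253 fields; None if malformed."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),
    }


def fingerprint(line):
    """Return a best-effort vendor/OS guess from the banner, or 'unknown'."""
    fields = parse_banner(line)
    if fields is None:
        return "unknown"
    for prefix, comment_hint, guess in FINGERPRINTS:
        if not fields["software"].startswith(prefix):
            continue
        if comment_hint is not None and comment_hint not in (fields["comments"] or ""):
            continue
        return guess
    return "unknown"


def grab_banner(host, port=22, timeout=5.0):
    """Read the server's identification line from a live TCP connection.

    RFC 4253 4.2 lets a server send other lines before the SSH- line, so
    anything not starting with "SSH-" is skipped. Not called by default.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                return None
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                text = line.decode("ascii", errors="replace").rstrip("\r")
                if text.startswith("SSH-"):
                    return text


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:35} -> {fingerprint(banner)}")
```

Run as-is it only classifies the constructed banners; pass a host to grab_banner() to read a real one. The last sample shows the effect of the flag proposed above: a generic software string leaves the classifier with "unknown", while the protocol version still has to be sent because the identification string is mandatory for the key exchange to start. It does nothing about the TCP/IP stack behaviour that tools like nmap use, which is the point Darren makes about the banner alone.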
