Dennis Clarke wrote:
Dennis Clarke wrote:
[...]
Personally I just use svcadm to disable the Sun shipped OpenSSH and
then I go with the packages from Blastwave. Works like a charm.
Unless, of course, you want auditing to work right or want support
from Sun.
Auditing ?
Please explain. Do you mean the entries in wtmpx etc etc ?
As for Support ... gee ... get a support contract like I told you to.
I have one ... he has one .. they have theirs. Do YOU ??
insert Uncle SAM poster here
dc
He certainly refers to the SunSHIELD Basic Security Module (BSM)
auditconfig(1M), auditd, auditreduce, audit_startup, auditstat and
audit_warn.
wow
So you are saying that it's possible for a user to do one of the following:
User no, the admin of the machine yes.
(1) download OpenSSH source .. build it themselves
(2) get it from SunFreeware
(3) get it from Blastwave
and then access the system in a way that slips under the radar of the BSM
modules? The user can do whatever they want and not be tracked?
If the OpenSSH releases still aren't shipping with working BSM support
or it was built without it then yes the Solaris BSM Audit mask won't get
set up properly at login time.
This is spooky.
Sort of a barndoor left wide open security hole don't you think?
Yep, which is exactly why all of the login and screenlock programs
shipped as part of Solaris set up the Solaris BSM Audit mask in the
process creds properly.
It is also possible to build things like OpenSSH without PAM support and
bypass the system authentication policy that way, but just as above an
end user can't install that; it needs to be the admin, and they are
responsible for what they install - particularly when it is system
login components.
--
Darren J Moffat
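
One way an admin could check a replacement sshd for the two gaps discussed in this thread (no BSM audit support, no PAM support), as an added example that is not from any poster in the thread. It assumes a POSIX shell and that BSM and PAM support appear as dynamic links to libbsm and libpam; the function names and sample `ldd` output are constructed for illustration.

```shell
# Added example: classify an sshd binary by the audit/auth libraries it links.
# Assumption: a build with BSM audit and PAM support links dynamically against
# libbsm.so and libpam.so. A link is necessary but not sufficient evidence,
# and a statically linked build would not show up here at all.

# Reads `ldd` output on stdin, prints "bsm=<yes|no> pam=<yes|no>".
classify_ldd() {
    bsm=no; pam=no
    while IFS= read -r line; do
        case "$line" in
            *libbsm.so*) bsm=yes ;;
            *libpam.so*) pam=yes ;;
        esac
    done
    echo "bsm=$bsm pam=$pam"
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_WITH_BOTH='	libpam.so.1 =>	 /lib/libpam.so.1
	libbsm.so.1 =>	 /lib/libbsm.so.1
	libc.so.1 =>	 /lib/libc.so.1'
SAMPLE_WITHOUT_BSM='	libpam.so.1 =>	 /lib/libpam.so.1
	libc.so.1 =>	 /lib/libc.so.1'
SAMPLE_NEITHER='	libcrypto.so.1 =>	 /opt/example/lib/libcrypto.so.1
	libc.so.1 =>	 /lib/libc.so.1'

# Audit one binary; returns non-zero when either library is missing,
# so the caller can flag that sshd for review.
audit_sshd() {
    result=$(ldd "$1" 2>/dev/null | classify_ldd)
    echo "$1: $result"
    case "$result" in
        "bsm=yes pam=yes") return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given on the command line, e.g. each installed sshd.
for bin in "$@"; do
    audit_sshd "$bin" || echo "REVIEW: $bin lacks BSM and/or PAM linkage"
done
```

Run it with the path of each sshd installed on the machine; a flagged binary is a reason to check how that package was configured at build time, not proof of a bypass.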