> Dennis Clarke wrote: >>> >>>> Still missing the aes256-cbc ciphers etc etc for various reasons. >>>> Mostly government export controls, not technical. >>>> >>> Import controls but probably not relevant anymore (we ship all >>> the 256 bit ciphers in a download available to almost everyone) >>> >> >> Is it in the shipping pro > > Not for SSH because the code changes to get it to do so weren't deemed > worthwhile. > > For the vast majority of people AES with a 128 bit key is more than > enough, IMO using anything higher for most people is really just burning > CPU.
yeah .. but I see those black helicopters and hear funny noises on my telephone :-) >>>> Auditing ? >>>> >>>> Please explain. Do you mean the entries in wtmpx etc etc ? >>>> >>> No, BSM auditing. (Full audit trail of all actions performed >>> by user after logging in) >>> >>> >> >> You mean its possible to login to a Solaris 10 server by some method and >> completely slip under the radar of the audit processes ? Wow .. thats >> just totally scary. >> >> > Not on a default Solaris 10 system it isn't. On a system where the > system admin is explicitly choosen to install software that doesn't > write audit records it is. The login application is fully trusted (it > has to be) and it is responsible for writing the audit records - it was > the one that did the authentication and session setup. Let me just walk through this .. slowly. Let's suppose that a user has used svcadm to disable access via ftp and telnet and also has disable the Sun SSH gear. so disable this : # svcs -av | egrep -i "ssh|ftp|telnet" disabled - Aug_02 - svc:/network/telnet:default disabled - Aug_02 - svc:/network/ftp:default online - Aug_02 51 svc:/network/ssh:default Then we install or build some other OpenSSH packages and start them up. So then we have this : # svcs -av | egrep -i "ssh|ftp|telnet" legacy_run - 3:55:29 65 lrc:/etc/rc2_d/S96opensshd disabled - 3:54:44 - svc:/network/ssh:default disabled - 3:55:13 - svc:/network/telnet:default disabled - 3:55:13 - svc:/network/ftp:default Put in ipf.conf and get ipfilter running such that no one gains access in any way other than via port 22. In fact .. the sshd_config has only basic entries like : Protocol 2 # the address below is some internal trusted network ListenAddress xxx.xxx.xxx.xxx PermitRootLogin no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #UseLogin no <--------------- this bugs me #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /opt/csw/libexec/sftp-server # Now then .. I can ssh into that box and I do see an entry in wtmpx and the "last" command says that I am in. >From here on in I can run amok and the audit processes will not track a thing that I do? I just want to know really. Dennis _______________________________________________ opensolaris-discuss mailing list [email protected]
