Solaris 10 sshd


I am curious, does anyone know which version of OpenSSH the Solaris 10
sshd is based on and whether it is possible to enable privilege
separation with it?


-akop
0
Reply Akop 7/9/2004 7:37:51 PM

Akop Pogosian <akopps+usenet@ocf.berkeley.edu.remuvthis.com> writes:

>I am curious, does anyone know which version of OpenSSH the Solaris 10
>sshd is based on and whether it is possible to enable privilege
>separation with it?

A fairly recent version but it does *not* support privilege
separation.

Privilege separation as implemented in OpenSSH is not compatible
with BSM and auditing; if you want it to reduce the risk of security
problems in OpenSSH I'd like to remind you that it is the implementation
of privilege separation which is responsible for the majority of
OpenSSH security problems over the past years; it adds a lot of
complexity while breaking much needed functionality.

We're looking into doing similar risk mitigation using
fine-grained privileges available in Solaris 10.


Casper

-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
0
Reply Casper 7/9/2004 8:31:43 PM


Casper H.S. Dik <Casper.Dik@Sun.COM> writes:

> implementation of privilege separation which is responsible for the
> majority of OpenSSH security problems over the past years; it adds
> a lot of complexity while breaking much needed functionality.

Which security issues were caused by privsep?

I know of two issues which were prevented/mitigated by privsep
([1],[2] and [3]), but don't know of any that were caused by it.

I'm looking at the OpenSSH (portable) site, are there Sun specific
advisories?


[1] http://www.openssh.com/txt/buffer.adv
[2] http://www.cert.org/advisories/CA-2003-24.html
[3] http://www.openssh.com/txt/preauth.adv

-- 
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
0
Reply David 7/10/2004 12:14:21 AM

David Magda <dmagda+trace040423@ee.ryerson.ca> writes:

>[1] http://www.openssh.com/txt/buffer.adv
>[2] http://www.cert.org/advisories/CA-2003-24.html
>[3] http://www.openssh.com/txt/preauth.adv


I think, e.g.,: http://www.openssh.com/txt/sshpam.adv


But anyway, even with standard OpenSSH you cannot use
privilege separation on Solaris because it breaks PAM.

Casper
-- 
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
0
Reply Casper 7/10/2004 6:53:41 AM
