
SSH - Sun Solaris


  1. #21

    Re: SSH

    On Sun, 5 Oct 2003 23:03:51 +0200 "UNIX admin" <com> wrote: 
    >
    > Now this is true nonsense. Obviously, you neglected the fact that, though
    > still vulnerable, an SSH session is encrypted, while a telnet session is in
    > plain text. It should be quite obvious, knowing these facts, to conclude
    > that even a vulnerable SSH is superior to telnet.

    Surely you are joking. First of all, your telnet is unlikely to be sniffed.
    Second, if it is, the attacker needs to have access somewhere in your
    network.

    A vulnerable ssh is vulnerable from anywhere without extra work.

    /fc
    Frank Guest

  2. #22

    Re: SSH

    On Sun, 05 Oct 2003 20:23:11 -0400, wrote:
     
    >>
    >>You got a bit mixed up there. The URL is for the commercial version of
    >>SSH. OpenSSH is at http://www.openssh.org.
    >
    > Re-read his post ...
    >
    > He was talking about buying the commercial version, he just didn't
    > word it very well :)

    Yep, you are correct.

    But the commercial version has had its share of root holes, too. Just
    because one pays for a product does not ensure its security.

    Dave Guest

  3. #23

    Re: SSH

    On Sun, 05 Oct 2003 19:44:58 -0500, Dave Uhring <com>
    wrote:
     
    >>
    >> Re-read his post ...
    >>
    >> He was talking about buying the commercial version, he just didn't
    >> word it very well :)
    >
    >Yep, you are correct.
    >
    >But the commercial version has had its share of root holes, too. Just
    >because one pays for a product does not ensure its security.

    I agree.

    Also, take a look at the current prices:

    http://esd.element5.com/product.html?productid=506798

    *ouch*


    Regards,

    Tom Hall

    Tom Guest

  4. #24

    Re: SSH

    On Sun, 05 Oct 2003 21:04:00 -0400, wrote: 

    There are probably thousands of pin-headed managers who will gladly pay
    that price, too, and reject OpenSSH just because it -is- free.

    Dave Guest

  5. #25

    Re: SSH

    On Sun, 05 Oct 2003 20:28:31 -0500, Dave Uhring <com>
    wrote:
     
    >
    >There are probably thousands of pin-headed managers who will gladly pay
    >that price, too, and reject OpenSSH just because it -is- free.

    Very true .... I used to run into a lot of "but, who will we sue ?"
    sort of when trying to get approval to use "free" software.

    But, many managers are really starting to change their tune due to the
    current economic climate in IT and the push to get their budgets
    under control.


    Regards,

    Tom Hall

    Tom Guest

  6. #26

    Re: SSH

    On Sun, 05 Oct 2003 22:33:11 -0400, Tom Hall wrote:
     

    The answer to that question is always "nobody" regardless of the software
    vendor. Care to guess how many millions MSFT has paid in damages for
    defective products? Billg's own demo machines went BSOD at his "roll out"
    ceremonies for NT-4.

    Dave Guest

  7. #27

    Re: SSH

    On 05 Oct 2003 12:45:19 -0400, dmagda+ryerson.ca wrote: 
    >[...]
    >
    >I believe binaries of the latest version of both of these are
    >available on blastwave.org as well.

    yeup.

    # pkg-get -U -u openssl openssh
    # /etc/init.d/opensshd stop; /etc/init.d/opensshd start



    There IS a 'restart' option, but that just sends a HUP signal.
    You gotta really kill the listening demon.
    The above method should not kill any active sessions, so should be
    safe to do "live". But, the sysadmin's motto is, or should be,
    "Be prepared", aka "expect the unexpected" ;-)


    --
    http://www.blastwave.org/ for solaris pre-packaged binaries with pkg-get
    Organized by the author of pkg-get
    [Trim the no-bots from my address to reply to me by email!]
    S.1618 http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:D
    http://www.spamlaws.com/state/ca1.html
    Philip Guest

  8. #28

    Re: SSH

    Dave Uhring <com> writes: 
    >
    >There are probably thousands of pin-headed managers who will gladly pay
    >that price, too, and reject OpenSSH just because it -is- free.

    Ain't dat de troof. :o(

    --
    "The road to Paradise is through Intercourse."
    The uk.transport FAQ; http://www.huge.org.uk/transport/FAQ.html
    [email me at huge [at] huge [dot] org [dot] uk]


    Huge Guest

  9. #29

    Re: SSH

    Tom Hall <net> writes in comp.unix.solaris:
    |Very true .... I used to run into a lot of "but, who will we sue ?"
    |sort of when trying to get approval to use "free" software.

    The same people you sue when using commercial software - no one.
    Virtually all software licenses, freeware or commercial, contain
    many disclaimers about lack of warranty, limitation of user rights,
    etc.

    --
    __________________________________________________ ______________________
    Alan Coopersmith calberkeley.org
    http://www.CSUA.Berkeley.EDU/~alanc/ aka: COM
    Working for, but definitely not speaking for, Sun Microsystems, Inc.
    Alan Guest

  10. #30

    Re: SSH

    David Magda <dmagda+ryerson.ca> probably said: 

    You can link in things like that via PAM. I wrote an opie PAM module
    for Solaris some time ago;

    http://www.pir.net/pir/hacks/pam_opie.c

    P.

    --
    pir

    Peter Guest

  11. #31

    Re: SSH

    Tom Hall <net> writes: 
    [...]

    I take it these people have never read the license agreement? The one
    that says 'no warranty' (usually in big capital letters like the BSD
    license).

    --
    David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Guest

  12. #32

    Re: SSH

    Alan Coopersmith wrote:
     

    This is true, but you can still threaten the vendor with not
    buying any more of their stuff. If you are a big enough customer,
    they might care about this and fix something for you.

    - Logan

    Logan Guest

  13. Moderated Post

    Re: SSH

    Removed by Administrator
    diggler@joseff.net Guest
    Moderated Post

  14. #34

    Re: SSH

    On Mon, 6 Oct 2003 15:56:12 +0000 (UTC), Alan Coopersmith
    <calberkeley.org> wrote:
     

    Right, most companies will never sue a commercial company over
    software problems (although some have tried), but they like the fact
    that they have *someone* to try to hold accountable and apply pressure
    to -- someone else they can blame.

    It should be interesting to see where this Microsoft class-action
    lawsuit over the security defects in their products goes ...


    Regards,

    Tom Hall

    Tom Guest

  15. #35

    Re: SSH

    "Frank Cusack" <com> wrote in message
    news:savecore.net...

    Surely a bunch of you are jokers. Who in this day and age puts a machine out
    there in the wild with access allowed to just about anybody, from anywhere?
    There's this thing called a firewall, which, among other things, enables one
    to restrict where the [SSH, telnet] connection is allowed to come from.
    Boys, boys. Basic lesson of network security.

    Of course that SSH is going to be superior.


    UNIX Guest

  16. #36

    Re: SSH

    "Dave Uhring" <com> wrote in message
    news:com...
    >
    > You got a bit mixed up there. The URL is for the commercial version of
    > SSH. OpenSSH is at http://www.openssh.org.

    No I did not. ALTHOUGH was the key word there.

    And yes, I am recommending to go to the commercial version, hence, >>go to
    the source<<.

    BTW, you get the full source code on the CD when you buy the commercial
    version.


    UNIX Guest

  17. #37

    Re: SSH

    "Dave Uhring" <com> wrote in message
    news:com...
     

    You are correct; but it should ensure support.


    UNIX Guest

  18. #38

    Re: SSH

    <Tom Hall> wrote in message
    news:com...

    You get what you pay for. An old saying, that doesn't need any proof.


    UNIX Guest

  19. #39

    Re: SSH

    "Dave Uhring" <com> wrote in message
    news:com...
     

    Well, I'm not a manager, and I wouldn't go with OpenSSH, but not because
    it's free (that's great, in fact), but because it's open -- too open.
    I like the bit about "security through obscurity", at least when script
    kiddies are concerned, and unless someone can show me in hard numbers that
    commercial SSH has had more holes than OpenSSH, I see no reason to switch to
    OpenSSH.

    And BTW, we have had numerous problems and portability issues with OpenSSH,
    especially on IRIX. Not to mention that even when you use compatible
    encryption protocols, it still won't play nice with commercial SSH (from
    this point on, OpenSSH and SSH, respectively).

    Turning debugging on the SSH server and when trying to connect with an
    OpenSSH client, SSH server will report at least one or more implementation
    bugs in the negotiating protocol. Perhaps that has been fixed, but I doubt
    it, since I suspect it's been done on purpose. When using an SSH client to
    an OpenSSH server, the connection will hang when you log out, because
    there's apparently some bit about the OpenSSH server not closing some
    descriptors properly. OpenSSH debugging doesn't pick it up of course, but
    commercial SSH does.


    UNIX Guest

  20. #40

    Re: SSH

    "Alan Coopersmith" <calberkeley.org> wrote in message
    news:bls3as$2s4p$berkeley.edu...
     

    Yes, but you should hear them begging for mercy and whining on the phone
    when you tell them to take their out of your shop and give you your
    money back or they lose the account, especially when it's $150,000 or more.
    And then they send the head-honcho salesmen who whine some more. In the end,
    they either give you your money back, or offer you an alternative that
    works.
    Freeware just doesn't work that way. It's a different animal. Maybe you guys
    are comparing apples and oranges here.


    UNIX Guest
