Anyone used Solaris Secure Shell, Sun's productized ssh for Solaris9?

Post by Mike O'Conno » Wed, 06 Feb 2002 06:43:34

http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
refers to "Solaris Secure Shell", a new product that is coming with the
upcoming Solaris9.  Has anyone had experience with it?  Is it based on
OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,
or some sort of separate add-on affair?  How well does it interoperate
with other ssh implementations "out there"?

Post by Youri Podchoso » Wed, 06 Feb 2002 12:12:47

> http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
> refers to "Solaris Secure Shell", a new product that is coming of the
> upcoming Solaris9.  Has anyone had experience with it?  Is it based off
> OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,
> or some sort of separate add-on affair?  How well does it interoperate
> with other ssh implementations "out there"?

[ First, very superficial, impressions ]

It looks like a derivative of OpenSSH, version 2.9.9p1 or later. The
reported version string is:

$ ssh -V
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.

2.9.9p1 comes from the observation that Sun SSH uses merged
authorized_keys file which IIRC first appeared in the said release of
OpenSSH. OTOH I can't see moduli in /etc/ssh, and
SKey/ChallengeResponseAuthentication mode is not supported, so it isn't
exactly OpenSSH. Client, server, sftp, protocol 1 and 2, RSA and DSA
keys, whatever seemingly works with other OpenSSH versions/platforms,
haven't encountered any problems yet.

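The version string Youri reads off `ssh -V` is the same "softwareversion" token a server announces in its identification line the moment a client connects, so it is also the cheapest way to inventory which hosts run Sun_SSH versus stock OpenSSH, and which of them still advertise protocol 1 (a server willing to speak both announces "1.99"). The parser below is an added example for this page, not code from the thread or from Sun; the banner strings in it are constructed, and the exact text of a Sun_SSH banner is an assumption.

```c
/* ssh_ident.c - parse an SSH identification line (RFC 4253 section 4.2):
 *   "SSH-" protoversion "-" softwareversion [ SP comments ] CR LF
 * Added example; not part of the original thread or of Sun's product. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct ssh_ident {
    char protoversion[16];
    char softwareversion[64];
    char comments[128];
    int  supports_v1;   /* peer will speak protocol 1 (1.x or 1.99) */
    int  supports_v2;   /* peer will speak protocol 2 (2.0 or 1.99) */
};

/* Parse one identification line into *out. Returns 0 on success, -1 if the
 * line is not a well-formed SSH banner (e.g. an SMTP or HTTP greeting on a
 * port somebody mislabelled as ssh). */
int parse_ssh_ident(const char *line, struct ssh_ident *out)
{
    memset(out, 0, sizeof *out);
    if (strlen(line) > 255 || strncmp(line, "SSH-", 4) != 0)   /* RFC length limit */
        return -1;

    const char *p = line + 4;
    const char *dash = strchr(p, '-');
    if (dash == NULL || dash == p)
        return -1;
    size_t plen = (size_t)(dash - p);
    if (plen >= sizeof out->protoversion)
        return -1;
    for (size_t i = 0; i < plen; i++)            /* protoversion is digits and dots */
        if (!isdigit((unsigned char)p[i]) && p[i] != '.')
            return -1;
    memcpy(out->protoversion, p, plen);

    /* softwareversion runs to the first space or end of line. The RFC forbids
     * '-' inside it, but real servers violate that, so it is not rejected. */
    const char *sw = dash + 1;
    size_t swlen = strcspn(sw, " \r\n");
    if (swlen == 0 || swlen >= sizeof out->softwareversion)
        return -1;
    memcpy(out->softwareversion, sw, swlen);

    const char *c = sw + swlen;
    if (*c == ' ') {                             /* optional comments field */
        c++;
        size_t clen = strcspn(c, "\r\n");
        if (clen >= sizeof out->comments)
            clen = sizeof out->comments - 1;
        memcpy(out->comments, c, clen);
    }

    if (strcmp(out->protoversion, "1.99") == 0)
        out->supports_v1 = out->supports_v2 = 1;
    else if (out->protoversion[0] == '2')
        out->supports_v2 = 1;
    else if (out->protoversion[0] == '1')
        out->supports_v1 = 1;
    else
        return -1;
    return 0;
}

/* Map the softwareversion prefix to an implementation family. */
const char *ident_family(const struct ssh_ident *id)
{
    static const struct { const char *prefix, *family; } tab[] = {
        { "Sun_SSH", "Sun_SSH" },                /* Solaris Secure Shell */
        { "OpenSSH", "OpenSSH" },
        { NULL, NULL }
    };
    for (int i = 0; tab[i].prefix != NULL; i++)
        if (strncmp(id->softwareversion, tab[i].prefix, strlen(tab[i].prefix)) == 0)
            return tab[i].family;
    return "unknown";
}

int main(void)
{
    /* Constructed sample banners, not captured from real hosts. */
    static const char *const samples[] = {
        "SSH-1.99-Sun_SSH_1.0\r\n",              /* assumed Sun_SSH banner, both protocols */
        "SSH-2.0-OpenSSH_2.9p2 Debian\r\n",
        "220 mail.example ESMTP\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ssh_ident id;
        if (parse_ssh_ident(samples[i], &id) != 0) {
            printf("%-40s not an SSH banner\n", samples[i]);
            continue;
        }
        printf("%-20s family=%-8s proto=%-5s%s\n", id.softwareversion,
               ident_family(&id), id.protoversion,
               id.supports_v1 ? "  (protocol 1 still enabled)" : "");
    }
    return 0;
}
```

Feed it the first line read from port 22 of each host; anything flagged "protocol 1 still enabled" is a server whose sshd_config still lists protocol 1, whichever vendor string it carries.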

 
 
 

Post by ger.. » Wed, 06 Feb 2002 13:53:55

> http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
> refers to "Solaris Secure Shell", a new product that is coming of the
> upcoming Solaris9.  Has anyone had experience with it?  Is it based off
> OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,
> or some sort of separate add-on affair?  How well does it interoperate
> with other ssh implementations "out there"?  

Beta refresh is OpenSSH 2.9p2 as I recall. It's added during
installation.  There are about 6 packages altogether. Sorry I don't
have the 9 boxes up right now. You can always upgrade to 3.x.x and
keep your old keys once generated... And they are generated the first
time you get to run level 3 I think it is.

Post by Darren Moffa » Thu, 07 Feb 2002 09:00:50

> http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
> refers to "Solaris Secure Shell", a new product that is coming of the
> upcoming Solaris9.  Has anyone had experience with it?  Is it based off
> OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,

It is part of the End User install cluster for Solaris 9EA.

It comes in 5 packages:
        SUNWsshcu       Common (just ssh-keygen at this time)
        SUNWsshdr       Daemon (root)
        SUNWsshdu       Daemon (usr)
        SUNWsshr        Client (root)
        SUNWsshu        Client (usr)

> or some sort of separate add-on affair?  How well does it interoperate
> with other ssh implementations "out there"?

It isn't based on a specific version of OpenSSH; most if not all of
2.9.x is there. This is due to the way development works in Solaris.
We take specific bug fixes and features on merit and try as hard as
possible to stay in sync.  This is why the version number is different.

Sun has added support for BSM auditing, I18N/L10N support and
two proxy commands - SOCKS5 and HTTP.

The BSM audit changes will be given back to the OpenSSH team soon.

--
Darren J Moffat
  This posting does not constitute official support from Sun Microsystems Inc.

Post by Nico Kadel-Garci » Thu, 07 Feb 2002 13:19:29

> > http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
> > refers to "Solaris Secure Shell", a new product that is coming of the
> > upcoming Solaris9.  Has anyone had experience with it?  Is it based off
> > OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,

> It is part of the End User install cluster for Solaris 9EA.

> It comes in 5 packages:
> SUNWsshcu Common (just ssh-keygen at this time)
> SUNWsshdr Daemon (root)
> SUNWsshdu Daemon (usr)
> SUNWsshr Client (root)
> SUNWsshu Client (usr)

Cool. *PLEASE* tell me that you've compiled it "--without-login", since the
Sun implementation of /bin/login has proven vulnerable to those attacks, and
compiled it "--without-rsh", since there is no excuse for using rsh when ssh
is available or for ssh to ever fall through to use rsh.

In fact, please tell me that you've ripped out rsh entirely: it was a really
bad idea in smaller local environments, and is simply disastrous now.

Post by John D Groenve » Thu, 07 Feb 2002 14:16:25

>In fact, please tell me that you've ripped out rsh entirely: it was a really
>bad idea in smaller local environments, and is simply disastrous now.

Since the Solaris 8 release notes do not warn of it, then you can
trust that rsh will still be there in 9. Hopefully by Solaris 10 many of
these services will be turned off by default. Don't count on it.
John

Post by Joerg Schilli » Thu, 07 Feb 2002 18:39:36

>>In fact, please tell me that you've ripped out rsh entirely: it was a really
>>bad idea in smaller local environments, and is simply disastrous now.
>Since the Solaris 8 release notes do not warn of it, then you can
>trust that rsh will still be there in 9. Hopefully by Solaris 10 many of
>these services will be turned off by default. Don't count on it.

If you turn off rsh, then you will no longer be able to do remote tape
backups!

If you properly configure the services (and use the rmt program that
comes with star and allows additional security setup)  using rsh is OK
inside a selected cluster of hosts.

--
URL:  http://www.fokus.gmd.de/usr/schilling    ftp://ftp.fokus.gmd.de/pub/unix

Post by Gerd Marquar » Thu, 07 Feb 2002 19:55:27

|>
|> > http://www.eweek.com/article/0,3658,s%253D708%2526a%253D21767,00.asp
|> > refers to "Solaris Secure Shell", a new product that is coming of the
|> > upcoming Solaris9.  Has anyone had experience with it?  Is it based off
|> > OpenSSH, ssh.com, or something else?  Is it a native part of Solaris9,
|>
|> It is part of the End User install cluster for Solaris 9EA.
|>
|> It comes in 5 packages:
|>   SUNWsshcu       Common (just ssh-keygen at this time)
|>   SUNWsshdr       Daemon (root)
|>   SUNWsshdu       Daemon (usr)
|>   SUNWsshr        Client (root)
|>   SUNWsshu        Client (usr)
|>
|> > or some sort of separate add-on affair?  How well does it interoperate
|> > with other ssh implementations "out there"?
|>
|> It isn't based on a specific version of OpenSSH, most if not all of
|> 2.9.x is there this is due to the way development works in Solaris.
|> We take specific bug fixes and features on merit and try as hard as
|> possible to stay in sync.  This is why the version number is different.
|>
|> Sun has added support for BSM auditing, I18N/L10N support and
|> two proxy commands - SOCKS5 and HTTP.
|>
|> The BSM audit changes well be given back to the OpenSSH team soon.

Why is HostbasedAuthentication for Protocol 2 not supported?

 Gerd Marquardt

Post by Nico Kadel-Garci » Thu, 07 Feb 2002 20:12:48

> >>In fact, please tell me that you've ripped out rsh entirely: it was a really
> >>bad idea in smaller local environments, and is simply disastrous now.
> >Since the Solaris 8 release notes do not warn of it, then you can
> >trust that rsh will still be there in 9. Hopefully by Solaris 10 many of
> >these services will be turned off by default. Don't count on it.

> If you turn off rsh, then you will no more able to do remote tape
> backups!

Nonsense. "rm -f /usr/bin/rsh; ln -s /usr/local/bin/ssh /usr/bin/rsh" works
quite well to provide a much more secure transfer mechanism. So does running
tar and dd through a pipe enabled over ssh.

> If you properly configure the services (and use the rmt program that
> comes with star and allows additional security setup)  using rsh is OK
> inside a selected cluster of hosts.

I'm sorry, but the only proper way to configure rsh is to delete it
entirely. It is *entirely* too trusting of hostnames, which are easily
forged or spoofed, and relies on them as the fundamental login mechanism.

All I have to do is disable one rsh client machine's network connection,
spoof the hostname and possibly IP address on another machine, and I am in.
This is exceedingly dangerous.

Post by Neil W Ricker » Thu, 07 Feb 2002 22:31:15

>All I have to do is disable one rsh client machine's network connection,
>spoof the hostname and possibly IP address on another machine, and I am in.
>This is exceedingly dangerous.

Just unplug your network cable.  You will feel much safer.

The arguments "rsh should be deleted", "xhost should never be used"
are modern myths.  They are tools that can be used unwisely, and that
can be used wisely.  The complete condemnation is paranoid.

Post by Joerg Schilli » Thu, 07 Feb 2002 22:47:44

>> >>bad idea in smaller local environments, and is simply disastrous now.
>> >Since the Solaris 8 release notes do not warn of it, then you can
>> >trust that rsh will still be there in 9. Hopefully by Solaris 10 many of
>> >these services will be turned off by default. Don't count on it.

>> If you turn off rsh, then you will no more able to do remote tape
>> backups!

>Nonsense. "rm -f /usr/bin/rsh; ln -s /usr/local/bin/ssh /usr/bin/rsh" works
>quite well to provide a much more secure transfer mechanism. So does running
>tar and dd through a pipe enabled over ssh.

Looks like you never tried it out!

The connection for a remote tape backup is initiated via rcmd() which will
not work if the other side does not run rshd.

Post by Joerg Schilli » Thu, 07 Feb 2002 22:55:16

>> If you properly configure the services (and use the rmt program that
>> comes with star and allows additional security setup)  using rsh is OK
>> inside a selected cluster of hosts.

>I'm sorry, but the only proper way to configure rsh is to delete it
>entirely. It is *entirely* too trusting of hostnames, which are easily
>forged or spoofed, and relies on them as the fundamental login mechanism.

>All I have to do is disable one rsh client machine's network connection,
>spoof the hostname and possibly IP address on another machine, and I am in.
>This is exceedingly dangerous.

So you did not read my last article where I stated that rsh should be used
for a small cluster of hosts. This could be e.g. all hosts inside a computer
center.

It also proves that you did _not_ fetch star and read the documentation
for rcmd. One important security enhancement with the rmt server from star
is that it may be installed as shell for a specific "tape" user.

If you use rsh unwisely, you are lost; if you use it wisely you will be able to
use it to e.g. do backups at network speed (~ 11000 kB/s on a 100 Mb/s network).

Post by Alan Coopersmi » Fri, 08 Feb 2002 00:05:49

|> If you turn off rsh, then you will no more able to do remote tape
|> backups!
|
|Nonsense. "rm -f /usr/bin/rsh; ln -s /usr/local/bin/ssh /usr/bin/rsh" works
|quite well to provide a much more secure transfer mechanism.

Actually, for ufsdump it does nothing.  To get ufsdump to use ssh you
need to provide a ssh-enabled version of rcmd() - I know of at least one
site that's done this for internal use using the Solaris source code,
and it might be possible to arrange it via LD_PRELOAD.

|All I have to do is disable one rsh client machine's network connection,
|spoof the hostname and possibly IP address on another machine, and I am in.
|This is exceedingly dangerous.

Only if you have insecure access to your network.  If both machines are
in a locked machine room, and their subnet is limited to the machine
room, the risk level is very low.  Whether or not it's low enough to be
acceptable is up to the local site to determine.

--
  Working for, but definitely not speaking for, Sun Microsystems, Inc.
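Alan's point is worth making concrete: ufsdump does not exec /usr/bin/rsh, it calls the libc rcmd() routine, so Nico's symlink changes nothing for it, and what is needed is an rcmd() that returns a descriptor connected to ssh rather than to rshd. The interposer below is an added example written for this page; it is not Sun's code or anything shipped with Solaris. It assumes an OpenSSH-compatible client at /usr/bin/ssh (the Sun_SSH path is an assumption), key-based authentication to the tape host already set up, and that the wrapped program resolves rcmd() dynamically from libc so the preload can take effect. The same reasoning applies to star's rcmd() use that Joerg describes in the next post.

```c
/* ssh_rcmd.c - rcmd(3) interposer that runs the remote command over ssh
 * instead of the rsh/rshd protocol. Added example for this page; not
 * Sun's code. Build as a preload library and run the backup under it:
 *     cc -fPIC -shared -o libsshrcmd.so ssh_rcmd.c
 *     LD_PRELOAD=./libsshrcmd.so ufsdump 0uf tapehost:/dev/rmt/0n /export/home
 */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SSH_PATH
#define SSH_PATH "/usr/bin/ssh"   /* assumed location of the Sun_SSH/OpenSSH client */
#endif

/* Start argv[0] with its stdin and stdout on one end of a socketpair and
 * return the other end: one bidirectional descriptor, which is what rcmd()
 * callers such as ufsdump expect to read()/write() the rmt protocol over.
 * With errfd != NULL the child's stderr gets its own socketpair and the
 * parent's end is stored in *errfd (rcmd's fd2p channel). */
int spawn_connected(char *const argv[], int *errfd)
{
    int io[2], err[2] = { -1, -1 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, io) < 0)
        return -1;
    if (errfd != NULL && socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) {
        close(io[0]); close(io[1]);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(io[0]); close(io[1]);
        if (errfd != NULL) { close(err[0]); close(err[1]); }
        return -1;
    }
    if (pid == 0) {                          /* child: wire up fds, then exec */
        dup2(io[1], STDIN_FILENO);
        dup2(io[1], STDOUT_FILENO);
        if (errfd != NULL)
            dup2(err[1], STDERR_FILENO);
        close(io[0]); close(io[1]);
        if (errfd != NULL) { close(err[0]); close(err[1]); }
        execvp(argv[0], argv);
        _exit(127);
    }

    close(io[1]);                            /* parent keeps io[0] */
    if (errfd != NULL) {
        close(err[1]);
        *errfd = err[0];
    }
    return io[0];
}

/* Interposed rcmd(). Same prototype as <netdb.h> on glibc; the rsh port and
 * the local user name mean nothing to ssh and are ignored. BatchMode makes
 * ssh fail instead of prompting, so an unknown host key or a missing key
 * surfaces as an rcmd() error rather than a hung backup job. -x and -a keep
 * X11 and agent forwarding off for a tape session that needs neither. */
int rcmd(char **ahost, unsigned short rport, const char *locuser,
         const char *remuser, const char *cmd, int *fd2p)
{
    (void)rport;
    (void)locuser;
    char *argv[] = {
        SSH_PATH, "-x", "-a", "-oBatchMode=yes",
        "-l", (char *)remuser, *ahost, (char *)cmd, NULL
    };
    return spawn_connected(argv, fd2p);
}

/* Plumbing check: send `out`, half-close, collect what the child sends back
 * (NUL-terminated into `in`), return the byte count or -1. Run it against a
 * local "cat" before trusting the library with a real dump. */
ssize_t exchange(int fd, const char *out, char *in, size_t inlen)
{
    size_t want = strlen(out), got = 0;

    if (write(fd, out, want) != (ssize_t)want)
        return -1;
    shutdown(fd, SHUT_WR);                   /* EOF for the child, as ufsdump's close is */
    while (got < inlen - 1) {
        ssize_t r = read(fd, in + got, inlen - 1 - got);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0) break;
        got += (size_t)r;
    }
    in[got] = '\0';
    close(fd);
    while (waitpid(-1, NULL, WNOHANG) > 0)   /* reap children that already exited */
        ;
    return (ssize_t)got;
}
```

Two caveats a practitioner will hit. The runtime linker ignores LD_PRELOAD when it runs a set-id program for a user other than the owner; a root-run ufsdump has uid == euid, so the preload is honoured there, but a statically linked or privately linked rcmd() caller is not interposed and needs the rebuild Alan mentions. And BatchMode=yes refuses unknown host keys, so the tape host's key must be in known_hosts beforehand; that host authentication is exactly the check rsh never had and the one Nico's spoofing scenario relies on being absent.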

 
 
 

Post by Joerg Schilli » Fri, 08 Feb 2002 01:14:23

>|> If you turn off rsh, then you will no more able to do remote tape
>|> backups!
>|
>|Nonsense. "rm -f /usr/bin/rsh; ln -s /usr/local/bin/ssh /usr/bin/rsh" works
>|quite well to provide a much more secure transfer mechanism.

>Actually, for ufsdump it does nothing.  To get ufsdump to use ssh you
>need to provide a ssh-enabled version of rcmd() - I know of at least one
>site that's done this for internal use using the Solaris source code,
>and it might be possible to arrange it via LD_PRELOAD.

The same applies to "star". If you like a fast connection, you need to use
rcmd().

GNU tar is the only program I am aware of that uses rsh to establish a remote
connection. It is noticeably slower in remote mode for this reason.

Post by John D Groenve » Fri, 08 Feb 2002 02:56:06

>Only if you have insecure access to your network.  If both machines are
>in a locked machine room, and their subnet is limited to the machine
>room, the risk level is very low.  Whether or not it's low enough to be
>acceptable is up to the local site to determine.

Most Solaris hosts are probably not on such a network. In fact, they're
likely sitting next to some Windows host running some packet sniffer
code hidden inside yet another Outlook virus relaying all your jewels
via http to some Redhat5 box sitting in some Chinese province you've
never heard of.

Disabled by default would be a nice start when secure alternatives exist.
John