Contributed by Dengue on from the saves-me-a-lot-of-time dept.
"Daily Daemon News points to a Register story talking about the enhanced security features of Solaris 9. In particular, they will be using OpenSSH code and submitting enhancements made back to the community. All the Solaris 9 info at docs.sun.com requires subscription/membership."
By Chris () on
By mra () on
Yeah, the LDAP PKI infrastructure is really cool, and it certainly is much better than nis(+), so while I'm glad they are giving that back to the code base I'm still bothered that they felt they needed to break compatibility *with all existing implementations*.
By Anonymous Hero () on
thanks. :)
By Anonymous Hero () on
can you elaborate on this, or point to someplace that already does?
er, already has?
By mra () on
By Technofiend () on
I have a Solaris 9 beta box (the ISOs can be freely downloaded from sun.com).
You can ssh TO almost any box FROM your Solaris 9 machine.
Only the very latest openssh (3.2.1) succeeds connecting TO Solaris 9.
Anything else reports a variety of errors; unable to complete key exchange, RSA key checksum didn't match, etc.
My guess is public pressure will make them fix it or the openssh community will adapt. Nothing keeping ya from loading your own openssh right on top of it anyway.
By mra () on
I doubt they will "fix it" since there is already an OpenSSH version that supports their version, and SSH.com is working on a version that will support them as well.
What really bothers me about this is that a Sun engineer is the working group chair for SSH, yet they still felt they could break the spec. The whole thing seems like embrace and extend.
By Darren Moffat () Darren.Moffat@Sun.COM on
There is no LDAP specific code in the OpenSSH that is in Solaris.
All we added was the following:
1. BSM audit code (which has now been donated back to OpenSSH)
2. L10N/I18N of messages that get sent to the user (Last I spoke with Theo on this issue they didn't want this code for OpenBSD).
3. Two standalone proxy commands, one for SOCKS5 and one for HTTP.
4. The code was also linted.
We did change the vendor part of the version string but this is perfectly in spec. The reason for this being we don't want to identify it as OpenSSH because it isn't 100% OpenSSH code. Also because the version of OpenSSH we started with didn't implement rekeying. There will be an effort to get back in sync with OpenSSH in a future revision of Solaris - we will assess at that time if it is appropriate to keep Sun_SSH as the vendor component or revert to OpenSSH.
By having a different vendor string it helps in identifying any bugs because it is obvious who to contact.
The portable OpenSSH uses PAM, and as such we get the ability to authenticate using the pam_ldap module on Solaris. There was no code added by Sun to do this; it all comes from the portable OpenSSH work.
I'm not aware of any plans for giving any LDAP code "back" to anyone.
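
Added example (not part of the original thread, and not Sun's or OpenSSH's code): the "vendor part of the version string" discussed in the comment above is the softwareversion field of the SSH identification line, `SSH-protoversion-softwareversion SP comments CR LF`. The Python below parses that line so an inventory or bug-triage script can tell implementations apart; the banners and host names are constructed, and splitting vendor from release at `_` followed by a digit is a naming-convention assumption, not something the protocol defines.

```python
import re

# SSH-protoversion-softwareversion [SP comments]; softwareversion is
# printable US-ASCII with no whitespace and no '-'.
_ID_RE = re.compile(r"^SSH-([0-9]+\.[0-9]+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")
MAX_ID_LEN = 255  # limit on the whole line, CR LF included


def parse_ssh_banner(raw: bytes) -> dict:
    """Parse the first SSH identification line found in raw bytes."""
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue  # a server may send free-text lines before its banner
        if len(line) + 1 > MAX_ID_LEN:
            raise ValueError("identification string longer than 255 bytes")
        text = line.rstrip(b"\r").decode("ascii")  # non-ASCII -> ValueError
        m = _ID_RE.match(text)
        if not m:
            raise ValueError("malformed identification string: %r" % text)
        proto, software, comments = m.groups()
        # Heuristic (assumption): vendor ends at the first '_' followed by a digit.
        vm = re.match(r"^(.*?)_(\d.*)$", software)
        vendor, release = vm.groups() if vm else (software, None)
        return {"proto": proto, "supports_v2": proto in ("2.0", "1.99"),
                "software": software, "vendor": vendor,
                "release": release, "comments": comments}
    raise ValueError("no SSH identification line found")


# Constructed sample banners and host names, for illustration only.
SAMPLE = {
    "host-a.example": b"SSH-2.0-Sun_SSH_1.0\r\n",
    "host-b.example": b"Welcome\r\nSSH-1.99-OpenSSH_3.2.1\r\n",
    "host-c.example": b"SSH-2.0-OpenSSH_3.2.1 patched\r\n",
    "host-d.example": b"SSH-2.0-bad-name\r\n",  # '-' is illegal in softwareversion
}


def vendors_by_host(banners: dict) -> dict:
    """Map each host to its vendor string, or None if the banner is invalid."""
    result = {}
    for host, raw in banners.items():
        try:
            result[host] = parse_ssh_banner(raw)["vendor"]
        except ValueError:
            result[host] = None
    return result
```

A protoversion of `1.99` means the server speaks 2.0 and also accepts older clients, which is why `supports_v2` is true for it.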