DragonFly BSD
DragonFly kernel List (threaded) for 2004-07

Re: ideas 2


From: Garance A Drosihn <drosih@xxxxxxx>
Date: Wed, 28 Jul 2004 16:23:57 -0400

At 11:13 AM -0700 7/28/04, Matthew Dillon wrote:
Someone else wrote:
:
:/usr/src/crypto/openssh/ssh_config
:
:-       #   Protocol 2,1
:+       Protocol 2
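
Review bot: the added `Protocol 2` line carries no comment telling users how to reach a host that still needs protocol 1, and it turns the previously commented-out `Protocol 2,1` hint into a hard client-wide setting. Add a comment above it pointing to a per-host `Protocol` entry in ~/.ssh/config, so the override is discoverable from the file itself.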

    I'm kinda on the fence on changing this.  I've actually
    done this on personal machines before but it always
    creates problems with programs like 'scp' which do not
    have a '-1' option.

I use ~/.ssh/config to handle outgoing connections to hosts which must have protocol 1. That works fine for scp, and is not as messy as typing in '-o protocol=1' on each scp command. And the big advantage is: You don't have to remember to add it each time you need it...

:   Using a special banner is a good way to let everyone know
:   if you're vulnerable to some attacks...
:
:/usr/src/crypto/openssh/version.h
:
:-	#define SSH_VERSION_ADDENDUM	"DragonFly-20030916B"
:+	#define SSH_VERSION_ADDENDUM	""
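
Review bot: hard-coding `SSH_VERSION_ADDENDUM` to `""` discards the dated build tag (`DragonFly-20030916B`) that lets an administrator tell which build a host is running, and an empty addendum shared by every install is itself a recognisable value. Keep the dated string, or make the addendum a build-time option instead of an unconditional empty define.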

    A lot of people did this sort of thing with sendmail when
    sendmail was going through a number of security issues a
    few years ago, but it didn't stop the attacks.   Also,
    there are other ways to detect the ssh version number.  I
    would rather not change this.

I hope you do not. Obscuring the version numbers just annoys "good guys" when debugging or administering machines, and for the most part does not slow down the "bad guys" at all. If someone wants to know if you have an exploit, they usually just try the exploit and see if they have broken in.

If some administrator is running a known-buggy version of sshd
(or any other daemon), then they NEED to upgrade that version.
Hiding behind some null version number does not actually
protect their machine.  Particularly if all users of an OS
will have a null version, then the exploit is just going to
check for sshd's with null versions.

:8) Please make /tmp cleaning at boot time a default setting.
:   It's a good thing for privacy and security.

    Well cleaning out /tmp at boot is a bad idea in general
    because [...].  One could institute removal based on a
    file age, and many do, but I'm not sure we should do it
    by default.

I once had the vague idea that it would be nice to keep the dmesg output from the last 5 or more reboots (copies of /var/run/dmesg.boot, in /var/db/dmesg or somesuch). If the OS did that, you could then remove all files which were more than "two reboots" old. But I do not know if it makes much sense to do any date-related checks, since /tmp will include files which might in fact be "new", but have old dates on them because they were created from tar archives or `cp -p' or just `mv'-ing them from somewhere else.

The other thing I thought it might be nice to do would be to
create a /tmp/.reboot/<date> directory at reboot, and then
move everything from /tmp/* (except /tmp/.reboot) into that
directory.  That way the files are there if you want them,
but they are moved out of /tmp so they won't conflict with
any new files which are created.  Later, you can have
something remove a whole /tmp/.reboot/<date> directory,
based on whatever criteria seem reasonable.

--
Garance Alistair Drosehn            =   gad@xxxxxxxxxxxxxxxxxxxx
Senior Systems Programmer           or  gad@xxxxxxxxxxx
Rensselaer Polytechnic Institute    or  drosih@xxxxxxx
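
The /tmp/.reboot/<date> scheme described in the message above, as an added example that is not part of the original post or of DragonFly's rc scripts. The function name `rotate_tmp`, the retention count, and the symlink and ownership checks on `.reboot` are assumptions made here.

```sh
#!/bin/sh
# rotate_tmp DIR STAMP KEEP  (hypothetical helper, not from the post)
#   DIR   directory to rotate, normally /tmp
#   STAMP name of this boot's archive directory, e.g. 20040728-162357
#   KEEP  number of archive directories to retain (assumed policy)
rotate_tmp() {
    dir=$1; stamp=$2; keep=$3
    arch="$dir/.reboot"

    # DIR is world-writable: refuse a .reboot that is a symlink or that
    # another user created, so files never land where that user chose.
    if [ -L "$arch" ]; then
        echo "rotate_tmp: $arch is a symlink, refusing" >&2
        return 1
    fi
    if [ -e "$arch" ] && [ ! -O "$arch" ]; then
        echo "rotate_tmp: $arch not owned by caller, refusing" >&2
        return 1
    fi
    mkdir -p "$arch" || return 1
    mkdir "$arch/$stamp" || return 1    # fails if STAMP was already used

    # Move every entry, dotfiles included, except .reboot itself.
    # mv renames symlinks instead of following them.
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # unmatched glob pattern
        [ "$f" = "$arch" ] && continue
        mv -- "$f" "$arch/$stamp/" || return 1
    done

    # Prune: STAMP names sort chronologically, so drop the oldest ones.
    n=$(ls -1 "$arch" | wc -l)
    drop=$((n - keep))
    if [ "$drop" -gt 0 ]; then
        ls -1 "$arch" | sort | head -n "$drop" | while IFS= read -r old; do
            rm -rf -- "$arch/$old"
        done
    fi
    return 0
}

# Boot-time use (run before users can log in):
#   rotate_tmp /tmp "$(date +%Y%m%d-%H%M%S)" 5
```

Because files are moved rather than inspected by timestamp, this avoids the problem raised above with old dates left by tar, `cp -p` or `mv`.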


