ideas 2
Garance A Drosihn
drosih at rpi.edu
Wed Jul 28 13:27:53 PDT 2004
At 11:13 AM -0700 7/28/04, Matthew Dillon wrote:
Someone else wrote:
:
:/usr/src/crypto/openssh/ssh_config
:
:- # Protocol 2,1
:+ Protocol 2
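
Review bot: the added 'Protocol 2' line replaces a line that was only a comment ('# Protocol 2,1'), so the shipped ssh_config goes from documenting a default to actively removing protocol 1 fallback for every outgoing connection. If that is the intent, the change should also document next to the directive how to restore protocol 1 for a single host, so that clients which must reach a protocol-1-only server have a supported override.
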
> I'm kinda on the fence on changing this. I've actually
> done this on personal machines before but it always
> creates problems with programs like 'scp' which do not
> have a '-1' option.

I use ~/.ssh/config to handle outgoing connections to hosts
which must have protocol 1. That works fine for scp, and is
not as messy as typing in '-o protocol=1' on each scp command.
And the big advantage is: You don't have to remember to add it
each time you need it...

: Using a special banner is a good way to let everyone know
: if you're vulnerable to some attacks...
:
:/usr/src/crypto/openssh/version.h
:
:- #define SSH_VERSION_ADDENDUM "DragonFly-20030916B"
:+ #define SSH_VERSION_ADDENDUM ""
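
Review bot: emptying SSH_VERSION_ADDENDUM in version.h is a compile-time change that applies to every build, and the hunk gives no way to restore the value and no rationale in the header itself. If the addendum is to be suppressible at all, keep "DragonFly-20030916B" as the default and make the empty value something an administrator opts into, since that value is what distinguishes this vendor build.
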
> A lot of people did this sort of thing with sendmail when
> sendmail was going through a number of security issues a
> few years ago, but it didn't stop the attacks. Also,
> there are other ways to detect the ssh version number. I
> would rather not change this.

I hope you do not. Obscuring the version numbers just annoys
"good guys" when debugging or administering machines, and for
the most part does not slow down the "bad guys" at all. If
someone wants to know if you have an exploit, they usually
just try the exploit and see if they have broken in.

If some administrator is running a known-buggy version of sshd
(or any other daemon), then they NEED to upgrade that version.
Hiding behind some null version number does not actually
protect their machine. Particularly if all users of an OS
will have a null version, then the exploit is just going to
check for sshd's with null versions.

:8) Please make /tmp cleaning at boot time a default setting.
: It's a good thing for privacy and security.
> Well cleaning out /tmp at boot is a bad idea in general
> because [...]. One could institute removal based on a
> file age, and many do, but I'm not sure we should do it
> by default.

I once had the vague idea that it would be nice to keep the
dmesg output from the last 5 or more reboots (copies of
/var/run/dmesg.boot, in /var/db/dmesg or somesuch). If the
OS did that, you could then remove all files which were
more than "two reboots" old. But I do not know if it makes
much sense to do any date-related checks, since /tmp will
include files which might in fact be "new", but have old
dates on them because they were created from tar archives
or `cp -p' or just `mv'-ing them from somewhere else.

The other thing I thought it might be nice to do would be to
create a /tmp/.reboot/<date> directory at reboot, and then
move everything from /tmp/* (except /tmp/.reboot) into that
directory. That way the files are there if you want them,
but they are moved out of /tmp so they won't conflict with
any new files which are created. Later, you can have
something remove a whole /tmp/.reboot/<date> directory,
based on whatever criteria seems reasonable.

--
Garance Alistair Drosehn = gad at xxxxxxxxxxxxxxxxxxxx
Senior Systems Programmer or gad at xxxxxxxxxxx
Rensselaer Polytechnic Institute or drosih at xxxxxxx
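
The /tmp/.reboot/<date> scheme described in the message above, sketched as an added example that is not part of the original post or of any DragonFly code. The function names, the YYYYmmdd-HHMMSS stamp format, the "keep two reboots" count and the ownership check on .reboot are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original post. rotate_tmp and prune_reboots
# are hypothetical names; the stamp format YYYYmmdd-HHMMSS is an assumption.

# rotate_tmp TMPDIR STAMP: move every entry of TMPDIR except .reboot
# into TMPDIR/.reboot/STAMP.
rotate_tmp() {
    tmp=$1 stamp=$2
    hold="$tmp/.reboot"
    # TMPDIR is world-writable, so a user may have planted .reboot before the
    # reboot: accept it only if it is a real directory owned by the caller.
    if [ -L "$hold" ]; then return 1; fi
    if [ -e "$hold" ]; then
        [ -d "$hold" ] && [ -O "$hold" ] || return 1
    else
        mkdir -m 0755 "$hold" || return 1
    fi
    # Fail instead of reusing an existing stamp directory.
    mkdir -m 0755 "$hold/$stamp" || return 1
    # Three globs cover plain names, dotfiles and names starting with "..".
    for entry in "$tmp"/* "$tmp"/.[!.]* "$tmp"/..?*; do
        # Skip unmatched patterns, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        [ "$entry" = "$hold" ] && continue
        # mv renames symlinks themselves; it does not follow them.
        mv -- "$entry" "$hold/$stamp/" || return 1
    done
    return 0
}

# prune_reboots TMPDIR KEEP: delete all but the KEEP newest stamp directories.
prune_reboots() {
    tmp=$1 keep=$2
    # Stamps sort lexically in time order, so reverse sort lists newest first.
    ls -1 "$tmp/.reboot" | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -rf -- "$tmp/.reboot/$old"
    done
}

# At boot, before anything else writes to /tmp (keeps two reboots):
#   rotate_tmp /tmp "$(date +%Y%m%d-%H%M%S)" && prune_reboots /tmp 2
```

Moved files keep their owner and mode, so users can still retrieve their own data from the stamp directory until it is pruned.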