Sun hires Debian Linux founder (ZDNet)
At Sun, Murdock now holds the title of chief operating platforms officer. On his blog, he said he'll work both with Linux and Sun's competing, newly open-source Solaris. "I'm not saying much about what I'll be doing yet, but you can probably guess from my background and earlier writings that I'll be advocating that Solaris needs to close the usability gap with Linux to be competitive," he said on his blog. But it won't be just about Solaris at Sun: "Even with Solaris front and center, I'm pretty strongly of the opinion that Linux needs to play a clearer role in the platform strategy."
Posted Mar 20, 2007 17:47 UTC (Tue)
by kh (guest, #19413)
[Link] (7 responses)
That's good news for Sun I think, I am also happy to see them supporting the FSF. Maybe Ian can get them to drop running telnet by default and replace it with openssh.
Posted Mar 20, 2007 20:25 UTC (Tue)
by cajal (guest, #4167)
[Link] (6 responses)
That was already done. See the "Secure by Default" initiative that was merged into Solaris 10 Update 3.
Posted Mar 20, 2007 21:31 UTC (Tue)
by nix (subscriber, #2304)
[Link] (5 responses)
I know at least one large merchant bank that immediately removed openssh again and replaced it with telnet on the grounds that openssh was `a security risk'. :((((
Posted Mar 20, 2007 22:27 UTC (Tue)
by madscientist (subscriber, #16861)
[Link] (4 responses)
In some scenarios, it is a security problem. At my previous company they would not allow partners to use ssh across their firewalls into the corporate network, because the traffic is encrypted: it can't be monitored, logged, etc.
Obviously, you can't allow vanilla telnet across the Internet either! They set up a VPN between the two corporate networks, and only certain protocols were accepted across the VPN. Remote login, where allowed (which was rarely and only with a very compelling business case), was only available via telnet through the VPN.
Obviously there are other alternatives one could imagine, such as a custom sshd which logged everything clients did, but things get messy fast.
Posted Mar 21, 2007 4:28 UTC (Wed)
by fjf33 (guest, #5768)
[Link] (3 responses)
Can't it be proxied?
Posted Mar 21, 2007 13:30 UTC (Wed)
by madscientist (subscriber, #16861)
[Link] (2 responses)
> Can't it be proxied?
Sorry, I don't understand the question. Can't what be proxied?
Posted Mar 21, 2007 17:43 UTC (Wed)
by vmole (guest, #111)
[Link] (1 responses)
I assume fjf33 was asking whether SSH can be proxied. The answer is no, not easily. Basically, a proxy that would do what the OP wanted (log activity) is equivalent to a man-in-the-middle attack, which SSH is designed to reject. One could write such a proxy, but a) you'd need to modify the clients to allow it, and b) it's not significantly easier (if at all) than writing a logging sshd.
Posted Mar 21, 2007 20:09 UTC (Wed)
by drag (guest, #31333)
[Link]
Probably the easy way to accomplish a 'ssh proxy' is to set up a simple ssh server to act as intermediary.
So say you have people that want to connect via ssh to various internal machines. Set up a single dedicated machine (call it 'Bob') (or maybe have a few different machines for each department or whatever) with a ssh server. Have them log into that machine, and then from that machine then ssh into the machines they ultimately need access to.
On the Bob server then you just log everything that is happening.
I suppose there are security considerations with that, but I can't imagine them being much different or worse than having a machine handle all VPN traffic with people telnet'ing everywhere.
At least with ssh you can do key pairs and such.