Saturday Nov 21, 2009

Solaris Security Essentials

The "Solaris 10 Security Essentials" book is on sale, and you can get it from Amazon now. I was one of the roughly 20 engineers from the Solaris security organization who wrote the book. Looking forward to getting my copy.

Product Details
  * Paperback: 312 pages
  * Publisher: Prentice Hall PTR, 1st edition (November 19, 2009)
  * Language: English
  * ISBN-10: 0137012330
  * ISBN-13: 978-0137012336

Thursday Nov 19, 2009

I have generated a PKCS#11 patch for OpenSSL 0.9.8l. It includes one new feature I have recently integrated into Nevada: RSA Keys by Reference. [Read More]

Wednesday Nov 11, 2009

I have just done my putback to the SFW gate for the "RSA Keys by Reference" project. It will be part of Nevada build 129. The CR was "6479874 OpenSSL should support RSA key by reference/hardware keystores". With this code, applications can access RSA keys stored in PKCS#11 tokens... [Read More]

Wednesday Oct 21, 2009

A question comes up from time to time: is there a way for SSH to get rid of idle sessions? Usually, before such a question is asked, the server-side keyword MaxStartups is consulted but quickly dismissed as an option that controls something else entirely. Then ClientAliveInterval is checked, with the same result. On the client side, there is hope that ServerAliveInterval could help. [Read More]

Wednesday Aug 12, 2009

A presentation written in July 2009, covering all major enhancements we integrated into SunSSH and OpenSSL in the period 01/2008-06/2009. The presentation slides are here.

Tuesday Jul 28, 2009

Vladimir, who made most of the latest changes to the PKCS#11 engine we ship as part of OpenSSL in Solaris, wrote a presentation on the PKCS#11 engine internals. It's a very interesting read, and since I believe some of you who use the patch actually read and modify the code (I got some feedback during the last few years), I hope it will be very useful. See Vladimir's OpenSSL PKCS#11 engine TOI blog entry on that. We also plan to properly document the engine directly in the code so that people can understand how it works without reverse engineering it. However, there is no ETA for that yet.

Wednesday Apr 15, 2009

I didn't generate the patch for OpenSSL 0.9.8k. Given the few changes between 0.9.8j and 0.9.8k, it is no surprise that you can apply the PKCS#11 engine patch for 0.9.8j to 0.9.8k. [Read More]

Monday Mar 23, 2009

I resynced the ChrootDirectory option from OpenSSH to SunSSH, and pushed the change to the repository today. It wasn't a straightforward resync since we have different privilege separation code. I also found a few very minor issues in the OpenSSH code, and filed bugs with patches (1562, 1564, and 1566). [Read More]

This blog copyright 2009 by janp