2008/525 ikeadm token login
Dan McDonald
danmcd at sun.com
Fri Aug 15 10:52:24 PDT 2008
On Fri, Aug 15, 2008 at 01:45:47PM -0400, James Carlson wrote:
> The fact that nobody will be able to provide a clear set of "how to
> use this stuff" directions should give the project team some pause
> about tightening security in this way. A recipe would have to say
> something like this in the middle:
>
> "If you are running Solaris 10 and have patch 999998-01
> [SPARC] or 999999-01 [x86] installed, then you need to include
> '-p' on the following command line, so that the unattended
> service will start up correctly at boot time. If you don't
> have that patch installed, then '-p' isn't recognized, and
> unattended operation will be the default ...."
>
> Poor user.

The frequency of new-key generation (typically measured in once-per-N-years,
for 1 <= N <= 4) is such that the above paragraph will not apply often.
Maybe that's why you're worried --> it's so infrequent that people will not
think to look at the release notes.

I guess the big question for patch-binding is whether or not customers are
going to be banging down our door for this added security. Perhaps a ping to
some sun-internal customer-contacting aliases (you know the ones I mean)
would be in order?

Dan