Mailing Lists: Apple Mailing Lists


Re: 3 technical & 1 privacy questions :)



Hi Jonas,

On Dec 10, 2005, at 4:28 PM, Jonas Yorg wrote:

> This is really the summation of a lot of things about Bonjour that have been hitherto pent up, so here we go.

> 1. Having done a straight build of mDNSResponder from Xcode and then going into mDNSPosix and using the makefile, I have created mDNSNetMonitor. However, when I try to run it I get: mDNSNetMonitor: mDNSNetMonitor failed -65537
> Thoughts?

Please check out the latest version from Darwin CVS. It should work better than 107.1.


<http://developer.apple.com/darwin/projects/bonjour/>



> 2. Why can't I uncheck the Bonjour tab in Directory Access?

We found that people were unchecking the Bonjour box in Directory Access and then wondering why machines weren't showing up under /Network. We also found that people were confusing what this checkbox did. Most people think this checkbox disables Bonjour system-wide, but in reality it only disables Bonjour from being used by Directory Services. All other applications like iTunes, iChat, Printing and Safari will continue to use Bonjour when this checkbox is unchecked. In the spirit of Zero Configuration, we decided to remove one more configuration option.




> And is it what is causing me to advertise _workstation._tcp?

Yes, this happens to be the thing advertising _workstation.



> (The subquestion being that even though I have all ports turned off and the firewall set to drop packets, people can still easily OS-fingerprint me as being Mac OS X unless I turn off mDNSResponder all the way... doesn't this sort of defeat the point of those new security mechanisms in 10.4? Doesn't this mean that it will be darn easy to find machines to exploit when) This is just generally along the lines that I think I should be able to have my machine "run network silent" if I want, and Bonjour is actively making that hard...

Please file a bug report requesting a way to turn off _workstation advertising and we'll think about this issue.


<https://bugreport.apple.com>

I haven't tested this, but you can probably turn off _workstation advertising by removing the Directory Service Bonjour plugin. Just delete the folder "Bonjour.dsplug" inside...

/System/Library/Frameworks/DirectoryService.framework/Resources/Plugins/



> 3. What if I don't want my machine to advertise that I'm running SSH via Bonjour? Can I disable it?

Yes, in Tiger you can edit the launchd plist for SSH. Just edit the file "ssh.plist" located inside...


/System/Library/LaunchDaemons/

Remove the "Bonjour" key and corresponding array from this file. You can also disable SSH advertising in Panther, but it's done differently.



> Not only that, but when I have mDNSResponder unloaded and ssh enabled, I can see from verbose startup that it is trying to advertise ssh and failing... thus making it take about 20+ seconds more to get to the login screen.

This is a bug that's improved with the latest version of mDNSResponder in CVS. The delay in Tiger is currently 10 seconds, but the version in CVS has it lowered to 4 seconds. Unfortunately you can't just build a new version of mDNSResponder because the delay is inside the client library which on Mac OS X lives in LibInfo.


We have a plan to eliminate this delay entirely in the future.




> (privacy) 4. I realize Bonjour is all about ease of use... but couldn't a better default name be found than "Firstname Lastname's Computer"?

It's not easy to choose a default name that uniquely identifies the machine and enables you to recognize your own machine(s) in a list. If you have any suggestions, we'd be happy to listen.





> This may not seem like a big deal, but here at CMU they have the wireless bridged in the backend, and consequently I can see about 400 _workstation people at any given time, and a good 60-70% of them are still using the default name... Privacy problems become security problems when I can see a professor's computer, I can see he's running AFP and FTP (plaintext passwords), and by the nature of wireless I can simply sit and wait for someone to connect to his machine and log in... I know that this would still be the case if I took traditional attack steps to determine the information, but the point is that you're making targeted attacks much easier by setting it so that people are shouting their real names, which are associated with their machines... I don't expect you to eliminate or prevent people from using their real names in their computer names; I'm just saying that making it the default seems like a bad idea, and I'm wondering if Apple has ever looked at this decision from a privacy perspective rather than just a security perspective?

All these services (AFP, FTP, SSH...) are off by default, and anytime you turn these on, you risk someone gaining access to your machine, which is why it's important to have a strong password and to avoid protocols that use clear-text passwords. For the people that are concerned about privacy, they can change their Computer Name to something else. I realize that not everyone knows they can change their Computer Name, so maybe this is something we can improve. For example, the old Setup Assistant on Mac OS 9 had a screen that asked you to choose your Computer Name. We removed that screen in the Mac OS X version to simplify setup, but maybe we could bring it back.


Please file a bug report regarding your concern and we'll consider some possibilities.

Best Regards,

-Marc
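Marc's recipe for question 3, carried out as an added example in Python (this is not code from the post or from Apple): a small script that loads a launchd plist, reports which Bonjour service names the job would register, and writes a copy with the Bonjour key removed. The two sample jobs are constructed and shorter than the real Tiger file; the way the key is located (inside each Sockets entry, holding a boolean, a string or an array of service names) follows launchd.plist(5).

```python
"""Remove the Bonjour advertisement from a launchd service plist.

Added example, not code from the original post or from Apple. It automates the
edit the reply describes for /System/Library/LaunchDaemons/ssh.plist: remove the
"Bonjour" key and its array so launchd no longer registers the service with
mDNSResponder, while sshd itself still starts on demand.

Assumptions: the sample jobs are constructed (the real Tiger file has more keys);
per launchd.plist(5) the Bonjour key sits inside each Sockets entry and may be a
boolean, a string or an array of service names, so all three forms are handled.
"""
import plistlib
import sys
from typing import Dict, Iterator, List

# Constructed sample in the shape of a Tiger-era ssh.plist.
SAMPLE_SSH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.openssh.sshd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/sshd</string>
        <string>-i</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>Bonjour</key>
            <array>
                <string>ssh</string>
                <string>sftp-ssh</string>
            </array>
            <key>SockServiceName</key>
            <string>ssh</string>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed second sample: a boolean Bonjour key, which launchd resolves to
# the socket's SockServiceName.
SAMPLE_BOOL_PLIST = plistlib.dumps(
    {"Label": "example.afp",
     "Sockets": {"Listeners": {"Bonjour": True, "SockServiceName": "afpovertcp"}}}
)


def _socket_dicts(job: Dict) -> Iterator[Dict]:
    """Yield each socket dictionary under Sockets (a value is one dict or a list of dicts)."""
    for entry in job.get("Sockets", {}).values():
        if isinstance(entry, dict):
            yield entry
        elif isinstance(entry, list):
            yield from (e for e in entry if isinstance(e, dict))


def advertised_services(plist_bytes: bytes) -> List[str]:
    """Return the Bonjour service names the job would register, as a flat list."""
    job = plistlib.loads(plist_bytes)
    names: List[str] = []
    for sock in _socket_dicts(job):
        bonjour = sock.get("Bonjour")
        if bonjour is True:
            names.append(str(sock.get("SockServiceName", "")))
        elif isinstance(bonjour, str):
            names.append(bonjour)
        elif isinstance(bonjour, list):
            names.extend(str(n) for n in bonjour)
    return names


def strip_bonjour(plist_bytes: bytes) -> bytes:
    """Return the plist with every Bonjour key removed and nothing else changed."""
    job = plistlib.loads(plist_bytes)
    job.pop("Bonjour", None)  # not where launchd looks, but clear it if present
    for sock in _socket_dicts(job):
        sock.pop("Bonjour", None)
    return plistlib.dumps(job)


if __name__ == "__main__":
    # Usage: python strip_bonjour.py [in.plist [out.plist]]; no args runs on the sample.
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SSH_PLIST
    out = strip_bonjour(src)
    print("advertises before:", advertised_services(src))
    print("advertises after: ", advertised_services(out))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as f:
            f.write(out)
```

Run it against a copy of ssh.plist, install the result over the original as root, and unload and reload the job with launchctl for the change to take effect. Dropping the key only silences the advertisement: sshd still listens on port 22, so the host remains findable by a port scan; it just no longer shows up in anyone's service browser.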
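The exposure Jonas describes in question 4 can be measured rather than estimated. As an added example (not code from the post or from Apple), the script below parses the text printed by `dns-sd -B _workstation._tcp`, replays the Add/Rmv events, and reports which hosts still carry a default-style "Firstname Lastname's Computer" name. The sample browse lines are constructed; the column layout is assumed to match dns-sd's browse output; the "Computer Name [MAC]" form of the _workstation instance name and the model words beyond "Computer" are assumptions.

```python
"""Count default-named hosts in a Bonjour _workstation._tcp browse.

Added example, not code from the original post or from Apple. It gives the
check behind question 4: run `dns-sd -B _workstation._tcp` on the subnet for a
while, feed the captured text to this script, and see how many hosts are still
broadcasting a "Firstname Lastname's Computer" style name.

Assumptions: the column layout (timestamp, Add/Rmv, flags, interface, domain,
service type, instance name) follows dns-sd's browse output; the _workstation
instance name is the Computer Name followed by the MAC address in brackets; the
model words beyond "Computer" are an assumption; the sample lines are
constructed.
"""
import re
import sys
from typing import Dict, Tuple

# Constructed sample in the layout of `dns-sd -B _workstation._tcp`.
SAMPLE_BROWSE = """Browsing for _workstation._tcp
DATE: ---Sat 10 Dec 2005---
16:30:00.000  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
16:30:00.101  Add        3   4 local.               _workstation._tcp.   Jonas Yorg's Computer [00:0d:93:12:34:56]
16:30:00.102  Add        3   4 local.               _workstation._tcp.   Alice Example's Computer [00:0d:93:ab:cd:ef]
16:30:00.103  Add        2   4 local.               _workstation._tcp.   lab-mac-07 [00:0a:95:00:11:22]
16:30:00.104  Add        2   4 local.               _workstation._tcp.   Bob Example's PowerBook G4 [00:11:24:aa:bb:cc]
16:30:01.500  Rmv        1   4 local.               _workstation._tcp.   Alice Example's Computer [00:0d:93:ab:cd:ef]
"""

# One browse event: timestamp, Add/Rmv, flags, interface, domain, type, instance.
BROWSE_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<op>Add|Rmv)\s+\d+\s+\d+\s+\S+\s+"
    r"(?P<type>\S+)\s+(?P<instance>.+?)\s*$"
)
# "<Computer Name> [<MAC>]" as the Directory Services plugin advertises it (assumed).
MAC_SUFFIX = re.compile(r"^(?P<name>.*?)\s*\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]$")
# Setup Assistant style: "<Full Name>'s <model>". "Computer" is what the post
# reports; the other model words are an assumption.
DEFAULT_NAME = re.compile(
    r"^(?P<person>.+?)'s (?:Computer|iMac|eMac|iBook|PowerBook(?: G4)?|Power Mac(?: G5)?|Mac mini)$"
)


def parse_browse(text: str) -> Dict[str, str]:
    """Return {mac: computer name} for hosts still present at the end of the browse.

    Add/Rmv events are replayed in order, so a host that announced and then left
    is not counted.
    """
    present: Dict[str, str] = {}
    for line in text.splitlines():
        m = BROWSE_LINE.match(line)
        if not m or m.group("type") != "_workstation._tcp.":
            continue
        inst = MAC_SUFFIX.match(m.group("instance"))
        if inst:
            key, name = inst.group("mac").lower(), inst.group("name")
        else:  # no MAC suffix: fall back to the instance name itself as the key
            key = name = m.group("instance")
        if m.group("op") == "Add":
            present[key] = name
        else:
            present.pop(key, None)
    return present


def default_named(hosts: Dict[str, str]) -> Dict[str, str]:
    """Return {mac: person's name} for hosts whose Computer Name leaks a real name."""
    leaks: Dict[str, str] = {}
    for mac, name in hosts.items():
        m = DEFAULT_NAME.match(name)
        if m:
            leaks[mac] = m.group("person")
    return leaks


def summarize(text: str) -> Tuple[int, int]:
    """Return (hosts present, hosts with a default-style name)."""
    hosts = parse_browse(text)
    return len(hosts), len(default_named(hosts))


if __name__ == "__main__":
    # Usage: dns-sd -B _workstation._tcp > browse.txt; python leaky_names.py < browse.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROWSE
    hosts = parse_browse(text)
    for mac, person in sorted(default_named(hosts).items()):
        print(f"{mac}  {person!r} -> {hosts[mac]!r}")
    total, leaking = summarize(text)
    print(f"{leaking}/{total} hosts are advertising a default-style name")
```

Because _workstation is advertised by the Directory Services plugin regardless of which services are enabled, this listing needs no open ports on the targets and no packets beyond the multicast queries any Bonjour client already sends, which is the point Jonas makes about passive reconnaissance.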

_______________________________________________
Bonjour-dev mailing list
References: 
 >3 technical & 1 privacy questions :) (From: Jonas Yorg <email@hidden>)


