[EMAIL PROTECTED] on 06/06/2000 12:08:27 AM
>[ On Monday, June 5, 2000 at 14:38:05 (-0400), Noel L Yap wrote: ]
>> Subject: SRP implementation in CVS
>>
>> Has anyone thought of implementing SRP in CVS?  FYI, SRP stands for Secure
>> Remote Password.
>
>IN?  That's not the way it works Noel!  Keep the security gunk OUT of
>CVS!  ;-)

CVS already has security stuff in it (ie pserver).  Are you suggesting that
pserver be removed?  If not, I was suggesting using the SRP protocol to make
pserver more secure.

>It should be used as a wrapper -- it would open the connection securely
>and would be used with CVS_RSH.  It may already be useable, just like
>SSH is, if you can find someone who's already linked it into either the
>standard rsh/rlogin/rcp suite, or someone who's added it as a new
>authentication method for SSH itself.  (Both ideas have been discussed
>on the SRP mailing list, but I'm not aware if anyone's actually done
>either or not.)

I'll investigate this design/implementation as well.

>>  The protocol enables password authentication without sending
>> passwords through the wire either in plaintext or encrypted.  I'm thinking this
>> protocol, coupled with cookie (ie .cvspass) aging, would greatly increase the
>> security of pserver.
>
>No, it wouldn't, at least not without keeping the connection initiation,
>authentication, and authorisation completely separate from CVS itself.

At the very least, SRP would prevent MITM attacks.  The current pserver
implementation does not.

.cvspass aging would help with the problem of attackers figuring out your
password and using it.

I understand your point of keeping CVS minimal.  I'll see if the pserver
authentication can be changed in such a way as to use something outside of CVS.
I'll also look into using CVS_RSH to use SRP.

Noel
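The exchange the thread is discussing, as an added example that is not code from the thread, from CVS or from any SRP library: a stdlib-only SRP-6a run in the RFC 5054 shape, with both the client and the server side, showing that the server stores only a salt and verifier, that the password never crosses the wire, and that a wrong password fails the proof step. Assumptions: SHA-256 is used where RFC 5054 specifies SHA-1, the proof messages M1/M2 are the simplified H(A|B|K) / H(A|M1|K) forms rather than the RFC 2945 ones, the 1024-bit group is the RFC 5054 Appendix A value transcribed here (and checked as a safe prime before use), and the `run_exchange` driver plays both parties in one process instead of over a socket.

```python
"""SRP-6a password-authenticated key exchange, RFC 5054 style, stdlib only."""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A (transcribed; validated
# by is_safe_prime() before trusting it), generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # byte length used by PAD()


def _pad(n):
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(N_LEN, "big")


def _H(*parts):
    """SHA-256 over the concatenated parts, read back as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used only to sanity-check the group parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(n):
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


k = _H(_pad(N), _pad(g))  # SRP-6a multiplier parameter


def _x(username, password, salt):
    return _H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username, password):
    """Enrolment: the server keeps only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _x(username, password, salt), N)


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)  # private a, public A (sent to the server)


def server_start(v):
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N  # private b, public B (sent to client)


def client_finish(username, password, salt, a, A, B):
    """Client derives the session key K and its proof M1 from the server's B."""
    if B % N == 0:
        raise ValueError("invalid server value B")
    u = _H(_pad(A), _pad(B))
    x = _x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(_pad(S)).digest()
    return K, hashlib.sha256(_pad(A) + _pad(B) + K).digest()


def server_finish(v, b, A, B, M1):
    """Server derives K from the stored verifier, checks M1, answers with M2."""
    if A % N == 0:
        raise ValueError("invalid client value A")
    u = _H(_pad(A), _pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = hashlib.sha256(_pad(S)).digest()
    if not secrets.compare_digest(hashlib.sha256(_pad(A) + _pad(B) + K).digest(), M1):
        return None  # proof mismatch: wrong password (or tampered A/B)
    return K, hashlib.sha256(_pad(A) + M1 + K).digest()


def client_verify(A, M1, K, M2):
    return secrets.compare_digest(hashlib.sha256(_pad(A) + M1 + K).digest(), M2)


def run_exchange(username, password, salt, v):
    """One login attempt against stored (salt, v); True only on mutual proof."""
    a, A = client_start()
    b, B = server_start(v)
    K_c, M1 = client_finish(username, password, salt, a, A, B)
    result = server_finish(v, b, A, B, M1)
    if result is None:
        return False
    K_s, M2 = result
    return K_c == K_s and client_verify(A, M1, K_c, M2)
```

Only A, B, M1 and M2 travel between the parties; a listener sees no password-derived value it could replay, and a party that does not hold the verifier cannot produce a B the client will accept a matching M2 for, which is the MITM property the thread raises. The A and B modulo-N checks are the ones RFC 5054 requires so that a zero value cannot force a predictable session key.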