[ On Tuesday, June 6, 2000 at 08:48:09 (-0400), Noel L Yap wrote: ]
> Subject: Re: SRP implementation in CVS
>
> CVS already has security stuff in it (i.e. pserver).  Are you suggesting that
> pserver be removed?

Yes, absolutely!  I've been saying cvs-pserver should be ripped out over
and over again for so long that I'm sure many readers in this group
think I'm a broken record!  ;-)

>  If not, I was suggesting using the SRP protocol to make
> pserver more secure.
> At the very least, SRP would prevent MITM attacks.  The current pserver
> implementation does not.

Not 100% -- at least not without adding secure session encryption too
(TCP sessions are far from 100% secure in their raw form).  It didn't
seem that this was part of your proposal, though you may very well have
intended it to be.

> .cvspass aging would help with the problem of attackers figuring out your
> password and using it.

True, but I think that's a separate issue.

> I understand your point of keeping CVS minimal.  I'll see if the pserver
> authentication can be changed in such a way as to use something outside of CVS.
> I'll also look into using CVS_RSH to use SRP.

I did a few more searches too and as yet I've not found anyone who
claims to have actually integrated SRP into rsh et al -- just
discussions that suggest it is possible, and perhaps "easy".

I've been kind of ignoring SRP in favour of SSH for general use because
I've been too lazy to find the time to do the integration myself.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
