[EMAIL PROTECTED] on 06/06/2000 12:38:43 PM
>[ On Tuesday, June 6, 2000 at 08:48:09 (-0400), Noel L Yap wrote: ]
>> Subject: Re: SRP implementation in CVS
>>
>> CVS already has security stuff in it (ie pserver). Are you suggesting that
>> pserver be removed?
>
>Yes, absolutely! I've been saying cvs-pserver should be ripped out over
>and over again for so long that I'm sure many readers in this group
>think I'm a broken record! ;-)
On one hand I'd like to keep CVS minimal. OTOH, I'd like to minimize the
involvement of sysadmins. Perhaps SSH or a cvs wrapper /is/ solution to both
problems (eg have read-only users SSH into one read-only CVS account in which
they can only do "cvs server" or have something else do the authentication).
I'm not completely convinced yet; I'll have to analyze it a bit more.
>> If not, I was suggesting using the SRP protocol to make
>> pserver more secure.
>> At the very least, SRP would prevent MITM attacks. The current pserver
>> implementation does not.
>
>Not 100% -- at least not without adding secure session encryption too
>(TCP sessions are far from 100% secure in their raw form). It didn't
>seem that this was part of your proposal, though you may very well have
>intended it to be.
Yes, I should've been more specific as to what part of CVS would be affected.
To clarify the proposal, "cvs login" would be changed to use the SRP protocol.
I'm starting to think this would bloat CVS since it would introduce some
encryption algorithms.
Also, from what I've read of SRP, it does prevent MITM attacks even though the
protocol doesn't encrypt what goes on the wire. In the end, the user and host
share a common session key but anyone eavesdropping can't derive that session
key nor will they ever catch the key since it's never transmitted.
>> .cvspass aging would help with the problem of attackers figuring out your
>> password and using it.
>
>True, but I think that's a separate issue.
Yes, this is a separate issue. It would involve, though, better "encryption" of
the password than what exists now.
>> I understand your point of keeping CVS minimal. I'll see if the pserver
>> authentication can be changed in such a way as to use something outside of
CVS.
>> I'll also look into using CVS_RSH to use SRP.
>
>I did a few more searches too and as yet I've not found anyone who
>claims to have actually integrated SRP into rsh et al -- just
>discussions that suggest it is possible, and perhaps "easy".
I've seen telnet implementations that use it and one site (duke) that uses a
Java telnet applet using SRP.
>I've been kind of ignoring SRP in favour of SSH for general use because
>I've been too lazy to find the time to do do the integration myself.
I might fall into the same bucket ;) But since I have some time on my hands
right now, I'm doing some research.
Noel
This communication is for informational purposes only. It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.
