[EMAIL PROTECTED] on 2000.07.18 15:36:53
>>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:
>
>>> connection/keys/whatever it is using the proper private key (in
>>> other words, a private key with a corresponding & appropriate
>>> public key already known to the server).
>
>NLY> No, this doesn't guarantee it.  For example, if the OpenSSH
>NLY> client sent this info over the server, I can build OpenSSH in
>NLY> such a way that it will always send the wrong info over.  I'll
>NLY> still have proper keys and everything, but the username info will
>NLY> have been spoofed.
>
>If OpenSSH client will always send wrong info (I mean username and
>password here), then cvs-server will never authenticate it ;)

I think we're arguing different points here.  My point is that the OpenSSH
client can send over a valid CVS username and password.  It's just that the
username/password doesn't belong to the client.  IOW, it doesn't protect against
non-repudiation.

Noel


