[EMAIL PROTECTED] on 2000.08.09 14:41:15
>On Wed, Aug 09, 2000 at 02:12:50PM -0400, Greg A. Woods wrote:
>> [ On Wednesday, August 9, 2000 at 11:51:34 (-0400), Justin Wells wrote: ]
>> If you grant trust to an untrustworthy party then that's got nothing to
>> do with SSH or CVS!
>
>That's your professional software shop training wheels speaking. In the
>real world I don't really know these people all that well and I do have
>to prepare for the very real possibility that I might be fooled into
>granting access to an untrustworthy person.

Here's a summary of contributed solutions:
1. Don't use CVS.
2. Don't let untrusted people touch the real repository.  Audit all changes made
to the mirror repository.

>If that doesn't fit into your pretty little security analysis worldview
>tough--it's a real, practical, actual problem that I face.

So are the solutions given so far.

>When viewed this way my pserver setup is FAR more secure than your ssh
>setup, because my setup limits the risk I face when someone fools me
>into authorizing their access even though they prove to be untrustworthy.

In a good SSH setup, how do untrusted people authenticate themselves as trusted?
With pserver it's really easy: just steal the .cvspasswd file.

>Your scheme's inability to cope with this ugly property of real life is
>one of the biggest nails in its coffin.

What problems have you encountered with regard to SSH?  I've only encountered
one problem and it's outside the SSH scope (my sysadmin and I disagree on which
version of SSH to use).  There are a bunch of solutions:
1. Use different ports for the different SSH daemons.
2. Use OpenSSH that supports both SSH1 and SSH2.

Noel



This communication is for informational purposes only.  It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.
