On Wed, Aug 09, 2000 at 04:38:46PM -0400, Noel L Yap wrote:
> In a good SSH setup, how do untrusted people authenticate themselves
> as trusted?
They lie to me and I give them a password. Next they attack.
> With pserver, it's really easy, just steal the .cvspasswd file.
That's actually pretty tough to do. You have to have access to the client
machine, and likely you don't. The real risk is you could sit at my ISP
sniffing all the traffic that goes by looking specifically for CVS
passwords. They're sent "scrambled", but by a well known algorithm so
you can trivially descramble them--might as well have been sent clear.
This attack pretty much guarantees that if you run pserver and an attacker
with access to your upstream bandwidth targets you, they can gain access as
an ordinary user to your pserver. Since CVS is so insecure, they get a
shell shortly after that.
My main defense at this point is that because I've chrooted them, there's
not a whole lot they can do with that shell except mess with the repository.
I detect the changes to the repository, invalidate all the passwords, and
recover the repository. If they continue attacking me I have to move my
server to different bandwidth and/or switch to ssh security until they
go away.
So yes, there are serious and real problems with pserver. The only thing
that Greg and I differ over is whether or not we're willing to live with
the risk.
I am willing to live with it. If it happens, I may be forced to switch
to ssh by an ongoing attack--but I'm not going to cause all my clients to
jump through hoops over attacks that will probably never happen, and won't
really do very much damage if they do happen.
In other words I'm an optimist and Greg is a pessimist. I view something
as "secure enough" if you can live with the consequences of an attack. He
views something as "secure enough" only if an attack is not possible
at all and doesn't place any value on your ability to recover from it.
I guess it boils down to whether you think "I can recover from it" is a
valuable part of a system's security or not.
> What problems have you encountered with regards to SSH?
I ran it for six months and none or few of my WinCVS clients got it working.
Now some documentation has been posted explaining how to do it, but I can
see that it's a fairly painful installation. Hopefully that will change soon
and I can really use the ssh solution.
Greg insists that I make my clients all suffer through hell today in order
to have a better tomorrow. I don't believe in making people suffer unless
or until they really have to.
For unix-unix CVS archives I've never had a problem with SSH--works great.
The issue is Windows and Mac users. Since my application is Java, I actually
have a substantial number of those people, and they have higher standards
than unix folks when it comes to ease-of-use of tools.
Justin
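The "detect the changes to the repository, then recover" part of the argument above rests on being able to tell what an intruder touched. The following is an added example, not code from the thread or from CVS itself: a small Python integrity check that hashes every file under a repository root, stores the result as a baseline manifest, and later reports added, removed and modified files. The directory layout (a `CVSROOT` administrative directory plus a `project` module with an RCS `,v` file) and the file contents are constructed for the demo; the real baseline path and repository root are assumptions to be filled in for a real deployment.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large ,v files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, path) -> None:
    # The baseline must live somewhere a compromised pserver account cannot
    # write to, otherwise an intruder simply re-baselines after tampering.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a toy repository, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d) / "cvsroot"          # assumed repository root
        baseline_path = Path(d) / "baseline.json"  # assumed off-repository location
        (repo / "project").mkdir(parents=True)
        (repo / "CVSROOT").mkdir()
        (repo / "project" / "main.java,v").write_text("head 1.1;\n")
        (repo / "CVSROOT" / "passwd").write_text("alice:constructed-hash\n")

        save_manifest(build_manifest(repo), baseline_path)

        # Simulated tampering by someone holding a shell as the pserver user:
        # one history file rewritten, one admin file dropped, one admin file added.
        (repo / "project" / "main.java,v").write_text("head 1.2;\n")
        (repo / "CVSROOT" / "passwd").unlink()
        (repo / "CVSROOT" / "loginfo").write_text("# constructed content\n")

        return diff_manifests(load_manifest(baseline_path), build_manifest(repo))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken right after a known-good backup and stored off the pserver host; the scan runs from a separate account or machine on a schedule, and any non-empty diff that does not match a legitimate commit is the signal to invalidate passwords and restore from that backup, which is the recovery loop the message describes.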