[EMAIL PROTECTED] on 2000.08.09 20:05:32
>On Wed, Aug 09, 2000 at 04:38:46PM -0400, Noel L Yap wrote:
>> In a good SSH setup, how do untrusted people authenticate themselves
>> as trusted?
>
>They lie to me and I give them a password. Next they attack.

Uhuh.  And how do you manage identification with pserver?  (Also, IMHO, the
clients should generate the key pair (what password are you talking about?) and
give you the public key).

>> With pserver, it's really easy, just steal the .cvspasswd file.
>
>That's actually pretty tough to do. You have to have access to the client
>machine, and likely you don't. The real risk is you could sit at my ISP
>sniffing all the traffic that goes by looking specifically for CVS
>passwords. They're sent "scrambled", but by a well known algorithm so
>you can trivially descramble them--might as well have been sent clear.

So you're saying that it's easier to crack into your server than to crack into
the client servers?  Keep in mind that there are way more clients that can
potentially be insecure than your CVS server.

>This attack pretty much guarantees that if you run pserver and an attacker
>with access to your upstream bandwidth targets you, they can gain access as
>an ordinary user to your pserver. Since CVS is so insecure, they get a
>shell shortly after that.

OK.

>My main defense at this point is that because I've chrooted them, there's
>not a whole lot they can do with that shell except mess with the repository.
>I detect the changes to the repository, invalidate all the passwords, and
>recover the repository. If they continue attacking me I have to move my
>server to different bandwidth and/or switch to ssh security until they
>go away.

So you already keep a separate copy of the repository and you already perform
audits.

>In other words I'm an optimist [sic] and greg is a pessimist. I view something
>as "secure enough" if you can live with the consequences of an attack. He
>views something as "secure enough" only if an attack is not possible
>at all and doesn't place any value on your ability to recover from it.

I think Greg knows no system is impenetrable.

>> What problems have you encountered with regards to SSH?
>
>I ran it for six months and none or few of my WinCVS clients got it working.
>Now some documentation has been posted explaining how to do it, but I can
>see that it's a fairly painful installation. Hopefully that will change soon
>and I can really use the ssh solution.
>
>Greg insists that I make my clients all suffer through hell today in order
>to have a better tomorrow. I don't believe in making people suffer unless
>or until they really have to.
>
>For unix-unix CVS archives I've never had a problem with SSH--works great.
>The issue is Windows and Mac users. Since my application is Java, I actually
>have a substantial number of those people, and they have higher standards
>than unix folks when it comes to ease-of-use of tools.

Well, the solution seems simple to me.  Use your pserver patch (you understand
the risks to yourself, your clients should also understand the risks), but don't
expect it to become part of standard CVS.

Noel
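
Added example, not part of the original message: a small inventory check for the client-side exposure discussed in this thread, listing which stored logins and working copies still use pserver. It assumes the stock CVS client layout (a `~/.cvspass` file and a `CVS/Root` file in each working copy); the function names and the sample data are constructed for illustration.

```python
import re

# CVSROOT syntax assumed here: ":method:[user@]host:[port]/path".
ROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):(?:(?P<user>[^@:]+)@)?"
    r"(?P<host>[^:/]+):(?P<port>\d*)(?P<path>/.*)$"
)

def parse_root(root):
    """Split a CVSROOT string into its parts; None if it has no ':method:' form."""
    m = ROOT_RE.match(root.strip())
    return m.groupdict() if m else None

def audit_cvspass(text):
    """Return one finding per stored pserver login in the text of a .cvspass file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("/1 "):          # newer clients prefix entries with "/1 "
            line = line[3:]
        root, sep, secret = line.partition(" ")
        parts = parse_root(root)
        if not sep or parts is None or parts["method"] != "pserver":
            continue
        findings.append({
            "line": n,
            "user": parts["user"],
            "host": parts["host"],
            "path": parts["path"],
            # A leading "A" marks the scrambled (reversible) storage form.
            "reversible": secret.startswith("A"),
            "empty_password": secret == "A",
        })
    return findings

def roots_using_pserver(roots):
    """Filter CVS/Root contents down to the working copies that talk to pserver."""
    return [r for r in roots if (parse_root(r) or {}).get("method") == "pserver"]

# Constructed sample data (host, users and the stored secret are placeholders).
SAMPLE_CVSPASS = (
    ":pserver:alice@cvs.example.org:/cvsroot Aconstructed\n"
    "/1 :pserver:anonymous@cvs.example.org:2401/cvsroot A\n"
)
SAMPLE_ROOTS = [":pserver:alice@cvs.example.org:/cvsroot",
                ":ext:bob@cvs.example.org:/cvsroot", "/usr/local/cvsroot"]

if __name__ == "__main__":
    for f in audit_cvspass(SAMPLE_CVSPASS):
        print(f)
    print(roots_using_pserver(SAMPLE_ROOTS))
```

Every account reported with `reversible` set is one whose password needs to be invalidated if the client machine or the network path is suspected of compromise.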


