On Fri, Aug 11, 2000 at 01:38:52AM -0400, Greg A. Woods wrote:
> What's wrong with that is that you still have almost zero
> accountability. Under cvspserver anyone can be anyone with only a very
> few tricks up their sleeves. That simply cannot possibly ever happen
> with SSH.

Wrong again. When pserver is authenticating with real Unix UIDs, there is
no way for someone to fool CVS into changing their UID. CVS can't do it.

> > > But the real culprit gets away. This wouldn't happen with SSH.
> >
> > The culprit gets away no matter what. There's nothing I can do to
> > them even if I find out which email address is really associated
> > with the attack.
>
> No, with SSH the culprit cannot "get away". You've got a finger
> pointing right at them, and a mound of evidence to show what they did,
> when, and how. I.e. you have a counter-threat, and possibly one that's
> far more powerful than the threat they posed to you earlier.

OK, so I know that "[EMAIL PROTECTED]" has broken into my box. Do I
know that this person is really you? Or are they someone pretending to
be you? And what do I do about it?

Since the answer is I have no idea who they are and there's not a damn
thing I can do about it, I don't see your point at all.

All I know is which password to disable. And I knew that with the pserver
solution as well. So what's the difference?

Justin