On Fri, Aug 11, 2000 at 08:35:03AM -0400, Noel L Yap wrote:

> I see.  So the conversation might go something like:
> Client: Hey, why was my user id shut down?
> You: Oh, your user id was used for some hacking.
> Client: It wasn't me.  I was framed.
> You: Oh, OK, I'll give you a new user id.

Yes. And then watch them carefully after that. And if I suffer repeated 
attacks of this kind I guess I'd have to do something at that point, like
maybe switch to ssh. But I'm not going to raise any barriers to development
until I have to.

Another approach is to have inetd log the IPs of each connection. That's
also spoofable, but it raises the bar again.

> Now, considering that you're assuming you don't even know who "Client" is and
> even if they are who they say they are, how are you then sure that they are
> telling the truth in the above conversation?

I don't. I use my limited judgment of human character to decide what to do.

Justin
