On Wed, Aug 09, 2000 at 05:36:32PM -0400, Greg A. Woods wrote:
> [ On Wednesday, August 9, 2000 at 14:32:47 (-0400), Justin Wells wrote: ]
> > Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
> >
> > Is it as easy for a WinCVS user to set up ssh as it is to set up pserver?
>
> It should be -- if they don't already have SSH installed they're already
> long behind the game.

Hardly any of them have ssh installed already. Many of them never connect
to Unix systems other than mine. Those that do tend to use terminal
programs that have ssh compiled in but which are not suitable for
use with WinCVS.

> It's not really a WinCVS issue since it's a separate tool that's only
> called upon by CVS, which is called upon by WinCVS. In any case it's
> not "lots of extra software" -- it's one more program, and it's not very
> hard to configure either.

It's a bunch of command line crap that you have to do exactly right, and
the steps are non-obvious to Windows people (who ever heard of /usr/bin?).
Not exactly what Windows folk are used to.
This stuff needs to be built into WinCVS.

> NO, "We" did not go through a risk analysis, and I did not agree that
> every risk was acceptable given your costs and the apparent value of
> your project. In fact *I* did nothing of the sort.
You never came up with a risk that I hadn't already decided I could tolerate.

> Well first of all I've not gained a secure cvspserver -- that's an
> oxymoron, an impossibility.
You have a more secure pserver. One in which you can recover from an
attack after it happens. That's a hell of a lot better than the previous
pserver, where an attack leads to a root shell.

> However with SSH on a dedicated system you
> have something that cannot be attacked by an unauthorised user!
But authorized users get root shells. Great. Now you are making me, the
poor naive human, the weak link in the system. I don't like that. I'm
not a good judge of character.

> No, they couldn't -- there's still the issue of establishing identity
> and trust, and there's also that little matter of accountability that
> you seem to be so very good at forgetting. TANSTAAFL.
What accountability? This is the internet we're talking about, I don't
really know who these people are. So I know it was "John Smith" that
attacked me, assuming that really is his name. What do I do about it?
In the absence of a credible answer to the "what do I do about it"
question you need to be able to *recover* from the attack--accountability
is not quite as important, other than you need to know which password
to disable.

> Chroot buys you very little if you've done everything else you need to
> do and since it's "hard" to set up right it's usually much more secure
> to simply design a solution that doesn't require it!
Which you have failed to do because authenticated users get root shells
under your scheme and at that point it's game over. All you have to do
is make a single mistake when assessing prospective contributors and your
entire security scheme goes down in flames. Not good.

Justin