Greg A. Woods [mailto:[EMAIL PROTECTED]] wrote:

> It would be much Much MUCH better to begin to deprecate any and all
> support for "cvs" passwords than to give any further support to the
> false illusion of any security someone might pretend to see in them.
>
> CVS pserver support is, just barely, safely usable _only_ for truly
> anonymous access (which normally also means read-only access) (and only
> then when there's some underlying network integrity protection),
> regardless of how your network works, which clients you use, etc.
>
> _ANYONE_ considering the use of some tool like CVS obviously also needs
> at least some degree of true security (i.e. authentication,
> accountability, _and_ integrity) -- otherwise they're doing worse than
> fooling themselves (they're fooling _everyone_ involved with using their
> repository).

OK, I'm going to play dumb here (please, no accusations of "playing" :-). Why is this level of security so important? Exactly what are the security attacks you're concerned with?
Well, clearly pserver is not secure because the password is sent effectively in plain text, allowing anyone with a packet sniffer to retrieve CVS passwords. That's a big no-no on the security level. But this is well documented in the Cederqvist - as I recall, it says something along the lines of "if you want real security, don't use pserver."

Let's look at where pserver will probably be used. It will not (if the CVS admins have any sense) be used on repositories that are accessible from "outsiders" (the Big Bad Internet, for example). Network access to the server will be restricted.

This divides the attackers into two categories: the insiders and the outsiders.

We can pretty much discount the outsiders - they'll have to hack through firewalls, etc. to get in, and are more likely to find other servers much more interesting than CVS. Unless you think that I'm underestimating the mindset of corporate raiders, who might actually do this kind of hacking to get at a competitor's intellectual property.

For the insiders, again there's a limit to how much the attacker can do. Most users only want to know enough to run the basic checkin/checkout commands. Unless they have direct access to the repository, there is very little damage they can do that cannot be fairly easily undone. For the knowledgeable user who knows how to inflict real damage on the repository, *and* who has the desire to inflict such damage, moving to a more secure protocol like Kerberos will probably slow them down, but will not, in the end, stop them from harming the repository.

To paraphrase the well-known saying, pserver is there to keep honest people honest.

I can envision a wide range of theoretical attacks that someone _could_ do. But who would actually _do_ those attacks?

So, where am I deluding myself?

> I.e. please do not pretend you can gain anything by pretending to make
> the CVSROOT/passwd file harder to mess with.
That's a good point - as Bruce Schneier, author of "Applied Cryptography" and a computer security expert, is fond of saying: security is only as good as its weakest link. For pserver, access to the passwd file is not the weakest link by any means. Moving the file to a different location will not significantly improve its inherent insecurity.

-- 
Jim Hyslop
Senior Software Designer
Leitch Technology International Inc. (<http://www.leitch.com/>)
Columnist, C/C++ Users Journal (<http://www.cuj.com/experts>)

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
