Re: ANN: cvssh - secure ext-to-pserver bridge

[Paul Sander]

>--- Forwarded mail from Greg Woods

>> 2. Using SSH requires giving the users a unix account on
>>    the server, rather than pserver's per-repository user
>>    list.

>Duh.  If you're doing authentication and authorisation on a unix-based
>file server then you MUST, _M_U_S_T_ use a unique system account for
>ever real-world user or else you might as well not use any
>authentication whatsoever.  Pserver has NO accountability from the
>system's point of view.  None whatsoever.  Don't use pserver.  Ever.

What I don't understand is why it's necessary to give people accounts on a
system in order to permit them to store data on them.  Take database servers,
for example, which rely on the applications to authenticate and pass along
the identity of users to be recorded faithfully by the engine.  The trick
there is the make sure that the connection to the client is secure, but you
don't need individual user accounts for that.

While I agree that on MY systems I really do want to record the user IDs
of real users with my data, but I can think of several reasons to keep an
application-specific user database that's separate from the operating
system's and keep a very small user database to provide tighter control
over access to the actual machine.

>--- End of forwarded message from address@hidden