From: | Jesús M. NAVARRO |
Subject: | Re: ANN: cvssh - secure ext-to-pserver bridge |
Date: | Mon, 11 Mar 2002 14:19:19 +0100 |
User-agent: | Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.8) Gecko/20020307 |
Hi, David:

David A. Desrosiers wrote:
Duh. If you're doing authentication and authorisation on a unix-based file server then you MUST, _M_U_S_T_ use a unique system account for every real-world user or else you might as well not use any authentication whatsoever. Pserver has NO accountability from the system's point of view. None whatsoever. Don't use pserver. Ever.
[...]
Also, giving a user a shell, even chrooted, or blocked from the ability to log in, consumes much more process and resources on the box, and definitely scales linearly, and is open to much more exploitable holes than what pserver provides. The risk of sniffing the password is nil using pserver, since obtaining it gives the "cracker" exactly nothing. Are they going to commit code on our behalf? Unlikely. Delete a tag? We can roll back out. It's all negligible.
Not to say you are not offering some sensible insights here, but what you're saying is that your code is not a valuable asset: they can check in, but they can check out too and steal your code (wasn't it said that somebody in Russia did this with Win2000 code?). Well, if you don't mind someone else having access to your code you could release it as open source, couldn't you?
-- Cheers, Jesus *** address@hidden *** From Zaragoza, looking for a job - http://www.geocities.com/jesusm_navarro/CV/cv.html
***