
Re: Fw: need to force username of cvs 'action' when using shared SSH

From: Larry Jones
Subject: Re: Fw: need to force username of cvs 'action' when using shared SSH
Date: Tue, 4 May 2004 16:31:38 -0400 (EDT)

Keith Refson writes:
> I suspect this attitude may be born of an ignorance of how
> SSH works and what it is capable of.

On the contrary, I know quite well what SSH is capable of.  But people
do run CVS without using SSH, you know, and the environment is normally
under the control of the *user*.  Sure, if you happen to be running it
from a correctly-configured SSH you can control the environment (at
least partially), but CVS doesn't have any way to know whether it's
being run that way or not.  If it's not, then trusting the environment
would let anyone commit as anyone else without requiring any
authorization whatsoever.  You can complain that pserver's authorization
isn't very secure, but at least it exists.

-Larry Jones

I always send Grandma a thank-you note right away.  ...Ever since she
sent me that empty box with the sarcastic note saying she was just
checking to see if the Postal Service was still working. -- Calvin
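An added example, not part of the original message and not CVS source code: a C illustration of the point above, that a program cannot tell whether its environment was set by a trusted wrapper or by the user, so a name taken from it is only a claim. The variable `EXAMPLE_COMMIT_AUTHOR` and all function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical variable name for this example; not a real CVS setting. */
#define AUTHOR_ENV "EXAMPLE_COMMIT_AUTHOR"

/* Identity the OS holds for this process; the caller cannot set it freely. */
const char *os_identity(void)
{
    static char name[64];
    struct passwd *pw = getpwuid(getuid());

    if (pw != NULL)
        snprintf(name, sizeof name, "%s", pw->pw_name);
    else    /* no passwd entry (e.g. minimal container): use the numeric uid */
        snprintf(name, sizeof name, "uid-%lu", (unsigned long)getuid());
    return name;
}

/* Weak: records whatever name the environment supplied. */
const char *author_trusting_env(const char *claimed)
{
    return (claimed != NULL && *claimed != '\0') ? claimed : os_identity();
}

/* Hardened: the author is always the OS identity. Returns 0 if the
 * environment made no claim or agreed with the OS, -1 if it claimed
 * a different name (worth logging as an impersonation attempt). */
int author_from_os(const char *claimed, const char **author)
{
    *author = os_identity();
    if (claimed == NULL || *claimed == '\0')
        return 0;
    return strcmp(claimed, *author) == 0 ? 0 : -1;
}

int main(void)
{
    const char *claimed = getenv(AUTHOR_ENV);
    const char *author;
    int rc = author_from_os(claimed, &author);

    printf("trusting env: %s\n", author_trusting_env(claimed));
    printf("from OS:      %s%s\n", author, rc ? " (env claim rejected)" : "");
    return 0;
}
```

Under a shared login account the OS identity is the shared account itself, which is why the per-user name has to come from whatever authenticated the connection rather than from a variable the client can set.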
