[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fw: need to force username of cvs 'action' when using shared SSH account

From: Keith Refson
Subject: Fw: need to force username of cvs 'action' when using shared SSH account
Date: Wed, 05 May 2004 10:26:24 +0100
User-agent: Mozilla Thunderbird 0.5 (X11/20040229)

I'm making a great efford not to be sarcastic in this response.  There's
a genuine argument to be made here and I hope that there may be one or
two readers who can be convinced by reasonable debate. I'm not interested in just having an argument, but in making a case.

Greg Woods wrote:

I just cannot possibly ever even conceive of anyone using a "shared SSH

Since Jennifer Vesperman, the author of "Essential CVS", I and a few other posters obviously can conceive of such a thing I respectfully suggest this comment demonstrates a lack of imagination.

The very concept is entirely antithetical to the goals of SSH and
computing security in general.

With a shared SSH account you have a complete audit trail of who logged in when. No passwords are involved at all, even encrypted. This gives a far higher degree of security than passwords would. You have the ability to prevent users changing their environment to prevent subversion of any
restrictions you might want to place on the account. You have the
ability to specify *exactly* what command gets executed.  And you can
use this from an account running a restricted  shell (recommended for
applications like CVS which make no claims to implement a security model
-- please correct me if I am wrong about this).  If you have very high
security requirements you could even do  this from a CHROOTed

Please explain how any of these capabilities are "antithetical to the goals of SSH". Because I genuinely don't see how.

You may as well just use pserver in the clear and be very explicit and
forthright about your total lack of security.

[[ And yes, I do intend that comment to be very sarcastic. ]]

I still maintain and believe I have demonstrated that you can do better than that using a shared ssh mechanism. Perhaps it would be easier to
comprehend if we dropped the word "account" and its baggage of
associations from the discussion. Perhaps a better way of thinking about it is extablishing a public-key authentication mechanism to allow
precisely controlled access to a resource.

Keith Refson

reply via email to

[Prev in Thread] Current Thread [Next in Thread]