Re: Fw: need to force username of cvs 'action' when using shared SSH acc

From: Greg A. Woods
Subject: Re: Fw: need to force username of cvs 'action' when using shared SSH account
Date: Wed, 5 May 2004 16:33:18 -0400 (EDT)

[ On Wednesday, May 5, 2004 at 10:26:24 (+0100), Keith Refson wrote: ]
> Subject: Fw: need to force username of cvs 'action' when using shared SSH 
> account
> I'm making a great effort not to be sarcastic in this response.  There's
> a genuine argument to be made here and I hope that there may be one or
> two readers who can be convinced by reasonable debate. I'm not 
> interested in just having an argument, but in making a case.

There is no "genuine argument" here whatsoever.

There is only very serious and fundamental mis-understanding of the
basic premises surrounding computing security.

> Greg Woods wrote:
> > I just cannot possibly ever even conceive of anyone using a "shared SSH
> > account".
> Since Jennifer Vesperman, the author of "Essential CVS",  I and a few 
> other posters obviously can conceive of such a thing

Then y'all apparently don't realize that what you're trying to
accomplish simply cannot ever possibly be done in the way you've
proposed it.

> I respectfully 
> suggest this comment demonstrates a lack of imagination.

Until and unless you pay attention to the very basic requirements of
computing security then you're only living in your own imagination and
what you believe to be true has no foundation in the real world
whatsoever.  I.e. you have no ground to stand on.

> With a shared SSH account you have a complete audit trail of who logged 
> in when.

NO, you most definitely DO NOT.

That's the very nature of the word "shared" here.

In order to have accountability in any computing system there must be a
unique internal identifier (username) for every human user.

In order to have integrity of audit trails these identifiers _must_ be
unique at the OS level.  That means having separate SSH accounts for
every individual human user (as well as of course having strong
identification and authentication mechanisms).

So, until you get these basics done right all you've got is a big
steaming stinking pile of unnecessary complexity and a false sense of
security where there is NONE whatsoever.

If you don't fully understand and work within the basic security model
of the host OS you're running your applications on then you're never
really going to get anywhere useful in terms of your security

> Please explain how any of these capabilities are "antithetical to the 
> goals of SSH".  Because I genuinely don't see how.

SSH is designed to facilitate secure access to a multi-user
POSIX-compatible system in a way that works with the security model
provided by such a system.  However if it is not used in a secure manner
then it provides no real security whatsoever.

> > You may as well just use pserver in the clear and be very explicit and
> > forthright about your total lack of security.
> I still maintain and believe I have demonstrated that you can do better 
> than that using a shared ssh mechanism.

No, you most certainly cannot ever do any better than pserver with
anything using a shared account and you are only fooling yourself (and
those you've convinced to listen to you) if you think otherwise.

You are continuing to ignore or misunderstand the underlying OS security
model here, and you are still trying to misuse it.

                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>
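
Added example, not part of the original message: a Python script that finds accounts matching the message's sense of "shared" by reading sshd's accepted-login lines and flagging any OS username that authenticated with more than one public key. The log lines, host name, addresses and fingerprints are constructed, and the line format assumed is the one current OpenSSH writes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format current OpenSSH sshd writes for
# logins; the host, addresses and fingerprints are made up.
SAMPLE_LOG = """\
May  5 09:01:12 repo sshd[2101]: Accepted publickey for cvs from 192.0.2.10 port 40112 ssh2: RSA SHA256:EXAMPLEKEYAAAA
May  5 09:14:40 repo sshd[2144]: Accepted publickey for cvs from 192.0.2.23 port 51880 ssh2: RSA SHA256:EXAMPLEKEYBBBB
May  5 09:20:03 repo sshd[2150]: Accepted publickey for alice from 192.0.2.10 port 40230 ssh2: ED25519 SHA256:EXAMPLEKEYCCCC
May  5 09:31:55 repo sshd[2203]: Failed password for cvs from 198.51.100.7 port 39022 ssh2
May  5 10:26:24 repo sshd[2290]: Accepted publickey for cvs from 192.0.2.10 port 40377 ssh2: RSA SHA256:EXAMPLEKEYAAAA
May  5 11:02:09 repo sshd[2312]: Accepted password for bob from 192.0.2.40 port 60001 ssh2
"""

# Successful logins only; the key type and fingerprint are present for
# public-key authentication and absent for password authentication.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+ ssh2(?:: \S+ (?P<fp>\S+))?"
)

def logins_by_account(log_text):
    """Map each OS username to the key fingerprints and source addresses seen."""
    seen = defaultdict(lambda: {"keys": set(), "addrs": set(), "count": 0})
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        entry = seen[m["user"]]
        entry["count"] += 1
        entry["addrs"].add(m["addr"])
        if m["fp"]:
            entry["keys"].add(m["fp"])
    return dict(seen)

def shared_accounts(log_text):
    """Return usernames that accepted logins from more than one distinct key."""
    accounts = logins_by_account(log_text)
    return sorted(u for u, e in accounts.items() if len(e["keys"]) > 1)

if __name__ == "__main__":
    accounts = logins_by_account(SAMPLE_LOG)
    for user in shared_accounts(SAMPLE_LOG):
        e = accounts[user]
        print(f"{user}: {e['count']} logins, {len(e['keys'])} keys, "
              f"{len(e['addrs'])} addresses")
```

The fingerprint appears only in sshd's own login line; whatever the OS records afterwards under that username (file ownership, process accounting) carries the single shared name.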
