Re: PAM authentication patch

bug-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2

From:	Mark D. Baushke
Subject:	Re: PAM authentication patch - v2
Date:	Wed, 16 Apr 2003 00:54:05 -0700

Brian Murphy <brian@murphy.dk> writes:

> Mark D. Baushke wrote:
> 
> >I doubt I can convince you of how evil it is to send passwords in the
> >clear for your :pserver: connections to cvs. I just shudder to think of
> >folks seeing that cvs support PAM and thinking for some reason that it
> >is not leaking their passwords in a large number of ways.
> >
> >
> PAM also works with telnet. I don't think anyone thinks a PAM enabled login
> via telnet is any more secure than an ordinary passwd based login.

Some telnet versions allow for encryption either using SSL or are
GSSAPI-based.

In addition, there are many security pages documenting the 'evils' of
using telnet and suggesting that all right-minded people move to a
secure remote connection mechanism of some kind.

It should also be noted that folks have spend a bit of effort trying to
remove security flaws from telnet and telnetd and that a similar such
effort has not been contemplated for cvs which is inherently NOT secure.

        -- Mark

[Prev in Thread]

Current Thread

[Next in Thread]

Re: PAM authentication patch - v2, (continued)

Prev by Date: Re: PAM authentication patch - v2
Next by Date: Pin # 6891, Account Pending for address@hidden
Previous by thread: Re: PAM authentication patch - v2
Next by thread: Re: PAM authentication patch - v2
Index(es):
- Date
- Thread