Re: SSL pserver, CVS


From: Brian Murphy
Subject: Re: SSL pserver, CVS
Date: Fri, 09 May 2003 23:19:41 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

Mark D. Baushke wrote:

> If it is going to be done, I think it should probably be a command that
> is issued on the existing port rather than reserving a separate port for
> it. The client would issue a command like the "starttls" command used by
> IMAP and POP3 and SMTP clients to request the server begin SASL
> negotiations...
Indeed.

> To be honest, I would rather that everyone just used SSHv2 as the
> transport for CVS client/server. The cvs application is just not secure
> as it stands and trying to hide this fact behind PAM and SASL will just
> confuse people and give them a false sense of security...
SSH reduces security because it gives shell access to a restricted server - it
allows write-enabled cvs users to remove the repository - why take the risk?
Internally in our company I see this as a much greater risk than that of users'
passwords being sniffed. The next step is to encrypt the connection but the
first step is to remove users from having shell access to the server.

SSL/TLS - not SASL. That is encryption, not authentication.
SASL is in principle similar to PAM, but in practice
it seems much more difficult to use. There are very much fewer programs
supporting SASL than PAM. I think I will investigate SASL at the same time
I look into SSL and really find out what it can do for me - perhaps it turns out
to be a better solution than PAM.

/Brian
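The shell-access risk Brian raises is the one OpenSSH forced commands are meant to contain. The script below is an added example, not code from this thread or from the CVS project; it assumes OpenSSH `authorized_keys` syntax and that an `:ext:` CVS client only ever needs `cvs server` to run on the remote side.

```shell
#!/bin/sh
# Added example, not from the bug-cvs thread or the CVS project.
# Assumes OpenSSH authorized_keys syntax: a forced "command=" option makes
# sshd run that command regardless of what the client asks for, so a key
# set up this way can drive "cvs server" (what the :ext: client spawns)
# but cannot open a login shell, run other programs, or forward ports.

# Restrictions applied to every CVS-only key.
CVS_KEY_OPTS='command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# cvs_key_line PUBKEY -> authorized_keys entry that only allows "cvs server".
cvs_key_line() {
    printf '%s %s\n' "$CVS_KEY_OPTS" "$1"
}

# unrestricted_keys FILE -> prints every key entry that has no forced
# command, i.e. every key whose holder still gets a real shell.
unrestricted_keys() {
    awk '!/^[[:space:]]*(#|$)/ && $0 !~ /command="/' "$1"
}

# count_unrestricted FILE -> number of such shell-granting entries.
count_unrestricted() {
    unrestricted_keys "$1" | awk 'END { print NR }'
}

# Demo on a constructed authorized_keys file (placeholder key material).
demo_file=$(mktemp)
cvs_key_line 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY1 alice@cvs-client' > "$demo_file"
printf '%s\n' '# bob still has a full login shell:' \
    'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY2 bob@cvs-client' >> "$demo_file"
echo "Keys granting a shell: $(count_unrestricted "$demo_file")"
unrestricted_keys "$demo_file"
rm -f "$demo_file"
```

The forced command limits what sshd will execute; what `cvs server` may then do to the repository is still governed by file permissions on the repository itself.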