info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVS & SSL


From: Greg A. Woods
Subject: Re: CVS & SSL
Date: Wed, 23 May 2001 14:20:08 -0400 (EDT)

[ On Wednesday, May 23, 2001 at 10:30:22 (-0400), Derek R. Price wrote: ]
> Subject: Re: CVS & SSL
>
> Yes there is.  The connection can no longer be sniffed.  Stealing a
> user's password would now require access to the user's machine to read
> the .cvspass file.

Maybe you forget that most security issues come from within.  I don't
know how hard it would be to break but I suspect your connections are
all protected by the very same key (after all you only have one real
identity at the server side and you've got to negotiate the secure
connection *before* anything inside CVS can be used to identify the fake
identity).

> Because this works without setting up a permanent tunnel.  That's one
> less step of overhead involved in connecting.  Your typical user
> doesn't want to worry about establishing a tunnel.  They want their
> client to connect.

You don't have to set up a permanent tunnel, but a session tunnel
(started when the user first boots his client, or whatever) is certainly
more efficient than setting up a secure connection per CVS invocation.

> Hacks are always unecessary.  This one happens to be somewhat useful,
> simple, and fits tidily in with the existing code.

hmmm...  I'd rather see pserver ripped out entirely.  It's not even
necessary for anonymous access.  What a waste of effort......

>  Besides, the pserver operation can now be tested locally (except for
> the tcp code, which wasn't being tested anyhow) by shoving 'cvs
> --allow-root=... pserver' in as the "socket provider".  I have my
> entire sanity.sh script running that way with only a few
> modifications.  This is also useful.

You're running your builds and sanity.sh as root?  What a major major
mistake that is!  You're probably wide open to remote root-level hacks!
(they're just not directly obvious, and a bit harder to hide from
audits)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]