Re: Linux security issues as they pertain to CVS
From: Derek R. Price
Subject: Re: Linux security issues as they pertain to CVS
Date: Wed, 30 May 2001 09:23:20 -0400
"Greg A. Woods" wrote:
> [ On Tuesday, May 29, 2001 at 09:18:33 (-0500), Thornley, David wrote: ]
> > Subject: RE: Linux security issues as they pertain to CVS
> >
> > Any problems with running pserver over an encrypted channel? It seems to
> > me that would be just as secure as ssh access (and, of course, just as
> > unsafe - the biggest potential security problems being the guys on both
> > ends of the channel).
>
> That more or less defeats the purpose since you usually have to have a
> real identity to establish a secure channel connection to a server in
> the first place so why not just use that channel for remote job
> execution? (unless you're talking about an IPsec VPN tunnel, but then
> you've got different issues to worry about)
No you don't. A secure channel only need authenticate the server, possibly
using an external certificate authority, a la HTTPS.
> CVS pserver on the other hand is under the full and direct control of
> the (or rather *any*) user at the other end so you cannot transfer your
> trust to the client CVS program and you cannot be sure that the person
> at the remote keyboard really is the same "joe" -- there's no secure
> link between the authentication done by the remote client computer to
> allow that user to access it and whatever might be claimed over the
> pserver channel. Therefore pserver even over a secure channel is not
> itself secure.
Which is perfectly fine and possibly even desirable when you, as CVS
administrator, have no control over the client machine anyhow. If I have root
access on the client I could use any login I wished anyhow. In other words,
you'd rather know I knew the password you gave me.
In this case the secure channel should protect you from password sniffers.
Derek
--
Derek Price CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden CollabNet ( http://collab.net )
--
Cynic: Someone who smells the flowers and looks for the casket