[ On Monday, June 5, 2000 at 14:38:05 (-0400), Noel L Yap wrote: ]
> Subject: SRP implementation in CVS
>
> Has anyone thought of implementing SRP in CVS? FYI, SRP stands for Secure
> Remote Password.

IN? That's not the way it works Noel! Keep the security gunk OUT of
CVS! ;-)

It should be used as a wrapper -- it would open the connection securely
and would be used with CVS_RSH. It may already be useable, just like
SSH is, if you can find someone who's already linked it into either the
standard rsh/rlogin/rcp suite, or someone who's added it as a new
authentication method for SSH itself. (Both ideas have been discussed
on the SRP mailing list, but I'm not aware if anyone's actually done
either or not.)

> The protocol enables password authentication without sending
> passwords through the wire either in plaintext or encrypted. I'm thinking this
> protocol, coupled with cookie (ie .cvspass) aging, would greatly increase the
> security of pserver.

No, it wouldn't, at least not without keeping the connection initiation,
authentication, and authorisation completely separate from CVS itself.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>