[EMAIL PROTECTED] on 2000.07.17 15:22:05
>Is there some reason I shouldn't view this as a security hole?  Without
>debating the lack of real security in pserver mode already, an open source
>client such as CVS's is so easily hackable that a sensitive system becomes
>even more insecure.  User X can easily log in and make changes which will be
>logged as having been made by user Y.

This would only be possible if User X already had permissions into the
repository.  Also, the way it stands now, CVS doesn't have any information as to
who really did the operation -- all it records is the username as it exists on
the server.

The basic philosophy of CVS is to trust the developers, so no one should be
hacking CVS to commit stuff as someone else.

>I can see using a trusted authentication system to set the variable, but use
>the CVS client???

Yes, I would much prefer this but I didn't have the resources to achieve it.

>I think even hacking SSH to do this is fairly insecure, as there is no way
>that I know of to verify that the SSH client is "pure" and it can only
>authenticate that key and user are valid on a server machine.  Therefore, if
>an SSH client authenticates on the server as the generic user and sends a
>simple "my name is X" from a particular machine, there is no way to know that
>the user is really X on that machine.  And that doesn't even take into
>consideration the nightmare of a user setting up a clean machine and adding
>any user ids to it that they'd care to and connecting from there.  I imagine
>that if SSH servers could authenticate against each other and verify their
>and their users' identities something might be riggable.  Is that possible as
>things stand?

This is one of the reasons why I decided to hack CVS instead of SSH.  I figured
a security hole in a product not meant to be secure was better than one in a
product that was meant to be secure (even though the insecurity resides in the
fact that the software advertises that it knows something that it can't be sure
of).

Noel


