[ On Wednesday, August 9, 2000 at 14:32:47 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> Is it as easy for a WinCVS user to set up ssh as it is to set up pserver?

It should be -- if they don't already have SSH installed they're already
long behind the game.

> The answer is still NO. You have to install lots of extra software in 
> very specific ways and set up some weirdly configured stuff. Talk to me
> again when the configuration is built into WinCVS.

It's not really a WinCVS issue since it's a separate tool that's only
called upon by CVS, which is called upon by WinCVS.  In any case it's
not "lots of extra software" -- it's one more program, and it's not very
hard to configure either.

In any case it's not a question of "easy", but rather one of doing the
right and necessary things.  It's easier to simply not do anything.
It's easier to avoid authentication in the first place.  It would be
easier for me not to try to do the ethical thing and simply ignore
the problems you cause yourself and others.

> So you say, but under careful analysis your position doesn't hold up. We
> went through every risk I might possibly face and I showed you in every case 
> that the risk was acceptable. I'm sure there are other people in the same
> situation as I am. 

NO, "We" did not go through a risk analysis, and I did not agree that
every risk was acceptable given your costs and the apparent value of
your project.  In fact *I* did nothing of the sort.

> > However if I
> > were to solicit services from more anonymous volunteers I would move
> > that server onto a machine where I would not risk things that I could
> > not trust such volunteers to avoid messing with.  Other than that though
> > I'd still require SSH for commit access and I'd still do independent
> > mechanical audits of all changes.
> 
> But, in that case, what have you gained beyond a secure pserver?

Well first of all I've not gained a secure cvspserver -- that's an
oxymoron, an impossibility.  However with SSH on a dedicated system you
have something that cannot be attacked by an unauthorised user!

> An 
> attacker can get an account easily enough just for asking, so they really
> don't need to attack the transport layer to discover passwords.

No, they couldn't -- there's still the issue of establishing identity
and trust, and there's also that little matter of accountability that
you seem to be so very good at forgetting.  TANSTAAFL.

> Sure, you could chroot your ssh setup too.. but you have always argued
> vigorously against using chroot.

Chroot buys you very little if you've done everything else you need to
do and since it's "hard" to set up right it's usually much more secure
to simply design a solution that doesn't require it!

> If I move to ssh, I will definitely still be using chroot. Even on a 
> box where there's nothing else important there is no justification for 
> giving away full fledged shells to people who don't need them.

If you think that's necessary then you probably haven't included
integrity checks and accountability in your equation.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>

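The "SSH for commit access, no chroot, no full shell, plus accountability" design argued for in this message can be realised with OpenSSH's forced-command mechanism. The script below is an added example, not code from this thread or from CVS; it assumes a hypothetical install path (`/usr/local/bin/cvs-only`), a hypothetical audit-log path (`/tmp/cvs-only.log`, overridable through `CVS_LOG`) and a hypothetical `CVS_ONLY_LIB` switch. The `command=`, `no-pty`, `no-port-forwarding` key options and the `SSH_ORIGINAL_COMMAND` variable are real OpenSSH features; `CVS_RSH=ssh` and the `:ext:` access method are real CVS features.

```shell
#!/bin/sh
# cvs-only: hypothetical forced-command wrapper for a CVS server reached over SSH.
#
# Server side, in ~cvs/.ssh/authorized_keys (one line per committer; key elided):
#   command="/usr/local/bin/cvs-only alice",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... alice@example.org
# Client side (WinCVS or command line), with no pserver password anywhere:
#   CVS_RSH=ssh cvs -d :ext:alice@cvs.example.org:/repo checkout project
#
# Whatever the client asks to run arrives in $SSH_ORIGINAL_COMMAND; the only
# thing a :ext: client ever runs is "cvs server", so that is all we allow.
# Every request, allowed or not, is logged with the key owner's name, which
# is the accountability record a pserver password can never give you.

CVS_LOG=${CVS_LOG:-/tmp/cvs-only.log}   # hypothetical audit log location

# cvs_only_allowed REQUEST
# Return 0 only for the exact string "cvs server"; anything else (a shell,
# "cvs server; sh", an empty command meaning "give me a login shell") is refused.
cvs_only_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# cvs_only_gate USER REQUEST
# Append an ALLOW/DENY line to the audit log and return 0 (run it) or 1 (refuse).
cvs_only_gate() {
    who=$1
    req=$2
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if cvs_only_allowed "$req"; then
        printf '%s ALLOW %s %s\n' "$stamp" "$who" "$req" >> "$CVS_LOG"
        return 0
    fi
    printf '%s DENY %s %s\n' "$stamp" "$who" "$req" >> "$CVS_LOG"
    return 1
}

# Entry point when sshd invokes us: $1 is the user name from the key's
# command= option, the requested command comes from the environment.
# CVS_ONLY_LIB=1 lets the file be sourced for testing without running this.
if [ -n "$SSH_ORIGINAL_COMMAND" ] && [ "${CVS_ONLY_LIB:-0}" != 1 ]; then
    if cvs_only_gate "${1:-unknown}" "$SSH_ORIGINAL_COMMAND"; then
        exec cvs server
    fi
    echo "cvs-only: only 'cvs server' is permitted for this key" >&2
    exit 1
fi
```

Because the key carries `no-pty` and the forced command, the committer never gets an interactive shell on the box even though the account exists, and the SSH key itself identifies who made each request; that is the shell-free, chroot-free arrangement the message describes. An expired or stolen key is revoked by deleting one line from `authorized_keys`.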