users to do things such as transforming a server into a gateway. For
instance, it is clearly specified that it is the local host (client)
that got a port forwarded, not that the server is to forward commands
or else.

     -L port:host:hostport
             Specifies that the given port on the local (client) host is to be
             forwarded to the given host and port on the remote side.  This
             works by allocating a socket to listen to port on the local side,
             and whenever a connection is made to this port, the connection is
             forwarded over the secure channel, and a connection is made to
             host port hostport from the remote machine.  Port forwardings can
             also be specified in the configuration file.  Only root can for-
             ward privileged ports.  IPv6 addresses can be specified with an
             alternative syntax: port/host/hostport.


So, to sum up:
    - I do not think port forwarding could lead to a security breach
    - Even if it was the case, I do not think the content of
    authorized_keys would do any good because what is checked is the
    command asked, "cvs server"
    - I do not think it makes sense to rely on the content of users' ~/ to
    secure the systems. I'm not saying users are entitled to a ~/
    modifiable directly (on gna, users have basically no way to modify
    the content of their ~/ apart from using the web frontend) but I doubt any
    well written software was designed to permit being secured by
    setting content in a directory that is by default user writable.


>
>> > - SSH keys are recreated:
>> >
>> >   * if the user_name contains a comma (,) - I'll fix this after the
>> >     branch is merged, as promised some months ago
>> 
>> But if user_name contains a comma, there's a bug, as it is not
>> legitimate in a unix name, is it?
>
> *cough* If the _realname_ contains a comma (eg Thomas Bushnell, BSG).

That was my guess :)



-- 
Mathieu Roy

  +---------------------------------------------------------------------+
  | General Homepage:           http://yeupou.coleumes.org/             |
  | Computing Homepage:         http://alberich.coleumes.org/           |
  | Not a native english speaker:                                       |
  |     http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english  |
  +---------------------------------------------------------------------+
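
The message above turns on what an authorized_keys entry can and cannot restrict when the forced command is "cvs server". As an added example (not part of the original message or of the project's code), this Python sketch parses the options field of authorized_keys lines and reports entries lacking a forced command or a port-forwarding restriction. It relies on the OpenSSH options `command=`, `no-port-forwarding`, `restrict` and `port-forwarding`; the function names and sample entries are assumptions made up for illustration.

```python
# Added example: audit authorized_keys entries (constructed sample data).
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def parse_options(line):
    """Return the options field of one authorized_keys line as a dict.
    Options are comma-separated; quoted values may hold commas and spaces."""
    line = line.strip()
    if line.split(None, 1)[0].startswith(KEY_PREFIXES):
        return {}                      # line starts with the key type: no options
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line[i:i + 2] == '\\"':
            buf += '"'                 # escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append(buf)
            buf = ""
        elif ch in " \t" and not in_quote:
            break                      # whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return {name.lower(): value
            for name, _, value in (o.partition("=") for o in opts)}

def audit(line, expected_command="cvs server"):
    """List the restrictions missing from one authorized_keys entry."""
    opts = parse_options(line)
    findings = []
    if opts.get("command") != expected_command:
        findings.append("forced command missing or different")
    # Conservative: an explicit port-forwarding option counts as enabled.
    disabled = (("restrict" in opts or "no-port-forwarding" in opts)
                and "port-forwarding" not in opts)
    if not disabled:
        findings.append("port forwarding not disabled")
    return findings

SAMPLE = [  # constructed entries, not real keys
    'command="cvs server",no-port-forwarding,no-pty ssh-rsa AAAAplaceholder alice',
    'ssh-rsa AAAAplaceholder bob',
    'command="cvs server" ssh-ed25519 AAAAplaceholder Thomas Bushnell, BSG',
    'restrict,command="cvs server" ssh-ed25519 AAAAplaceholder dave',
]
```

The third sample entry carries a comma in its comment field, which the parser ignores because the options field ends at the first unquoted whitespace.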
