* Dimitri Maziuk [EMAIL PROTECTED] [2001.11.29 16:16:48-0600]:
You are still missing the point. Hopefully, you've read my post by
now, but I'll reiterate.
CVS documentation states that pserver plus write access to CVS
repository can be subverted to execute arbitrary code on the
server. The
On Thu, Nov 29, 2001 at 04:09:53AM +0100, martin f krafft wrote:
* Dimitri Maziuk [EMAIL PROTECTED] [2001.11.28 10:44:02-0600]:
Bull. Give me one reason why it sucks. It's the way of giving them
anonymous cvs access without too much hassle. Or do you believe
that
On Thu, Nov 29, 2001 at 09:47:17AM -0600, Dave Sherohman wrote:
| On Thu, Nov 29, 2001 at 04:09:53AM +0100, martin f krafft wrote:
| Yes, and you also have one to one key-user map, so the setup is not
| anonymous. Which may not be a good thing.
|
| so then give me a way to figure out
* Dave Sherohman [EMAIL PROTECTED] [2001.11.29 09:47:17-0600]:
...all of which is not a detriment to a key which is being used to
establish _anonymous_ access. If it was intended for authenticated
access by a trusted user or users, then you're absolutely correct.
Dimitri, however, is
* dman ([EMAIL PROTECTED]) spake thusly:
...
What is insecure about pserver, if you have anonymous access?
To quote TFCVSM, once a user has non-read-only access to
repository, she can execute programs on the server system
through a variety of means. Read section 2.9.3.3 --
Security
* martin f krafft ([EMAIL PROTECTED]) spake thusly:
...
okay, so potentially *everyone* has access to the data, then you may
just as well run pserver as nobody, since you only give out read-only
access... why the hassle of ssh in the first place.
...
you can surely do it, but i was addressing
* Dimitri Maziuk ([EMAIL PROTECTED]) spake thusly:
...
Well, yeah. The difference is mainly in user's perception: in one
case you don't give your e-mail/password/private key/whatever out
to the Evil Big Brother CVS Repository(tm), in the other, you do.
Make that public key.
Dima
--
We're
* Eric G. Miller egm2@jps.net [2001.11.27 19:41:23-0800]:
Don't you mean the *public* key? In fact, don't you want
the server to have the public key of the user, and then that
user has to use their private key and their passphrase to
authenticate themselves to the CVS server via ssh? I'm on
On Tue, Nov 27, 2001 at 10:08:57AM -0800, Peter Jay Salzman wrote:
joey, i have no problem with plain text passwords.
just as long as they can't get _shell access_ with that password.
Hi,
I'd just like to point out one thing that I didn't see in this thread
earlier: if you have write
* Eric G. Miller (egm2@jps.net) spake thusly:
On Tue, 27 Nov 2001 10:14:21 -0600
Dimitri Maziuk [EMAIL PROTECTED] wrote:
[snip]
Yes, pserver sends everything in the clear and all that.
Edit /etc/shadow and set your cvsuser's password to NP
(or whatever Debian uses to disable logins).
* martin f krafft ([EMAIL PROTECTED]) spake thusly:
...
that's a good point. you can either generate a keypair on the server
and distribute the private key to multiple people, or you can create a
keypair per user and add all those public keys to authorized_keys(2).
there is no question that
* Dimitri Maziuk [EMAIL PROTECTED] [2001.11.28 10:44:02-0600]:
Bull. Give me one reason why it sucks. It's the way of giving them
anonymous cvs access without too much hassle. Or do you believe
that letting them have *a private key* is bad because it's called
private? It's just a word, you
i'd like to make some code available to collaborators via cvs. it appears
that i have a choice to make:
1. use pserver
2. use ext (ssh)
i just found out that using method 2, you can't assign a shell of /bin/false.
cvs won't work. so option 2 also means giving a shell account on my
machine.
* Peter Jay Salzman ([EMAIL PROTECTED]) spake thusly:
i'd like to make some code available to collaborators via cvs. it appears
that i have a choice to make:
1. use pserver
2. use ext (ssh)
i just found out that using method 2, you can't assign a shell of /bin/false.
cvs won't work.
Peter Jay Salzman wrote:
i just found out that using method 2, you can't assign a shell of /bin/false.
cvs won't work. so option 2 also means giving a shell account on my
machine.
Read http://kitenet.net/programs/sshcvs
any thoughts? is pserver really as insecure as dpkg claims in the
begin: Joey Hess [EMAIL PROTECTED] quote
Peter Jay Salzman wrote:
i just found out that using method 2, you can't assign a shell of
/bin/false.
cvs won't work. so option 2 also means giving a shell account on my
machine.
Read http://kitenet.net/programs/sshcvs
any thoughts? is
On Tue, Nov 27, 2001 at 10:08:57AM -0800, Peter Jay Salzman wrote:
| begin: Joey Hess [EMAIL PROTECTED] quote
| Peter Jay Salzman wrote:
| i just found out that using method 2, you can't assign a shell
| of /bin/false. cvs won't work. so option 2 also means giving
| a shell account on my
Peter Jay Salzman writes:
begin: Joey Hess [EMAIL PROTECTED] quote
Peter Jay Salzman wrote:
Read http://kitenet.net/programs/sshcvs
It uses plain-text passwords, which is pretty insecure, yes.
joey, i have no problem with plain text passwords.
just as long as they can't
Peter Jay Salzman wrote:
joey, i have no problem with plain text passwords.
just as long as they can't get _shell access_ with that password.
But getting access to your CVS is okay? Might as well not bother securing
it at all, then.
Craig
* Craig Dickson [EMAIL PROTECTED] [2001.11.27 10:28:10-0800]:
But getting access to your CVS is okay? Might as well not bother securing
it at all, then.
uhm, hello? yes, it is necessary. with ssh, only those with the
identity file can get access to the cvs. without cvs, anyone willing
to
martin f krafft wrote:
* Craig Dickson [EMAIL PROTECTED] [2001.11.27 10:28:10-0800]:
But getting access to your CVS is okay? Might as well not bother securing
it at all, then.
uhm, hello? yes, it is necessary. with ssh, only those with the
identity file can get access to the cvs. without
* Craig Dickson [EMAIL PROTECTED] [2001.11.27 15:06:00-0800]:
That was my point. If he's going to allow passwords to cross the net in
clear, then having passwords isn't really securing anything. Accessing
cvs in an ssh tunnel is the way to go.
okay, sorry, then i misunderstood you.
What
On Tue, 27 Nov 2001 10:14:21 -0600
Dimitri Maziuk [EMAIL PROTECTED] wrote:
[snip]
Yes, pserver sends everything in the clear and all that.
Edit /etc/shadow and set your cvsuser's password to NP
(or whatever Debian uses to disable logins). Let your
users download the *private* key of cvsuser.