bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2


From: Mark D. Baushke
Subject: Re: PAM authentication patch - v2
Date: Wed, 16 Apr 2003 00:54:05 -0700

Brian Murphy <address@hidden> writes:

> Mark D. Baushke wrote:
> 
> >I doubt I can convince you of how evil it is to send passwords in the
> >clear for your :pserver: connections to cvs. I just shudder to think of
> >folks seeing that cvs support PAM and thinking for some reason that it
> >is not leaking their passwords in a large number of ways.
> >
> >
> PAM also works with telnet. I don't think anyone thinks a PAM enabled login
> via telnet is any more secure than an ordinary passwd based login.

Some telnet versions allow for encryption either using SSL or are
GSSAPI-based.

In addition, there are many security pages documenting the 'evils' of
using telnet and suggesting that all right-minded people move to a
secure remote connection mechanism of some kind.

It should also be noted that folks have spend a bit of effort trying to
remove security flaws from telnet and telnetd and that a similar such
effort has not been contemplated for cvs which is inherently NOT secure.

        -- Mark




reply via email to

[Prev in Thread] Current Thread [Next in Thread]