Re: ANN: cvssh - secure ext-to-pserver bridge

From: Jesús M. NAVARRO
Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
Date: Mon, 11 Mar 2002 14:19:19 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:0.9.8) Gecko/20020307

Hi, David:

David A. Desrosiers wrote:
Duh.  If you're doing authentication and authorisation on a unix-based
file server then you MUST, _M_U_S_T_ use a unique system account for
every real-world user or else you might as well not use any
authentication whatsoever.  Pserver has NO accountability from the
system's point of view.  None whatsoever.  Don't use pserver.  Ever.


Also, giving a user a shell, even chrooted, or blocked from the ability to log in, consumes much more process and resources on the box, and definitely scales linearly, and is open to many more exploitable holes than what pserver provides. The risk of sniffing the password is nil using pserver, since obtaining it gives the "cracker" exactly nothing. Are they going to commit code on our behalf? Unlikely. Delete a tag? We can roll back out. It's all negligible.

Not to say you are not offering some sensible insights here, but what you're saying is that your code is not a valuable asset: they can check in, but they can check out too and steal your code (wasn't it said that somebody in Russia did this with Win2000 code?). Well, if you don't mind someone else having access to your code, you could release it as open source, couldn't you?
From Zaragoza, looking for a job -
