From: Nate Williams
Date: Fri, 1 Jun 2001 10:23:37 -0600 (MDT)
To: Dag-Erling Smorgrav
Cc: Brian Behlendorf, Alex Holst
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <15127.49545.586283.574105@nomad.yogotech.com>
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG

> > > I was surprised when I read about the compromise, because it gives the
> > > impression that people are still using passwords (as opposed to keys
> > > with passphrases) for authentication in this day and age. Is that
> > > correct? If so, why is that?
> > CVS pserver.
>
> You don't need passwords to run CVS against a remote repository. All
> you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.

This requires that you give the user a valid login account, unless you use the hacks that OpenBSD uses (using a shell that only allows them to run CVS).

Using pserver mode, you don't (necessarily) have to give them a valid login account.
Nate
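
The "shell that only allows them to run CVS" idea from the message above, sketched as an added example: it is not part of the original post and is not OpenBSD's actual code. The script name `cvs-only-sh`, its install path, and the function names are hypothetical; it assumes the client uses `CVS_RSH=ssh`, so that sshd invokes the account's login shell as `<shell> -c "cvs server"`.

```shell
#!/bin/sh
# Added example: a login shell that permits only "cvs server" over ssh.
# Hypothetical install path: /usr/local/libexec/cvs-only-sh, listed in
# /etc/shells and set as the shell of each CVS-only account.

# sshd runs a remote command as:  <login shell> -c "<command string>"
# A CVS client with CVS_RSH=ssh requests the command string "cvs server".
cvs_only_allowed() {
    # Exactly two arguments: the -c flag and the requested command.
    # An interactive login arrives with no arguments and is refused.
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    # Exact string match: no prefixes, no extra arguments, and no shell
    # metacharacters can ride along ("cvs server; sh" is rejected).
    [ "$2" = "cvs server" ] || return 1
    return 0
}

cvs_only_main() {
    if cvs_only_allowed "$@"; then
        # Fixed PATH and a literal command line: nothing sent by the
        # client is ever handed to a shell for evaluation.
        # (Adjust PATH if cvs is installed elsewhere.)
        PATH=/usr/bin:/bin
        export PATH
        exec cvs server
    fi
    echo "This account may only be used for CVS access." >&2
    exit 1
}

# Act as a shell only when installed under the hypothetical name, so the
# file can also be sourced or run elsewhere to exercise the check.
case "$0" in
    *cvs-only-sh) cvs_only_main "$@" ;;
esac
```

A restricted login shell limits which command runs, but it does not by itself turn off other ssh features such as port forwarding; those are controlled in `sshd_config` (for example `AllowTcpForwarding`).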