From owner-freebsd-security  Fri Jun  1  9:23:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id 70E7A37B423
	for <freebsd-security@FreeBSD.ORG>; Fri,  1 Jun 2001 09:23:51 -0700 (PDT)
	(envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id KAA02822;
	Fri, 1 Jun 2001 10:23:42 -0600 (MDT)
	(envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost)
	by nomad.yogotech.com (8.8.8/8.8.8) id KAA05636;
	Fri, 1 Jun 2001 10:23:38 -0600 (MDT)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15127.49545.586283.574105@nomad.yogotech.com>
Date: Fri, 1 Jun 2001 10:23:37 -0600 (MDT)
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Brian Behlendorf <brian@collab.net>, Alex Holst <a@area51.dk>,
	<freebsd-security@FreeBSD.ORG>
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
In-Reply-To: <xzpvgmgwbvv.fsf@flood.ping.uio.no>
References: <Pine.BSF.4.31.0105311840420.52261-100000@localhost>
	<xzpvgmgwbvv.fsf@flood.ping.uio.no>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> > > I was surprised when I read about the compromise, because it gives the
> > > impression that people are still using passwords (as opposed to keys
> > > with passphrases) for authentication in this day and age. Is that
> > > correct? If so, why is that?
> > CVS pserver.
> 
> You don't need passwords to run CVS against a remote repository.  All
> you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.

This requires that you give the user a valid login account, unless you
use the hacks that OpenBSD uses (using a shell that only allows them to
run CVS).  Using pserver mode, you don't (necessarily) have to give them
a valid login account.



Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message