Date:      Fri, 1 Jun 2001 20:32:22 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Brian Behlendorf <brian@collab.net>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID:  <20010601203222.I10477@mail.webmonster.de>
In-Reply-To: <Pine.BSF.4.31.0106010850550.679-100000@localhost>; from brian@collab.net on Fri, Jun 01, 2001 at 08:55:16AM -0700
References:  <xzpvgmgwbvv.fsf@flood.ping.uio.no> <Pine.BSF.4.31.0106010850550.679-100000@localhost>


Brian Behlendorf(brian@collab.net)@2001.06.01 08:55:16 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > You don't need passwords to run CVS against a remote repository.  All
> > you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
>
> For those who use windows and mac GUI CVS clients, pserver's a
> requirement.
>
> IMHO, passwords are neither better nor worse, necessarily, than keys, in
> authenticating to a server.  The basic difference is between "what you
> know" and "what you have".  I'm as worried about people who have poor
> password management practices, as I am about people whose home or work
> machines where their private keys are may not be the most secure.
Having read a lot of the OpenSSH sources last night (yay! finally), I
must say that PKCs are better than password-exchange- or key-transmission-
based systems in terms of security. The idea is having the public key on
the remote side, having the authenticating side sign a challenge blob of
data and transmit the response back, where it is checked against the public
key. If it matches = good; if it's garbage = noauth. The private key
itself never gets transmitted over a wire, the public key just once.
If the algorithm is really non-reversible, it should prove more secure
than every shared-secret system out there (and that's why a lot of folks
use it, I think).

/k

-- 
> Hackers do it with fewer instructions.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46

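The challenge-signing flow Karsten describes, written out as an added example (not code from this thread, from OpenSSH or from CVS). It uses Go's standard-library Ed25519: the server keeps only the public key, sends a fresh random nonce, the client signs a blob built from the nonce and sends back just the signature, and the server checks it against the stored public key. The context tag, the blob layout and the username "alice" are assumptions of this demo; OpenSSH's real format signs over the session identifier and the userauth request fields, not a bare nonce. The example also covers two failure modes a practitioner would want to see: a key the server never enrolled, and a replay of a previously accepted response.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Assumed context tag mixed into every signed blob, so a signature made for
// authentication cannot be reused as a signature over some other message.
const authContext = "demo-pubkey-auth-v1"

// Server holds only the public key (one authorized_keys entry, in effect)
// and the nonce of the challenge currently outstanding.
type Server struct {
	authorized ed25519.PublicKey
	pending    []byte // nil when no challenge is outstanding
}

// Client holds the private key; nothing in this type ever returns it.
type Client struct {
	priv ed25519.PrivateKey
}

// NewClient generates a keypair and hands back the public half, the only
// thing that crosses the wire, and only once, at enrolment.
func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// blob is what actually gets signed: context || nonce || username.
func blob(nonce []byte, user string) []byte {
	b := append([]byte(authContext), nonce...)
	return append(b, user...)
}

// Challenge draws a fresh 32-byte random nonce for one attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending = nonce
	return nonce, nil
}

// Respond signs the blob. Only the signature goes back to the server.
func (c *Client) Respond(nonce []byte, user string) []byte {
	return ed25519.Sign(c.priv, blob(nonce, user))
}

// Verify checks the response against the stored public key and the nonce the
// server issued. The nonce is consumed whether or not the signature checks
// out, so a captured response cannot be presented a second time.
func (s *Server) Verify(nonce []byte, user string, sig []byte) bool {
	if s.pending == nil || !bytes.Equal(nonce, s.pending) {
		return false
	}
	s.pending = nil
	return ed25519.Verify(s.authorized, blob(nonce, user), sig)
}

// Attempt runs one complete exchange: challenge, sign, verify.
func Attempt(srv *Server, cli *Client, user string) (bool, error) {
	nonce, err := srv.Challenge()
	if err != nil {
		return false, err
	}
	return srv.Verify(nonce, user, cli.Respond(nonce, user)), nil
}

// Scenarios exercises the cases the mail describes: the enrolled key passes,
// a key the server never saw fails, and a replayed good response fails too.
func Scenarios() (legit, impostor, replay bool, err error) {
	cli, pub, err := NewClient()
	if err != nil {
		return false, false, false, err
	}
	srv := &Server{authorized: pub}
	if legit, err = Attempt(srv, cli, "alice"); err != nil {
		return false, false, false, err
	}
	other, _, err := NewClient() // key pair with no authorized_keys entry
	if err != nil {
		return false, false, false, err
	}
	if impostor, err = Attempt(srv, other, "alice"); err != nil {
		return false, false, false, err
	}
	nonce, err := srv.Challenge()
	if err != nil {
		return false, false, false, err
	}
	sig := cli.Respond(nonce, "alice")
	srv.Verify(nonce, "alice", sig)          // genuine use: accepted
	replay = srv.Verify(nonce, "alice", sig) // same bytes again: refused
	return legit, impostor, replay, nil
}

func main() {
	legit, impostor, replay, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("enrolled key: %v, untrusted key: %v, replay: %v\n", legit, impostor, replay)
}
```

The point to take from the code is what crosses the wire: a nonce one way and a signature the other. Neither reveals the private key, and because the nonce is random and single-use, an attacker who records the exchange gets nothing they can replay. Binding a context string and the username into the signed blob is the cheap precaution that stops an authentication signature from doubling as a signature over something else.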


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010601203222.I10477>