From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Brian Behlendorf <brian@collab.net>
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Date: Fri, 1 Jun 2001 20:32:22 +0200
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601203222.I10477@mail.webmonster.de>
In-Reply-To: ; from brian@collab.net on Fri, Jun 01, 2001 at 08:55:16AM -0700
User-Agent: Mutt/1.2.5i

Brian Behlendorf(brian@collab.net)@2001.06.01 08:55:16 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > You don't need passwords to run CVS against a remote repository. All
> > you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.
>
> For those who use windows and mac GUI CVS clients, pserver's a
> requirement.
>
> IMHO, passwords are neither better nor worse, necessarily, than keys, in
> authenticating to a server. The basic difference is between "what you
> know" and "what you have". I'm as worried about people who have poor
> password management practices, as I am about people whose home or work
> machines where their private keys are may not be the most secure.

having read a lot of the openssh sources last night (yay! finally) i must
say that pkcs are better than password exchange or key transmission based
systems in terms of security. the idea is having the public key on the
remote side, having the authenticating side sign a challenge blob of data
and xmit the response back where it is checked against the public key. if
it matches = good, if it's garbage = noauth. the private key itself never
gets transmitted over a wire, the public key just once. if the algorithm is
really non-reversible it should prove more secure than every shared secret
system out there (and that's why a lot of folks use it i think).

/k
-- 
> Hackers do it with fewer instructions.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
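The challenge-signing model described in the reply above, written out as an added example for this page (it is not code from OpenSSH, from Karsten, or from anyone else in the thread): the server keeps only the public key, hands out a random blob, the client signs it with a private key that never leaves the client, and the server checks the signature against the stored public key. Ed25519 from Go's standard library is an assumption of convenience; real SSH public-key userauth signs over the session identifier and the userauth request fields rather than a bare server-chosen nonce, but the property being argued in the thread, that no secret crosses the wire and the public key is transferred once, is the same. The names Server, Client, alice and RunExchange are made up here. The third attempt shows why the challenge has to be fresh each time: a captured signature is useless against the next one, which is the replay resistance a static shared secret cannot offer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys (think authorized_keys) and the challenge
// most recently handed to each user.
type Server struct {
	authorized map[string]ed25519.PublicKey
	pending    map[string][]byte
}

// Authorize is the one-time transfer of the public key to the remote side.
func (s *Server) Authorize(user string, pub ed25519.PublicKey) {
	s.authorized[user] = pub
}

// Challenge hands the client a fresh random blob to sign. A new blob for
// every attempt is what stops a captured response from being replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.authorized[user]; !ok {
		return nil, errors.New("no key authorized for user")
	}
	blob := make([]byte, 32)
	if _, err := rand.Read(blob); err != nil {
		return nil, err
	}
	s.pending[user] = blob
	return blob, nil
}

// Verify checks the signature over the outstanding challenge against the
// stored public key. The challenge is consumed either way, so each one can
// be answered at most once.
func (s *Server) Verify(user string, sig []byte) bool {
	blob, ok := s.pending[user]
	delete(s.pending, user)
	return ok && ed25519.Verify(s.authorized[user], blob, sig)
}

// Client keeps the private key; nothing here ever returns it.
type Client struct{ priv ed25519.PrivateKey }

// NewClient generates a key pair and returns the public half for enrolment.
func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Respond signs the challenge; only the signature crosses the wire.
func (c *Client) Respond(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// RunExchange plays three attempts against one server and returns their
// verification results: the genuine key holder, a party holding a
// different key, and a replay of the genuine signature on a new challenge.
func RunExchange() (genuine, wrongKey, replay bool, err error) {
	srv := &Server{authorized: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	alice, alicePub, err := NewClient()
	if err != nil {
		return
	}
	srv.Authorize("alice", alicePub)

	// 1. Genuine holder of the enrolled private key.
	ch, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig := alice.Respond(ch)
	genuine = srv.Verify("alice", sig)

	// 2. A different private key answering alice's challenge.
	other, _, err := NewClient()
	if err != nil {
		return
	}
	if ch, err = srv.Challenge("alice"); err != nil {
		return
	}
	wrongKey = srv.Verify("alice", other.Respond(ch))

	// 3. The earlier genuine signature replayed against a fresh challenge.
	if _, err = srv.Challenge("alice"); err != nil {
		return
	}
	replay = srv.Verify("alice", sig)
	return
}

func main() {
	g, w, r, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine key: %v, wrong key: %v, replayed signature: %v\n", g, w, r)
}
```

Running it prints `genuine key: true, wrong key: false, replayed signature: false`. Note where the remaining risk sits in this model, which is the point Brian raises: the server never sees the private key, so the weak spot moves from the wire and the server's password store to the machine holding the key file, which is why a passphrase on the key and a sane permission mode on it still matter.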