From: becka@rz.uni-duesseldorf.de
  To  : ggi-develop@eskimo.com
  Date: Sat, 13 Feb 1999 19:30:51 +0100 (MET)

Re: CVS maintainer?

Hi !

> rsh method (with rsh=ssh) which requires one system acct per cvs acct. Do
> you know of any way to set up multiple rw accts using a strong encryption
> mechanism such as ssh or ssl? I mean, without needing one system acct per
> cvs acct?

The pserver method is not exactly "strong".

> I'd like to know how secure the password method is... Are the passwords
> crypt()ed at the cvs server's end? if so, you're transmitting passwords
> cleartext. If they are crypt()ed locally, the possibility for trojan is
> hanging right out..

The pserver method is not strong. The passwords are stored locally and
transmitted - well, not really crypted, but let's say "obfuscated".

This should be string enough for geeks routinely scanning the net with some
password grabber, but a determined snooping attack by someone who knows what
he's doing will reveal the password.

> 	Yes, berlin used to use pserver. But graydon felt insecure using it,
> so we switched. I personally agreed completely with that move ;)

Well ... depends on your need for security. Of course you shouldn't use
your logon password or something like it for pserver.

CU, ANdy

-- 
= Andreas Beck                    |  Email :  <andreas.beck@ggi-project.org> =