Re: Authentication without clear password on the network

[Greg A. Woods]

BTW, I really do not appreciate your use of a bogus e-mail address,
especially when you give no hint as to how a human might concoct
a valid e-mail address for contacting you.  This forum is primarily a
mailing list, not a newsgroup.


[ On Tuesday, July 6, 2004 at 12:42:33 (+0200), Yves Martin wrote: ]
> Subject: Re: Authentication without clear password on the network
>
>  My constraints are oriented to reduce administrative tasks:
> 
>  - no system user on the UNIX server (there is no need for CVS
>    features indeed - only the "log name" should be kept for the author
>    field in RCS files)

You cannot, by definition, have any real security in your audit trail
unless the identities recorded therin are unique _system_ level
identities that your authentication system can verifiably be shown to
have successfully authenticated and authorized to use the service being
audited.

CVS and RCS underneath it were desgined to work within the unix security
model where each user has a unique system identity.  Secure network
access to any CVS repository relies on the fact that the client and
server hosts can securely communicate to each other the identity of a an
authenticated and authorised user.  Without this trust, e.g. as it is
established by properly used SSH, there is no accountability in the CVS
repository being accessed.

No use of cvspserver can ever provide any sufficient level of
accountability, especially not to anyone who would be concerned with
passwords being used in the clear on the network.


>  As far as I'm using the PAM SMB only for the CVS authentication, I do
>  not break the UNIX security. The virtual 'cvs' user only access CVS
>  files. In fact there is no human user connected to the machine but
>  only a client/server CVS service.

There is no security in having one authorisation service hand an
identity over to another if the latter has no concept of that identifier
bbeing a system identity it would recognize and that it could trust had
been authenticated, regardless of whether the handover of this
identifier can be done securely or not.

>  Current status:
>  - The CVS server is used only in the enterprise network. So there is
>    no need to be so secured but it is better that passwords are not
>    sent as clear text (pserver currently !).

82% of all security incidents are internal.  :-)

>  My objections about SSH:
> 
>  - SSH needs a system user per human user and it is too much job to
>    maintain.

That whole statement is self-contradictory and the very idea behind it
is incomprehensible to me.

Obviously SSH needs unique system identities per human users -- that's
its primary purpose and it does in fact conform to the unix security
model it operates within.

If you think maintaining account information for system users is too
much work then why are you bothering with any security at all!?!?!?!?


>  - SSH needs to generate certificats and install public keys. It is
>    the only way to use SSH with WinCVS - another "too much job" for
>    users.

Huh?  Not the way I use it.  :-)

>  My issue now concerns clear text passwords on the network.

Ah, so you are worried about security on the enterprise intranet.  ;-)

(as you well should be!  :-)

-- 
                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>