Date: Fri, 1 Jun 2001 10:23:37 -0600 (MDT)
From: Nate Williams <nate@yogotech.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Brian Behlendorf <brian@collab.net>, Alex Holst <a@area51.dk>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <15127.49545.586283.574105@nomad.yogotech.com>
In-Reply-To: <xzpvgmgwbvv.fsf@flood.ping.uio.no>
References: <Pine.BSF.4.31.0105311840420.52261-100000@localhost> <xzpvgmgwbvv.fsf@flood.ping.uio.no>

> > > I was surprised when I read about the compromise, because it gives the
> > > impression that people are still using passwords (as opposed to keys
> > > with passphrases) for authentication in this day and age. Is that
> > > correct? If so, why is that?
> >
> > CVS pserver.
>
> You don't need passwords to run CVS against a remote repository. All
> you need is 'CVSROOT=user@server:/path/to/repo' and 'CVS_RSH=ssh'.

This requires that you give the user a valid login account, unless you
use the hacks that OpenBSD uses (using a shell that only allows them to
run CVS).

Using pserver mode, you don't (necessarily) have to give them a valid
login account.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
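
The CVS-only account idea mentioned in the message above, sketched as an added example (not part of the original e-mail, and not OpenBSD's actual setup): an SSH forced-command wrapper that lets a key run only `cvs server`, which is the command a CVS client sends when `CVS_RSH=ssh`. The wrapper path, the function names and the sample requests are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical forced-command gate for CVS-over-SSH accounts (constructed example).
# Assumed wiring in ~/.ssh/authorized_keys; the wrapper path is a placeholder:
#   command="/usr/local/libexec/cvs-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <key-type> <public-key>
# With a forced command, sshd passes what the client asked for in
# SSH_ORIGINAL_COMMAND instead of running it.

# cvs_gate_decision REQUEST
# Prints "allow" only for the exact string "cvs server"; everything else,
# including an empty request (interactive login), is "deny". The request is
# compared as a string and never evaluated, so "cvs server; id" is denied.
cvs_gate_decision() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# cvs_gate_main
# What the wrapper does when installed as the forced command: run a fixed
# command line, never the client-supplied one.
cvs_gate_main() {
    requested="${SSH_ORIGINAL_COMMAND-}"
    if [ "$(cvs_gate_decision "$requested")" = allow ]; then
        exec cvs server
    fi
    echo "cvs-gate: only 'cvs server' is permitted on this account" >&2
    return 1
}

# Demonstration on constructed requests. In a deployed wrapper this loop is
# replaced by a single call to cvs_gate_main.
for sample in "cvs server" "" "/bin/sh" "cvs server; id" "cvs -d /tmp/x server"; do
    printf '%-24s -> %s\n' "[$sample]" "$(cvs_gate_decision "$sample")"
done
```

The account behind such a key still exists on the server, as the message notes; the gate only narrows what that key can do with it.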