Re: is gitosis secure?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

this is really a reply to an earlier message that I deleted.
the question was asked 'what would the security people like instead of SSH'
as a security person who doesn't like how ssh is used for everything, let me list a couple of concerns.
ssh is default allow (it lets you run any commands), you can lock it down with effort.
ssh defaults to establishing a tunnel between machines that other network traffic can use to bypass your system. yes I know that with enough effort and control of both systems you can tunnel over anything, the point is that ssh is eager to do this for you (overly eager IMHO)
ssh depends primarily on certificates that reside on untrusted machines. it can be made to work with tokens or such, but it takes a fair bit of effort. 

sshd runs as root on just about every system
people trust ssh too much. they tend to think that anything is acceptable if it's done over ssh (this isn't a technical issue, but it is a social issue) 


what would I like to see in an ideal world?
something that runs as the git user, does not enable tunneling, and only does the data transfer functions needed for a push. it should use off-the-shelf libraries for certificate authentication and tie into PAM for additional authentication.
the authentication would not be any better than with SSH, but the rest would be better. I was very pleased to watch the git-daemon development, and the emphisis on it running with minimum privilages and provide just the functionality that was needed, and appropriately assuming that any connection from the outside is hostile until proven otherwise. 


what would I do with current tools?
I would say that developers working from outside should VPN into the company network before doing the push with SSH rather than exposing the SSH daemon to the entire Internet.
in the medium term, if the git-over-http gets finished, I would like to see a seperate cgi created to allow push as well. http is overused as a tunneling protocol, but it's easy to setup a server that can't do anything except what you want, so this tunneling is generally not a threat to servers (it's a horrible threat to client systems) 

David Lang
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux