Dear David.
Why do you trust VPN more than the SSH?
I ask because I have just removed the "first VPN then SSH" solution in
favor for a SSH only solution using Gitosis just to get rid of the VPN
which I believe is less secure than SSH (well until I read you comments
below).
I thought I was doing something right for once but maybe I'm not?
Thanks and best regards
Martin
david@xxxxxxx wrote:
this is really a reply to an earlier message that I deleted.
the question was asked 'what would the security people like instead of
SSH'
as a security person who doesn't like how ssh is used for everything,
let me list a couple of concerns.
ssh is default allow (it lets you run any commands), you can lock it
down with effort.
ssh defaults to establishing a tunnel between machines that other
network traffic can use to bypass your system. yes I know that with
enough effort and control of both systems you can tunnel over
anything, the point is that ssh is eager to do this for you (overly
eager IMHO)
ssh depends primarily on certificates that reside on untrusted
machines. it can be made to work with tokens or such, but it takes a
fair bit of effort.
sshd runs as root on just about every system
people trust ssh too much. they tend to think that anything is
acceptable if it's done over ssh (this isn't a technical issue, but it
is a social issue)
what would I like to see in an ideal world?
something that runs as the git user, does not enable tunneling, and
only does the data transfer functions needed for a push. it should use
off-the-shelf libraries for certificate authentication and tie into
PAM for additional authentication.
the authentication would not be any better than with SSH, but the rest
would be better. I was very pleased to watch the git-daemon
development, and the emphisis on it running with minimum privilages
and provide just the functionality that was needed, and appropriately
assuming that any connection from the outside is hostile until proven
otherwise.
what would I do with current tools?
I would say that developers working from outside should VPN into the
company network before doing the push with SSH rather than exposing
the SSH daemon to the entire Internet.
in the medium term, if the git-over-http gets finished, I would like
to see a seperate cgi created to allow push as well. http is overused
as a tunneling protocol, but it's easy to setup a server that can't do
anything except what you want, so this tunneling is generally not a
threat to servers (it's a horrible threat to client systems)
David Lang
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
