[Toolserver-l] The Norwegian toolserver

River Tarnell river at loreley.flyingparchment.org.uk
Sat Aug 1 15:46:10 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

River Tarnell:
>   in fact, since you never have to change it, or remember it, or use a
>   different one for each site, it's likely to be a lot easier.

one other problem with password authentication: many users do use the same one
for different sites, even if it's a bad idea.  if the Toolserver was
compromised, and we used Kerberos auth, an attacker could easily install a
trojaned ssh server or client which recorded every user's password, and then
use those passwords to attack other sites.  (this is how Apache.org was
compromised, except it was SF with the trojaned SSH instead of the Toolserver.)

conversely, with public keys, an evil server cannot do anything to compromise
the security of the private key, since it's never sent to the server.

	- river.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (HP-UX)

iEYEARECAAYFAkp0Y0IACgkQIXd7fCuc5vI5FgCeN0w461/O1v5AGtLouVPPP5kp
zgAAn2ANR0y/wFRL7d8fUYXuzZCdWC2a
=KpQo
-----END PGP SIGNATURE-----
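
Added example (not part of the original message): a minimal Python simulation of what a compromised server gets to record under password login versus public-key login. The `Server` class, the user name, the password and the toy Schnorr signature over integers mod 2^255 - 19 are all assumptions made for illustration; the toy scheme stands in for a real SSH key signature, which likewise covers a per-connection session identifier.

```python
import hashlib, secrets

# Toy Schnorr signatures mod a well-known prime (illustration only, not for
# real use). Exponents are reduced mod P - 1, which is valid for any base.
P, G = 2**255 - 19, 2

def _h(r, msg):
    data = r.to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 3) + 2       # private key, never leaves the client
    return x, pow(G, x, P)                 # (private, public)

def sign(x, msg):
    k = secrets.randbelow(P - 3) + 2       # fresh nonce for every signature
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * x) % (P - 1)

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(y, _h(r, msg), P)) % P

class Server:
    """Hypothetical server; `seen` is what a trojaned sshd could record."""
    def __init__(self, passwords, pubkeys):
        self.passwords, self.pubkeys, self.seen = passwords, pubkeys, []

    def password_login(self, user, password):
        self.seen.append(password)                 # the secret itself arrives
        return self.passwords.get(user) == password

    def new_session(self):
        return secrets.token_bytes(32)             # fresh per-connection id

    def pubkey_login(self, user, session_id, sig):
        self.seen.append(sig)                      # only a signature arrives
        return verify(self.pubkeys[user], session_id + user.encode(), sig)

def demo():
    priv, pub = keygen()
    bad = Server({"alice": "hunter2"}, {"alice": pub})     # compromised host
    other = Server({"alice": "hunter2"}, {"alice": pub})   # same password/key reused
    assert bad.password_login("alice", "hunter2")
    sid = bad.new_session()
    assert bad.pubkey_login("alice", sid, sign(priv, sid + b"alice"))
    stolen_password, stolen_sig = bad.seen
    return (other.password_login("alice", stolen_password),                # True
            other.pubkey_login("alice", other.new_session(), stolen_sig))  # False
```

The recorded password works at the second site because the secret itself was transmitted; the recorded signature does not, because it is bound to the first server's session identifier and the private key never left the client.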


