Subject: Re: sshd at anoncvs.netbsd.org broke?
To: gabriel rosenkoetter <email@example.com>
From: Tracy Di Marco White <firstname.lastname@example.org>
Date: 06/27/2002 12:09:42
gabriel rosenkoetter <email@example.com> wrote:
}First off, hope it's not got ChallengeResponseAuthentication set to
}"yes" (note that you have to *force* this to no!):
}grappa:dist/ssh# telnet anoncvs.netbsd.org 22
}Connected to anoncvs.netbsd.org.
}Escape character is '^]'.
}That aside, I'd kind of like to do a cvs update, but:
}grappa:dist/ssh# cat CVS/Root
}grappa:dist/ssh# echo $CVS_RSH
}grappa:dist/ssh# ssh -V
}OpenSSH_3.2 NetBSD_Secure_Shell-20020422, SSH protocols 1.5/2.0, OpenSSL 0x=
}grappa:dist/ssh# cvs update -dP
}ssh_exchange_identification: Connection closed by remote host
}cvs [update aborted]: end of file from server (consult above messages if an=
}pserver works, but is obviously less desirable (especially for
}things like src/crypto/dist/ssh, which is what I'm trying to update
}in this example), since it's susceptible to mitm attacks.
}What REALLY scares me about this is that I really doubt that
}ChallengeResponseAuthentication is set to "no" on
}anoncvs.netbsd.org, since it is, to all appearances, an otherwise-
}default install. If that's the case, then what assurance does the
}public have that these sources haven't been tampered with?
We're paranoid. We've never trusted anonymous cvs over openssh, because
there will be holes. Nothing has the ability to get into what you see
as anoncvs.netbsd.org and write or change anything. Nonetheless, on
what appears as anoncvs.netbsd.org, ChallengeResponseAuthentication is
set to no.
What matters to you is that where real people can change the machine,
ChallegeResponseAuthentication is also set to no.
Unfortunately, the problems annouced recently have severely impacted
the performance of the machine (every one is upgrading, so it's busy)
and connections are slow when they work.