[cvsnt] pserver && encryption
Tony Hoyle
tmh at nodomain.org
Thu Jun 5 20:17:36 BST 2003
Keith D. Zimmerman wrote:
> But now a checkout. Finally, the encryption error hits, but methinks it
> is too late... I am more concerned about my domain passwords being um,
> "borrowed" than I am about my code being "borrowed", because we have an
> RDP port hanging open, and I am domain admin... Very bad if people
> "borrow" my password. Fortunately I know enough to test on the LAN
> *before* opening the port on the external interface...
If you want any kind of security, don't use pserver. Delete the
pserver_protocol.dll from the server.
> Also, as far as security: If I set the server to "require encryption"
> :spi: still seems to work. There have been reports (in the past) that
> windows authentication was "not good". People deriding M$'s built in
> auth. in internet explorer and IIS because it was dangerous, esp. w/
> domain passwords. Anybody know anything about this????
NTLM doesn't do endpoint authentication, so is wide open to
man-in-the-middle attacks. If you're only worried about passive attacks
then NTLMv2 is secure enough (don't allow any Win9x clients to connect...
NTLMv1 is trivially crackable).
> Also, one more question: what is the cipher strength of the various
> protocols - sserver, sspi - as compared to cygwin ssh?
sserver is about the same as ssh provided you enable strict certificate
checking on the client (see the readme.nt for the registry entry). I
wouldn't put sspi in the same league (although it's secure enough for most
purposes).
Tony