[cvsnt] pserver && encryption
Keith D. Zimmerman
keith at eagle-solutions.com
Thu Jun 5 21:44:32 BST 2003
inline
keith d. zimmerman, mcsd
eagle solutions
-----Original Message-----
From: Tony Hoyle [mailto:tmh at nodomain.org]
Sent: Thursday, June 05, 2003 3:18 PM
To: cvsnt at cvsnt.org
Subject: Re: [cvsnt] pserver && encryption
I'm assuming I got the port # right because you didn't respond to that
part of my message... So sserver, pserver, ntserver, sspi - they all go
through the same port?
>> But now a checkout. Finally, the encryption error hits, but methinks it
>> is too late... I am more concerned about my domain passwords being um,
>> "borrowed" than I am about my code being "borrowed", because we have an
>> RDP port hanging open, and I am domain admin... Very bad if people
>> "borrow" my password. Fortunately I know enough to test on the LAN
>> *before* opening the port on the external interface...
>
>If you want any kind of security, don't use pserver. Delete the
>pserver_protocol.dll from the server.
Yes, but it appears to me that the client sent the password before it
even realized pserver was not supported... This seems like a possible
vulnerability, not? If the clueless user tries to connect via pserver,
you have domain passwords flying across the internet, not?
>
>> Also, as far as security: If I set the server to "require encryption"
>> :spi: still seems to work. There have been reports (in the past) that
>> windows authentication was "not good". People deriding M$'s built in
>> auth. in internet explorer and IIS because it was dangerous, esp. w/
>> domain passwords. Anybody know anything about this????
>
>NTLM doesn't do endpoint authentication, so is wide open to
>man-in-the-middle attacks. If you're only worried about passive attacks
>then NTLMv2 is secure enough (don't allow any Win9x clients to connect...
>NTLMv1 is trivially crackable).
>
>> Also, one more question: what is the cipher strength of the various
>> protocols - sserver, sspi - as compared to cygwin ssh?
>
>sserver is about the same as ssh provided you enable strict certificate
>checking on the client (see the readme.nt for the registry entry). I
>wouldn't put sspi in the same league (although it's secure enough for most
>purposes).
>
Can you be more specific with this "strict checking" option... If I use
a cert server (cacert.org, for instance) but don't turn strict on, does
the client simply not bother to check with the authority?
>Tony
_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
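Keith's worry above is that a client using :pserver: hands over the password before the server rejects the protocol. The following is an added example (not code from the thread or from CVSNT) of a small detector a defender could run over captured TCP payloads to spot pserver authentication frames, so an accidental pserver login across an untrusted network is at least noticed; the frame layout is the real pserver "BEGIN AUTH REQUEST" exchange, the sample captures are constructed.

```python
# Added example (not from the mailing-list thread): recognise CVS pserver
# authentication frames in captured TCP payloads. The frame carries the
# repository path, the username and the password (only trivially scrambled,
# never encrypted), so seeing one on the wire means a credential was exposed.
import re

# "BEGIN AUTH REQUEST" is a normal login; "BEGIN VERIFICATION REQUEST" is the
# probe sent by `cvs login`. Both carry the same four lines.
AUTH_FRAME = re.compile(
    rb"BEGIN (AUTH|VERIFICATION) REQUEST\n"
    rb"(?P<repo>[^\n]*)\n(?P<user>[^\n]*)\n(?P<scrambled>[^\n]*)\n"
    rb"END (AUTH|VERIFICATION) REQUEST\n"
)


def find_pserver_logins(payload: bytes) -> list[dict]:
    """Return one record per complete pserver auth frame found in payload.

    The scrambled password is deliberately neither decoded nor returned; the
    detector only needs to know that a credential crossed the network.
    """
    hits = []
    for m in AUTH_FRAME.finditer(payload):
        hits.append({
            "kind": m.group(1).decode(),
            "repo": m.group("repo").decode(errors="replace"),
            "user": m.group("user").decode(errors="replace"),
            "password_present": len(m.group("scrambled")) > 0,
        })
    return hits


# Constructed captures: a pserver login, an ssh session (encrypted, nothing to
# recognise), and a frame cut off before the password line.
SAMPLE_PSERVER = (b"BEGIN AUTH REQUEST\n/cvsroot\nkeith\nAxxxxxxxx\n"
                  b"END AUTH REQUEST\nRoot /cvsroot\n")
SAMPLE_SSH = b"SSH-2.0-OpenSSH_3.6\r\n\x00\x00\x01\x84\x07\x14"
SAMPLE_TRUNC = b"BEGIN AUTH REQUEST\n/cvsroot\nkeith\n"

if __name__ == "__main__":
    for name, cap in (("pserver", SAMPLE_PSERVER), ("ssh", SAMPLE_SSH),
                      ("truncated", SAMPLE_TRUNC)):
        for hit in find_pserver_logins(cap):
            print(f"[{name}] {hit['kind']} login by {hit['user']!r} "
                  f"to {hit['repo']!r}: credential sent unencrypted")
```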