
[Savannah-dev] proposal to enhance security


From: Mathieu Roy
Subject: [Savannah-dev] proposal to enhance security
Date: 30 Mar 2003 13:20:44 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Hi, 

I think we can enhance the "lost password system".

Thomas Bushnell noticed the possibility to crack the password system:
        - someone uses the lost password tool
        - he sniffs the packets the server sends, especially on port 25
        - he gets the mail with the hash. The connection is not
          encrypted.
        - even if we add ssl support to exim, we cannot predict that
          all servers from savannah to the user's MDA will have ssl
          support

But the consequences of these holes are not as big as Thomas said, in
my opinion:
        - it's not a bug that makes savannah particularly insecure
          by comparison to sf.net, as it works the same on sf.net
        - even if someone cracks an account, he cannot easily do what
          he really wants. Every action is locked. And users get a
          cvssh.
        - if he cracks the account of someone who has shell access,
          it can be critical, as he can change ssh keys...


So:
        - I previously added a mail() call to savannah-hackers to tell
          us about lost password usage
        - I propose to promote the usage of gpg: if someone adds his gpg
          key to his account, we will not use the sf.net original
          password command with a hash sent, but we will directly
          send him his password, encrypted with gpg. It is easier to
          deal with (unrequired complication leads to failure) and it
          is really secure.
        - Once this feature is implemented (I'll add a perl script
          to do this - php will be able to call it) we'll post a
          message on the savannah front page. We'll also send a mail
          to people listed in /root/README.login


Objections? Ideas?

Regards,
-- 
Mathieu Roy
 
 << Profile  << http://savannah.gnu.org/users/yeupou <<
 >> Homepage >> http://yeupou.coleumes.org           >>
 << GPG Key  << http://stock.coleumes.org/gpg        <<
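As an added example (not Savannah's code, and not the script Mathieu describes), a Perl routine that encrypts the lost-password mail body to the user's registered GPG key before it is handed to the MTA, so that the body stays opaque on any unencrypted port 25 hop between savannah and the user's MDA. It assumes gpg is installed, the user's public key is already imported into the keyring of the account running the script, and the key is identified by its full fingerprint (`$fingerprint`, a hypothetical value stored with the account).

```perl
#!/usr/bin/perl
# Added example, not Savannah's code. Encrypts the lost-password mail
# to the user's registered GPG key so the body is opaque to anyone
# sniffing the SMTP hops (port 25) between savannah and the user's MDA.
use strict;
use warnings;
use IPC::Open3;
use Symbol qw(gensym);

# Assumption: the user's public key was imported into the keyring of
# the account running this script, and we stored its full fingerprint.
sub gpg_encrypt_for {
    my ($fingerprint, $plaintext) = @_;

    # Only accept a full 40-hex-digit fingerprint: a short key id or an
    # e-mail address could select a different key carrying the same name.
    die "expected a full OpenPGP key fingerprint\n"
        unless $fingerprint =~ /\A[0-9A-Fa-f]{40}\z/;

    my $err = gensym;
    # List form of open3: no shell is involved, so neither the
    # fingerprint nor the message can be parsed as shell metacharacters.
    my $pid = open3(my $in, my $out, $err,
        'gpg', '--batch', '--no-tty', '--armor', '--encrypt',
        '--trust-model', 'always',   # trust comes from the stored fingerprint
        '--recipient', $fingerprint);
    print {$in} $plaintext;
    close $in;                       # gpg reads to EOF before encrypting
    my $ciphertext = do { local $/; <$out> };
    my $errors     = do { local $/; <$err> };
    waitpid $pid, 0;
    die "gpg exited with status " . ($? >> 8) . ": $errors" if $? != 0;
    return $ciphertext;
}

# Build the message the PHP side would hand to "sendmail -t".
sub lost_password_mail {
    my ($to, $fingerprint, $login, $password) = @_;
    my $body = gpg_encrypt_for($fingerprint,
        "Savannah account: $login\nPassword: $password\n");
    return "To: $to\n"
         . "Subject: [Savannah] lost password\n"
         . "Content-Type: text/plain; charset=us-ascii\n\n"
         . $body;
}

# Usage: lost_password.pl <to> <fingerprint> <login> <password>
print lost_password_mail(@ARGV) if @ARGV == 4;
```

Only the ciphertext leaves the script; if gpg fails (key missing, fingerprint malformed) the routine dies instead of falling back to a cleartext mail.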
