[cvsnt] pserver && encryption

Keith D. Zimmerman keith at eagle-solutions.com
Thu Jun 5 21:44:32 BST 2003


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


inline

keith d. zimmerman, mcsd 
eagle solutions

-----Original Message-----
From: Tony Hoyle [mailto:tmh at nodomain.org] 
Sent: Thursday, June 05, 2003 3:18 PM
To: cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
Subject: Re: [cvsnt] pserver && encryption

I'm assuming I got the port # right because you didn't respond to that
part of my message...  So sserver, pserver, ntserver, sspi - they all go
through the same port?

>> But now a checkout.  Finally, the encryption error hits, but methinks
it
>> is too late...  I am more concerned about my domain passwords being
um,
>> "borrowed" than I am about my code being "borrowed", because we have
an
>> RDP port hanging open, and I am domain admin...  Very bad if people
>> "borrow" my password.  Fortunatly I know enough to test on the LAN
>> *before* opening the port on the external interface...
>
>If you want any kind of security, don't use pserver.  Delete the
>pserver_protocol.dll from the server.

Yes, but it appears to me that the client sent the password before it
even realized pserver was not supported...  This seems like a possible
vulnerability, not?  If the clueless user tries to connect via pserver,
you have domain passwords flying across the internet, not?

>
>> Also, as far as security:  If I set the server to "require
encryption"
>> :spi: still seems to work.  There have been reports (in the past)
that
>> windows authentication was "not good".  People deriding M$'s built in
>> auth. in internet explorer and IIS because it was dangerous, esp. w/
>> domain passwords.  Anybody know anything about this????
>
>NTLM doesn't do endpoint authentication, so is wide open to
>man-in-the-middle attacks.  If you're only worried about passive
attacks
>then NTLMv2 is secure enough (don't allow any Win9x clients to
connect...
>NTLMv1 is trivially crackable).
> 
>> Also, one more question:  what is the cipher strength of the various
>> protocols - sserver, sspi - as compared to cygwin ssh?
>
>sserver is about the same as ssh provided you enable strict certificate
>checking on the client (see the readme.nt for the registry entry).  I
>wouldn't put sspi in the same league (although it's secure enough for
most
>purposes).
>

Can you be more specific with this "strict checking" option...  If I use
a cert server (cacert.org, for instance) but don't turn strict on, does
the client simply not bother to check with the authority?

>Tony

_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs


More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook