is gitosis secure?

is gitosis secure?

Thomas Koch
Sorry for the shameless subject, but I presented gitosis yesterday to
our sysadmin and he wasn't much delighted to learn that write access to
repositories hosted with gitosis would need SSH access.

So could you help me out in this discussion, whether to use or not to
use gitosis?
Our admin would prefer to not open SSH at all outside our LAN, but
developers would need to have write access also outside the office.

Best regards,
--
Thomas Koch, Software Developer
http://www.koch.ro

Young Media Concepts GmbH
Sonnenstr. 4
CH-8280 Kreuzlingen
Switzerland

Tel    +41 (0)71 / 508 24 86
Fax    +41 (0)71 / 560 53 89
Mobile +49 (0)170 / 753 89 16
Web    www.ymc.ch
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: is gitosis secure?

Sam Vilain
On Tue, 2008-12-09 at 09:56 +0100, Thomas Koch wrote:
> Sorry for the shameless subject, but I presented gitosis yesterday to
> our sysadmin and he wasn't much delighted to learn that write access to
> repositories hosted with gitosis would need SSH access.
>
> So could you help me out in this discussion, whether to use or not to
> use gitosis?
> Our admin would prefer to not open SSH at all outside our LAN, but
> developers would need to have write access also outside the office.

Restricted Unix shells are a technology which has been proven secure for
decades now.  If you use git-shell, you are keeping the secure part of
SSH - the authentication and encryption - and restricting the SSH access
part to the bare minimum required for useful access to the required
services.

i.e. ... it all comes down to the shell you give those 'login' users as to
what they can do.

Sam.


Re: is gitosis secure?

R. Tyler Ballance
In reply to this post by Thomas Koch
On Tue, 2008-12-09 at 09:56 +0100, Thomas Koch wrote:
> Sorry for the shameless subject, but I presented gitosis yesterday to
> our sysadmin and he wasn't much delighted to learn that write access to
> repositories hosted with gitosis would need SSH access.

Accounts set up with keys for Gitosis are given restricted accounts
(from my understanding similar to how CVS or SVN operate over SSH
tunnels).

The sysadmins here at Slide also had similar frustrations/concerns about
using Gitosis, but we were able to convince them that keys were a far
better solution than keyboard-interactive login sessions over HTTPS for
Subversion.

We're using gitosis with plenty of developers (coming up on 50) and
haven't had any issues with security (yet, crossed fingers). We even
have some accounts that are able to read but not write, i.e. they can
clone and pull, but not push back up to the central repository. YMMV.

>
> So could you help me out in this discussion, whether to use or not to
> use gitosis?
> Our admin would prefer to not open SSH at all outside our LAN, but
> developers would need to have write access also outside the office.

I recommend using VPN if they need to push/pull while outside of the
office (more fun solutions include SSH gateways that tunnel outside to
inside). Otherwise, why could they not simply commit locally, etc, and
then when they come into the office push/pull?

Cheers
--
-R. Tyler Ballance
Slide, Inc.


Re: is gitosis secure?

Sverre Rabbelier
In reply to this post by Thomas Koch
On Tue, Dec 9, 2008 at 09:56, Thomas Koch <[hidden email]> wrote:
> Our admin would prefer to not open SSH at all outside our LAN, but
> developers would need to have write access also outside the office.

What is safer to connect to the LAN with than SSH? What _would_ your
system admin be happy with using?

--
Cheers,

Sverre Rabbelier

Re: is gitosis secure?

Garry Dolley
In reply to this post by Thomas Koch
On Tue, Dec 09, 2008 at 09:56:48AM +0100, Thomas Koch wrote:
> Sorry for the shameless subject, but I presented gitosis yesterday to
> our sysadmin and he wasn't much delighted to learn that write access to
> repositories hosted with gitosis would need SSH access.
>
> So could you help me out in this discussion, whether to use or not to
> use gitosis?
> Our admin would prefer to not open SSH at all outside our LAN, but
> developers would need to have write access also outside the office.

If your admin doesn't want to open SSH to the outside, then the
people who need it would need to VPN into your LAN first.  That's
how I do it on networks that don't allow any traffic from the
outside.

But like someone else asked, what alternative *would* your admin
prefer?  I'd rather use SSH than a yet-to-be-proven-secure
alternative app.

--
Garry Dolley
ARP Networks, Inc.                          http://www.arpnetworks.com
Data center, VPS, and IP transit solutions  (818) 206-0181
Member Los Angeles County REACT, Unit 336   WQGK336
Blog                                        http://scie.nti.st


Re: is gitosis secure?

nix-2-3
In reply to this post by Sverre Rabbelier
On 9 Dec 2008, Sverre Rabbelier spake thusly:

> On Tue, Dec 9, 2008 at 09:56, Thomas Koch <[hidden email]> wrote:
>> Our admin would prefer to not open SSH at all outside our LAN, but
>> developers would need to have write access also outside the office.
>
> What safer to connect to the LAN than with SSH? What _would_ your
> system admin be happy with using?

telnet. I do not jest, this is our sysadmins' stated reasons for not
opening the git port and for tweaking their (mandatory) HTTP proxy to
block HTTP traffic from git.

(Telnet over some horrible impossibly slow buggy proprietary VPN.
It takes >5min to bring up a single connection.)

Do not underestimate the stupidity and hideboundedness of undertrained
system administrators, for it is vast.

Re: is gitosis secure?

Sverre Rabbelier
On Sat, Dec 13, 2008 at 17:23, Nix <[hidden email]> wrote:
> telnet. I do not jest, this is our sysadmins' stated reasons for not
> opening the git port and for tweaking their (mandatory) HTTP proxy to
> block HTTP traffic from git.

I don't know what to say to this :P.

> (Telnet over some horrible impossibly slow buggy proprietary VPN.
> It takes >5min to bring up a single connection.)

I feel for you man, try and get that guy fired and have them hire some
_real_ sysadmins!

> Do not underestimate the stupidity and hideboundedness of undertrained
> system administrators, for it is vast.

This is beyond doubt.

--
Cheers,

Sverre Rabbelier

Re: is gitosis secure?

Sitaram Chamarty
In reply to this post by nix-2-3
On 2008-12-13, Nix <[hidden email]> wrote:
> telnet. I do not jest, this is our sysadmins' stated reasons for not
> opening the git port and for tweaking their (mandatory) HTTP proxy to
> block HTTP traffic from git.

Wow -- my sympathies!

But on occasion, when real or imaginary issues prevented me
from making a live connection, I have used "git bundle" to
do the job.  Not as satisfactory as a real connection, but
when you have a proper, non-fast-forwarding, repo as the
"mother ship", git bundle with some custom procmail scripts
on both sides can work OK enough.

To do that with a public repo you'd have to mirror that on a
home machine and let your restricted environment work
against that.

> Do not underestimate the stupidity and hideboundedness of undertrained
> system administrators, for it is vast.

These same administrators also underestimate (i) the number
of well connected home machines and (ii) the idea that on
his own machine, everyone is root.

Most of these blocks are "default allow", and your home IP
is not on that list and they don't have the smarts to figure
out that you're getting around their blocks :-) Add dynamic
IP and a dyndns hostname (and dyndns has a hundred or so 2nd
level domains to choose your 3rd level hostname from!) and
clueless admins don't stand a chance.

[sorry this is so badly off-topic...]


Re: is gitosis secure?

David Lang
this is really a reply to an earlier message that I deleted.

the question was asked 'what would the security people like instead of
SSH'

as a security person who doesn't like how ssh is used for everything, let
me list a couple of concerns.

ssh is default allow (it lets you run any commands); you can lock it down
with effort.

ssh defaults to establishing a tunnel between machines that other network
traffic can use to bypass your system. yes I know that with enough effort
and control of both systems you can tunnel over anything, the point is
that ssh is eager to do this for you (overly eager IMHO)

ssh depends primarily on certificates that reside on untrusted machines.
it can be made to work with tokens or such, but it takes a fair bit of
effort.

sshd runs as root on just about every system

people trust ssh too much. they tend to think that anything is acceptable
if it's done over ssh (this isn't a technical issue, but it is a social
issue)


what would I like to see in an ideal world?

something that runs as the git user, does not enable tunneling, and only
does the data transfer functions needed for a push. it should use
off-the-shelf libraries for certificate authentication and tie into PAM
for additional authentication.

the authentication would not be any better than with SSH, but the rest
would be better. I was very pleased to watch the git-daemon development,
and the emphasis on it running with minimum privileges and providing just
the functionality that was needed, and appropriately assuming that any
connection from the outside is hostile until proven otherwise.


what would I do with current tools?

I would say that developers working from outside should VPN into the
company network before doing the push with SSH rather than exposing the
SSH daemon to the entire Internet.

in the medium term, if the git-over-http gets finished, I would like to
see a separate CGI created to allow push as well. http is overused as a
tunneling protocol, but it's easy to set up a server that can't do anything
except what you want, so this tunneling is generally not a threat to
servers (it's a horrible threat to client systems)

David Lang
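Sam Vilain's point that it all comes down to the shell, and David Lang's concerns about default-allow commands and eager tunnelling, both reduce to what the authorized_keys entries on the git account permit. The script below is an added example, not code from this thread or from gitosis: it emits a restricted entry of the shape gitosis writes (the `gitosis-serve` path, the sample keys and the account name are assumptions) and audits an existing key file for entries that lack the forced command or any of the options that disable forwarding and ttys.

```shell
#!/bin/sh
# Added example (not gitosis code): audit the authorized_keys file of a
# shared "git" account. Each key should carry a forced command plus the
# options that switch off what sshd allows by default (TCP/X11/agent
# forwarding and a tty), so a key grants git access and nothing else.

SERVE_CMD="gitosis-serve"   # assumption: gitosis-serve is on the PATH
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# restrict_key USER "PUBKEY-LINE": print an authorized_keys entry of the
# shape gitosis generates, so sshd runs only the serve command for USER.
restrict_key() {
    printf 'command="%s %s",%s %s\n' "$SERVE_CMD" "$1" \
        "$(printf '%s' "$REQUIRED_OPTS" | tr ' ' ',')" "$2"
}

# audit_keys FILE: print "<line>: missing <item>[,<item>...]" for every key
# that lacks the forced command or one of REQUIRED_OPTS. The options field
# is taken from before the key type, so a matching word in the trailing
# comment does not count. Returns 0 only if every key is restricted.
audit_keys() {
    file=$1
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                # blank or comment line
            ssh-*|ecdsa-*|sk-*) opts='' ;;      # key type first: no options
            *) opts=${line%%" ssh-"*}
               opts=${opts%%" ecdsa-"*}
               opts=${opts%%" sk-"*} ;;
        esac
        missing=''
        case $opts in
            *'command="'*) ;;
            *) missing='command=' ;;
        esac
        for opt in $REQUIRED_OPTS; do
            case $opts in
                *"$opt"*) ;;
                *) missing="${missing:+$missing,}$opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s: missing %s\n' "$n" "$missing"
            status=1
        fi
    done < "$file"
    return "$status"
}

# Constructed sample file: alice is restricted the way gitosis writes it,
# bob has a forced command but still permits forwarding, carol is an
# unrestricted key, i.e. a full login shell on the git account (the
# "no-pty" in her comment must not count).
KEYS=$(mktemp)
trap 'rm -f "$KEYS"' EXIT
cat > "$KEYS" <<'EOF'
### constructed sample, not a real key file
# alice: fully restricted
# bob: forced command only
command="gitosis-serve alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3constructed alice@example
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-pty ssh-ed25519 AAAAC3constructed bob@example
ssh-ed25519 AAAAC3constructed carol@example no-pty
EOF

restrict_key dave "ssh-ed25519 AAAAC3constructed dave@example"
audit_keys "$KEYS" && echo "all keys restricted" || echo "unrestricted keys found"

# Server-side belt and braces (sshd_config), so a stray key cannot bring
# back what the per-key options remove:
#   Match User git
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY no
#       PermitTunnel no
```

Run against the real file of the git account (`audit_keys ~git/.ssh/authorized_keys`) and a non-zero exit means at least one key is a full login rather than a git-only one.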

Re: is gitosis secure?

Martin Pettersson
Dear David.
Why do you trust VPN more than SSH?
I ask because I have just removed the "first VPN then SSH" solution in
favor of an SSH-only solution using Gitosis, just to get rid of the VPN,
which I believe is less secure than SSH (well, until I read your comments
below).
I thought I was doing something right for once but maybe I'm not?
Thanks and best regards
Martin

[hidden email] wrote:

> this is really a reply to an earlier message that I deleted.
>
> the question was asked 'what would the security people like instead of
> SSH'
>
> as a security person who doesn't like how ssh is used for everything,
> let me list a couple of concerns.
>
> ssh is default allow (it lets you run any commands), you can lock it
> down with effort.
>
> ssh defaults to establishing a tunnel between machines that other
> network traffic can use to bypass your system. yes I know that with
> enough effort and control of both systems you can tunnel over
> anything, the point is that ssh is eager to do this for you (overly
> eager IMHO)
>
> ssh depends primarily on certificates that reside on untrusted
> machines. it can be made to work with tokens or such, but it takes a
> fair bit of effort.
>
> sshd runs as root on just about every system
>
> people trust ssh too much. they tend to think that anything is
> acceptable if it's done over ssh (this isn't a technical issue, but it
> is a social issue)
>
>
> what would I like to see in an ideal world?
>
> something that runs as the git user, does not enable tunneling, and
> only does the data transfer functions needed for a push. it should use
> off-the-shelf libraries for certificate authentication and tie into
> PAM for additional authentication.
>
> the authentication would not be any better than with SSH, but the rest
> would be better. I was very pleased to watch the git-daemon
> development, and the emphasis on it running with minimum privileges
> and provide just the functionality that was needed, and appropriately
> assuming that any connection from the outside is hostile until proven
> otherwise.
>
>
> what would I do with current tools?
>
> I would say that developers working from outside should VPN into the
> company network before doing the push with SSH rather than exposing
> the SSH daemon to the entire Internet.
>
> in the medium term, if the git-over-http gets finished, I would like
> to see a separate CGI created to allow push as well. http is overused
> as a tunneling protocol, but it's easy to setup a server that can't do
> anything except what you want, so this tunneling is generally not a
> threat to servers (it's a horrible threat to client systems)
>
> David Lang

Re: is gitosis secure?

David Lang
On Sun, 14 Dec 2008, martin wrote:

> Dear David.
> Why do you trust VPN more than the SSH?
> I ask because I have just removed the "first VPN then SSH" solution in favor
> of an SSH-only solution using Gitosis just to get rid of the VPN which I
> believe is less secure than SSH (well until I read your comments below).
> I thought I was doing something right for once but maybe I'm not?
> Thanks and best regards
> Martin

in part it's that a VPN is a single point of control for all remote
access.

If you use ssh you end up exposing all the individual machines

1. data leakage of just what machines exist to possibly hostile users.

2. the many machines are configured separately, frequently by different
people. this makes it far more likely that sometime some machine will get
misconfigured.

3. people who are focused on providing features have a strong temptation
to cut corners and just test that the feature works and not test that
everything that isn't supposed to work actually doesn't work. as a
result, in many companies there is a deliberate separation (and tension)
between a group focused on controlling and auditing access and one that is
focused on creating functionality and features.

also from a political/social point of view everyone recognises that if you
grant someone VPN access you are trusting them, but people don't seem to
think the same way with ssh.

David Lang

> [hidden email] wrote:
>> this is really a reply to an earlier message that I deleted.
>>
>> the question was asked 'what would the security people like instead of SSH'
>>
>> as a security person who doesn't like how ssh is used for everything, let
>> me list a couple of concerns.
>>
>> ssh is default allow (it lets you run any commands), you can lock it down
>> with effort.
>>
>> ssh defaults to establishing a tunnel between machines that other network
>> traffic can use to bypass your system. yes I know that with enough effort
>> and control of both systems you can tunnel over anything, the point is that
>> ssh is eager to do this for you (overly eager IMHO)
>>
>> ssh depends primarily on certificates that reside on untrusted machines. it
>> can be made to work with tokens or such, but it takes a fair bit of effort.
>>
>> sshd runs as root on just about every system
>>
>> people trust ssh too much. they tend to think that anything is acceptable
>> if it's done over ssh (this isn't a technical issue, but it is a social
>> issue)
>>
>>
>> what would I like to see in an ideal world?
>>
>> something that runs as the git user, does not enable tunneling, and only
>> does the data transfer functions needed for a push. it should use
>> off-the-shelf libraries for certificate authentication and tie into PAM for
>> additional authentication.
>>
>> the authentication would not be any better than with SSH, but the rest
>> would be better. I was very pleased to watch the git-daemon development,
>> and the emphasis on it running with minimum privileges and provide just the
>> functionality that was needed, and appropriately assuming that any
>> connection from the outside is hostile until proven otherwise.
>>
>>
>> what would I do with current tools?
>>
>> I would say that developers working from outside should VPN into the
>> company network before doing the push with SSH rather than exposing the SSH
>> daemon to the entire Internet.
>>
>> in the medium term, if the git-over-http gets finished, I would like to see
>> a separate CGI created to allow push as well. http is overused as a
>> tunneling protocol, but it's easy to setup a server that can't do anything
>> except what you want, so this tunneling is generally not a threat to
>> servers (it's a horrible threat to client systems)
>>
>> David Lang

Re: is gitosis secure?

Jakub Narębski
In reply to this post by David Lang
[hidden email] writes:

> this is really a reply to an earlier message that I deleted.
>
> the question was asked 'what would the security people like instead of
> SSH'
>
> as a security person who doesn't like how ssh is used for everything,
> let me list a couple of concerns.
>
> ssh is default allow (it lets you run any commands), you can lock it
> down with effort.

How is VPN better than that?
 
> ssh defaults to establishing a tunnel between machines that other
> network traffic can use to bypass your system. yes I know that with
> enough effort and control of both systems you can tunnel over
> anything, the point is that ssh is eager to do this for you (overly
> eager IMHO)

How is VPN better than that?

> ssh depends primarily on certificates that reside on untrusted
> machines. it can be made to work with tokens or such, but it takes a
> fair bit of effort.

There VPN probably differs...

> sshd runs as root on just about every system

And VPN doesn't?

[...]

The idea with using SSH was, I think, that it is easier and better to
use an existing solution for authentication and authorization than roll
your own (see the case of CVS pserver, and Subversion svnserve).
--
Jakub Narebski
Poland
ShadeHawk on #git

Re: is gitosis secure?

Jakub Narębski
In reply to this post by Sitaram Chamarty
Sitaram Chamarty <[hidden email]> writes:
> On 2008-12-13, Nix <[hidden email]> wrote:

> > telnet. I do not jest, this is our sysadmins' stated reasons for not
> > opening the git port and for tweaking their (mandatory) HTTP proxy to
> > block HTTP traffic from git.
>
> Wow -- my sympathies!
>
> But on occasion, when real or imaginary issues prevented me
> from making a live connection, I have used "git bundle" to
> do the job.  Not as satisfactory as a real connection, but
> when you have a proper, non-fast-forwarding, repo as the
> "mother ship", git bundle with some custom procmail scripts
> on both sides can work OK enough.

Perhaps one would be interested in adding bundle support to gitweb.
The problem is in the interface, but I think in the simplest case gitweb
could present a 'bundle' link alongside the snapshot link(s) in the 'heads'
view (showing branches), which link would generate a bundle for a given
branch, starting from the latest annotated tag.  But this is only for
download...

Another solution would be to help with the "smart" HTTP protocol,
i.e. the git-over-http solution.  This would hopefully change the signature so
at least for some time it would pass proxy filters.  Also only for
download.


BTW. is outgoing SSH transport (from network to outside) blocked as
well?
--
Jakub Narebski
Poland
ShadeHawk on #git

Re: is gitosis secure?

Jakub Narębski
In reply to this post by David Lang
[hidden email] writes:

> On Sun, 14 Dec 2008, martin wrote:
>
> > Dear David.
> > Why do you trust VPN more than the SSH?
> > I ask because I have just removed the "first VPN then SSH" solution
> > in favor for a SSH only solution using Gitosis just to get rid of
> > the VPN which I believe is less secure than SSH (well until I read
> > you comments below).
> > I thought I was doing something right for once but maybe I'm not?
> > Thanks and best regards
> > Martin
>
> in part it's that a VPN is a single point of control for all remote
> access.
>
> If you use ssh you end up exposing all the individual machines
>
> 1. data leakage of just what machines exist to possibly hostile users.

Errr... what? One of the established practices is to expose only _one_
machine to the outside; you have to SSH to a gateway.
 
> 2. the many machines are configured separately, frequently by different
> people. this makes it far more likely that sometime some machine will
> get misconfigured.

See above.

> 3. people who are focused on providing features have a strong
> temptation to cut corners and just test that the feature works and not
> test that everything that isn't supposed to work actually doesn't
> work. as a result, in many companies there is a deliberate separation
> (and tension) between a group focused on controlling and auditing
> access and one that is focused on creating functionality and features.

And that differs from VPN in what way?

> also from a political/social point of view everyone recognises that if
> you grant someone VPN access you are trusting them, but people don't
> seem to think the same way with ssh.

Errr... what?  I think everybody knows that unrestricted SSH access
(without limiting done by the shell used) means that you trust the user.

--
Jakub Narebski
Poland
ShadeHawk on #git

Re: is gitosis secure?

Martin Pettersson
In reply to this post by David Lang


[hidden email] wrote:

> On Sun, 14 Dec 2008, martin wrote:
>
>> Dear David.
>> Why do you trust VPN more than the SSH?
>> I ask because I have just removed the "first VPN then SSH" solution
>> in favor for a SSH only solution using Gitosis just to get rid of the
>> VPN which I believe is less secure than SSH (well until I read you
>> comments below).
>> I thought I was doing something right for once but maybe I'm not?
>> Thanks and best regards
>> Martin
>
> in part it's that a VPN is a single point of control for all remote
> access.
>
> If you use ssh you end up exposing all the individual machines
>
> 1. data leakage of just what machines exist to possibly hostile users.
>
> 2. the many machines are configured separately, frequently by different
> people. this makes it far more likely that sometime some machine will
> get misconfigured.
>
> 3. people who are focused on providing features have a strong
> temptation to cut corners and just test that the feature works and not
> test that everything that isn't supposed to work actually doesn't
> work. as a result, in many companies there is a deliberate separation
> (and tension) between a group focused on controlling and auditing
> access and one that is focused on creating functionality and features.
>
> also from a political/social point of view everyone recognises that if
> you grant someone VPN access you are trusting them, but people don't
> seem to think the same way with ssh.
>
> David Lang
>

I opened port 22 in the firewall to just those hosts that I need to
reach, which is one in this case... the rest of the machines I cannot reach.
I did a brief port scan and the thing is silent... so I don't think I
reveal any of the other hosts... but I should not say it's secure
with your measures...

Your point two I don't understand...   If you are in charge of the
firewall you also know what machines you let people reach. If these
machines are numerous then I think there is a management problem
somewhere else...


Point 3 is correct but I fail to see how this is less of a problem with
VPN than SSH.

Thanks and Best regards
Martin


Re: is gitosis secure?

Sitaram Chamarty
In reply to this post by David Lang
On 2008-12-14, [hidden email] <[hidden email]> wrote:
> On Sun, 14 Dec 2008, martin wrote:
>> Why do you trust VPN more than the SSH?
> in part it's that a VPN is a single point of control for all remote
> access.
>
> If you use ssh you end up exposing all the individual machines

Need not be true.  None of my internal servers are even
accessible from the outside world; they're all in RFC1918
space and there's only one gateway.  This *is* my single
point of control.

I can set up different port numbers to forward to different
internal servers (ssh, http, whatever I wish); that may
sound like a form of "exposing" but in reality it's a lot
*more* restrictive than setting up a VPN and granting access
to it.

I actually don't like VPNs; they imply that you're "inside"
the network in some way, and I hate blurring that
distinction.  If I'm outside, I want to be acutely aware of
it, and the fact that I can't even ping one of the inside
hosts or see what's on it, or do anything other than what is
specifically allowed by the gateway, is one way of ensuring
this.


Re: is gitosis secure?

David Lang
In reply to this post by Jakub Narębski
On Sun, 14 Dec 2008, Jakub Narebski wrote:

> [hidden email] writes:
>
>> this is really a reply to an earlier message that I deleted.
>>
>> the question was asked 'what would the security people like instead of
>> SSH'
>>
>> as a security person who doesn't like how ssh is used for everything,
>> let me list a couple of concerns.
>>
>> ssh is default allow (it lets you run any commands), you can lock it
>> down with effort.
>
> How is VPN better than that?
>
>> ssh defaults to establishing a tunnel between machines that other
>> network traffic can use to bypass your system. yes I know that with
>> enough effort and control of both systems you can tunnel over
>> anything, the point is that ssh is eager to do this for you (overly
>> eager IMHO)
>
> How is VPN better than that?
>
>> ssh depends primarily on certificates that reside on untrusted
>> machines. it can be made to work with tokens or such, but it takes a
>> fair bit of effort.
>
> There probably VPN differs...
>
>> sshd runs as root on just about every system
>
> And VPN doesn't?

you aren't having the VPN software running commands passed to it by the
outside world.

> [...]
>
> The idea with using SSH was, I think, that it is easier and better to
> use existing solution for authentication and authorization than roll
> your own (see the case of CVS pserver, and Subversion svnserve).

I'm not saying that it's good to roll your own from scratch, you need to
use libraries that have been examined and validated, but SSH is a Swiss
army knife, it's designed to do lots of things, and when you are exposing
things to the outside world you want them to be as limited as possible to
limit the damage that they can do.

David Lang

Re: is gitosis secure?

David Lang
In reply to this post by Jakub Narębski
On Sun, 14 Dec 2008, Jakub Narebski wrote:

> [hidden email] writes:
>> On Sun, 14 Dec 2008, martin wrote:
>>
>>> Dear David.
>>> Why do you trust VPN more than the SSH?
>>> I ask because I have just removed the "first VPN then SSH" solution
>>> in favor for a SSH only solution using Gitosis just to get rid of
>>> the VPN which I believe is less secure than SSH (well until I read
>>> you comments below).
>>> I thought I was doing something right for once but maybe I'm not?
>>> Thanks and best regards
>>> Martin
>>
>> in part it's that a VPN is a single point of control for all remote
>> access.
>>
>> If you use ssh you end up exposing all the individual machines
>>
>> 1. data leakage of just what machines exist to possibly hostile users.
>
> Errr... what? One of established practices is expose only _one_
> machine to outside; you have to SSH to gateway.

that works for sysadmin access to a box, it doesn't work for git push
(unless that box also happens to be your git repository). multiply by a
few dozen different applications that all take the attitude 'just use SSH
and you are secure' and you end up with a bunch of machines that _have_ to
be exposed via SSH.

>> 2. the many machines are configured separately, frequently by different
>> people. this makes it far more likely that sometime some machine will
>> get misconfigured.
>
> See above.
>
>> 3. people who are focused on providing features have a strong
>> temptation to cut corners and just test that the feature works and not
>> test that everything that isn't supposed to work actually doesn't
>> work. as a result, in many companies there is a deliberate separation
>> (and tension) between a group focused on controlling and auditing
>> access and one that is focused on creating functionality and features.
>
> And that differs from VPN in what way?

the VPN is typically (but not always) run by the group who is focused on
controlling and auditing access.

>> also from a political/social point of view everyone recognises that if
>> you grant someone VPN access you are trusting them, but people don't
>> seem to think the same way with ssh.
>
> Errr... what?  I think everybody knows that unrestricted SSH access
> (without limiting done by shell used) means that you trust user.

you would be surprised.

I'm not saying that SSH is bad for all uses by any means. I'm responding
to the people who seemed to be thinking that anyone who didn't like the
'use SSH' option are luddites and just don't know what they are doing.
different networks can have different stances and all be right (for their
environment).

David Lang

Re: is gitosis secure?

David Lang
In reply to this post by Martin Pettersson
On Sun, 14 Dec 2008, martin wrote:

> [hidden email] wrote:
>> On Sun, 14 Dec 2008, martin wrote:
>>
>>> Dear David.
>>> Why do you trust VPN more than the SSH?
>>> I ask because I have just removed the "first VPN then SSH" solution in
>>> favor for a SSH only solution using Gitosis just to get rid of the VPN
>>> which I believe is less secure than SSH (well until I read you comments
>>> below).
>>> I thought I was doing something right for once but maybe I'm not?
>>> Thanks and best regards
>>> Martin
>>
>> in part it's that a VPN is a single point of control for all remote access.
>>
>> If you use ssh you end up exposing all the individual machines
>>
>> 1. data leakage of just what machines exist to possibly hostile users.
>>
>> 2. the many machines are configured separately, frequently by different
>> people. this makes it far more likely that sometime some machine will get
>> misconfigured.
>>
>> 3. people who are focused on providing features have a strong temptation to
>> cut corners and just test that the feature works and not test that
>> everything that isn't supposed to work actually doesn't work. as a result,
>> in many companies there is a deliberate separation (and tension) between a
>> group focused on controlling and auditing access and one that is focused on
>> creating functionality and features.
>>
>> also from a political/social point of view everyone recognises that if you
>> grant someone VPN access you are trusting them, but people don't seem to
>> think the same way with ssh.
>>
>> David Lang
>>
>
> I opened port 22 in the firewall to just those hosts that I need to reach,
> which is one in this case...the rest of the machines I cannot reach.
> I did a brief port scan and the thing is silent... so I don't think I reveal
> any of the other hosts... but I should not say is it's secure with your
> measures...
>
> Your point two I don't understand...   If you are in charge of the firewall
> you also know what machines you let people reach. If these machines are
> numerous then I think there is a management problem somewhere else...

two things here

1. if you are running multiple different applications that all want to be
exposed via port 22 (like git for 'git push') then you may need to expose
numerous machines. tools that use SSH don't tend to have the ability to
use a gateway box before they start executing commands, they assume that
you will SSH directly into the destination box.

2. many people take the attitude that SSH is secure, period, end of
statement. so they think that every machine should be able to be contacted
via SSH, and you can then use SSH to do any other functionality on any
machine that you can dream up. a small minority of people try to minimize
what boxes are exposed directly (you are one of them), but most don't.

David Lang
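One way to keep a single exposed gateway and still push to a gitosis host that sits inside the LAN is to let the developer's ssh client hop through the gateway while the gateway account is locked down to nothing but that one TCP forward. This is an added example, not configuration from the thread or from gitosis; it assumes OpenSSH on both ends with ProxyJump support (OpenSSH 7.3 or later, newer than the tools discussed in this thread), and the hostnames, user names and key path are placeholders.

```ssh_config
# --- ~/.ssh/config on the developer's workstation (added example, placeholder names) ---
# The only host reachable from outside: the gateway box.
Host gateway.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# The gitosis host is not exposed; ssh reaches it via a TCP forward through the gateway.
# git's own command is still executed on git.internal under the gitosis account,
# whose authorized_keys entry forces gitosis-serve, so the gateway never runs git.
Host git.internal
    User git
    ProxyJump gateway.example.com
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# --- /etc/ssh/sshd_config fragment on gateway.example.com (added example) ---
# alice may only open a forward to the gitosis host's SSH port; no shell, no tty,
# no agent or X11 forwarding, so the gateway stays a pure chokepoint.
# Match User alice
#     AllowTcpForwarding yes
#     PermitOpen git.internal:22
#     PermitTTY no
#     AllowAgentForwarding no
#     X11Forwarding no
#     ForceCommand /bin/false
```

With this in place the developer adds the remote as `git.internal:project.git` and pushes normally, while the firewall only needs port 22 open to the gateway; the gateway's sshd log and the gitosis host's authorized_keys remain the two places to audit who can reach the repository.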


Re: is gitosis secure?

nix-2-3
In reply to this post by Jakub Narębski
On 14 Dec 2008, Jakub Narebski spake thusly:
> BTW. is outgoing SSH transport (from network to outside) blocked as
> well?

*No* ports are open. All they have is a (non-transparent) buggy HTTP
proxy. These guys really don't get the Internet, despite their sales
literature banging on endlessly about it.

Looks like a lot of git-bundling is in my future.