From: Petr Baudis <pasky@suse.cz>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Git Mailing List <git@vger.kernel.org>
Subject: Re: The git protocol and DoS
Date: Thu, 20 Oct 2005 00:20:44 +0200
Message-ID: <20051019222044.GP30889@pasky.or.cz>
In-Reply-To: <4356A5C5.5080905@zytor.com>
Dear diary, on Wed, Oct 19, 2005 at 10:00:05PM CEST, I got a letter
where "H. Peter Anvin" <hpa@zytor.com> told me that...
> One way to do this would be to start the transaction by having the
> server transmit a cookie to the client, and to require the client to
> send a SHA1 of the (cookie + request) together with the request. This
> would be done with a fairly short timeout.
If (well, it sounds like a good idea, so rather "when") you do this,
it would be a good idea to do it in a way that makes it easy to later add
support for some kind of authentication (really, not everyone wants to
give away ssh accounts). Let's say it works like:
[client] git-upload-pack <path>
[server] challenge somethingnonsensical
[client] challenge-response <username>:sha1(somethingnonsensical<password>)
[server] All right, the pack goes like this...
Suddenly you have support for hopefully secure authentication, and at
the same time you have the cookie implemented in a backwards-compatible
fashion (in the sense that a new client will be able to talk to an old
server) - just assume the username and password are empty. This might
even be hardcoded for now, just leave room for its addition (in an
elegant and compatible way) in the protocol, please.
Thanks,
--
Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
VI has two modes: the one in which it beeps and the one in which
it doesn't.
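The four-line exchange sketched in the mail, simulated end to end as an added example (not code from the thread or from git itself). It follows the mail's sha1(challenge + password) construction literally, with the empty username/password case standing in for an old, unauthenticated client; the user table, the 5-second timeout and the constant-time comparison are assumptions, and a deployed design would use an HMAC rather than a bare hash.

```python
import hashlib
import hmac
import os
import time

# Constructed credential table (assumption): the empty user is the
# "no authentication" client the mail wants to stay compatible with.
USERS = {"": "", "pasky": "correct horse battery staple"}
CHALLENGE_TTL = 5.0  # seconds a challenge stays valid (assumed value)


def server_challenge():
    """[server] challenge <nonce>: fresh random cookie plus issue time."""
    nonce = os.urandom(16).hex()
    return nonce, time.monotonic()


def client_response(nonce, username="", password=""):
    """[client] challenge-response <username>:sha1(nonce<password>)."""
    digest = hashlib.sha1((nonce + password).encode()).hexdigest()
    return f"challenge-response {username}:{digest}"


def server_verify(nonce, issued_at, response, now=None):
    """Server decision before sending the pack: True only if the reply
    arrived within the timeout and the digest matches the stored secret."""
    now = time.monotonic() if now is None else now
    if now - issued_at > CHALLENGE_TTL:
        return False  # stale cookie: the DoS timeout from the quoted proposal
    prefix = "challenge-response "
    if not response.startswith(prefix):
        return False
    username, _, digest = response[len(prefix):].partition(":")
    if username not in USERS:
        return False
    expected = hashlib.sha1((nonce + USERS[username]).encode()).hexdigest()
    # constant-time comparison so verification does not leak the digest
    return hmac.compare_digest(expected, digest)


def run_exchange(username="", password="", delay=0.0):
    """Run one full exchange; delay models how late the client answers."""
    nonce, issued = server_challenge()
    reply = client_response(nonce, username, password)
    return server_verify(nonce, issued, reply, now=issued + delay)
```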