Integrity protection of fetches

Mike McGrath mmcgrath at redhat.com
Thu Aug 5 21:32:36 UTC 2010


On Thu, 5 Aug 2010, Till Maas wrote:

> On Thu, Aug 05, 2010 at 01:11:24PM -0600, Kevin Fenzi wrote:
> > On Wed, 04 Aug 2010 22:03:14 +0200
> > Till Maas <opensource at till.name> wrote:
>
> > > The attack is quite trivial:
> > > 1) clone the git pkg Fedora repos
> > > 2) commit some nasty change
> > > 3) publish the repo on some server
> > > 4) if the victim wants to fetch from the Fedora pkg repo, use the MITM
> > > attack to make him fetch from the server set up in step 3. Steps 1-3
> > > can obviously be done on-demand.
> > >
> > > If this is e.g. done on a conference / FUDCon / Fedora Action Day, the
> > > attack can easily be targeted to make the change in step 2 be expected to
> > > be fast forward. E.g. if packages simply need to be bumped for a
> > > rebuild, an upload of a bad tarball and modification of the sources
> > > file might be unnoticed.
> >
> > Just to clarify, as this is a long thread:
> >
> > This only works if people are using git:// urls, not the default for
> > fedora ssh: ones, right? (provided you have connected before to
> > pkgs.fedoraproject.org and have the known_hosts entry?)
>
> Yes, ssh is secure if used properly. To get the proper known_hosts entry,
> one has to download https://admin.fedoraproject.org/ssh_known_hosts btw.
>

We also use SSHFP records for those of you that want to enable
VerifyHostKeyDNS yes in their ~/.ssh/config files.  Not all of our hosts
have it but many of our 'user' based external hosts do (pkgs,
fedorapeople, fedorahosted, etc).

	-Mike
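The check that VerifyHostKeyDNS performs against SSHFP records (RFC 4255), as an added Python example that is not part of this thread or of Fedora infrastructure: it builds the SSHFP data a zone would publish for a host key (the same data `ssh-keygen -r` prints) and matches a presented key against it. The ed25519 key line and the hostname are constructed placeholders, and the records are assumed to come from a DNSSEC-validated answer.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1 is legacy)


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex digest

    def rdata(self) -> str:
        return f"{self.algorithm} {self.fptype} {self.fingerprint}"


def sshfp_from_pubkey(pubkey_line: str) -> Sshfp:
    """SSHFP data for one host key line: the digest is computed over the raw
    key blob, i.e. the base64 payload of the key line decoded (RFC 4255 3.1.3)."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    return Sshfp(SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE_SHA256,
                 hashlib.sha256(blob).hexdigest())


def host_key_matches_dns(pubkey_line: str, records: Iterable[Sshfp]) -> bool:
    """Accept a presented host key only if DNS publishes an SSHFP record with
    the same algorithm, fingerprint type and digest. OpenSSH trusts such a
    match only when the resolver flags the answer as DNSSEC-validated (AD bit);
    an unvalidated answer is handled as if VerifyHostKeyDNS were 'ask'."""
    want = sshfp_from_pubkey(pubkey_line)
    return any(r == want for r in records)


def constructed_ed25519_pubkey() -> str:
    # Constructed sample, not a real host key: an ssh-ed25519 public key line
    # wrapping 32 arbitrary key bytes in the SSH wire blob format (RFC 4253).
    keytype = b"ssh-ed25519"
    raw = bytes(range(32))
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} sample@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    rec = sshfp_from_pubkey(key)
    print("pkgs.example.  IN SSHFP", rec.rdata())  # placeholder zone name
    print("host key matches DNS:", host_key_matches_dns(key, [rec]))
```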

