On Thu, 5 Aug 2010, Till Maas wrote:
On Thu, Aug 05, 2010 at 01:11:24PM -0600, Kevin Fenzi wrote:
> On Wed, 04 Aug 2010 22:03:14 +0200
> Till Maas <opensource(a)till.name> wrote:
> > The attack is quite trivial:
> > 1) clone the git pkg Fedora repos
> > 2) commit some nasty change
> > 3) publish the repo on some server
> > 4) if the victim wants to fetch from the Fedora pkg repo, use the MITM
> > attack to make him fetch from the server set up in step 3. Steps 1-3
> > can obviously be done on-demand.
> >
> > If this is e.g. done on a conference / FUDCon / Fedora Action Day, the
> > attack can easily be targeted to make the change in step 2 be expected to
> > be fast forward. E.g. if packages simply need to be bumped for a
> > rebuild, an upload of a bad tarball and modification of the sources
> > file might be unnoticed.
>
> Just to clarify, as this is a long thread:
>
> This only works if people are using git:// urls, not the default for
> fedora ssh: ones, right? (provided you have connected before to
> pkgs.fedoraproject.org and have the known_hosts entry?)
Yes, ssh is secure if used properly. To get the proper known_hosts entry,
one has to download
https://admin.fedoraproject.org/ssh_known_hosts btw.
We also use SSHFP records for those of you that want to enable
VerifyHostKeyDNS yes in their ~/.ssh/config files. Not all of our hosts
have it, but many of our 'user' based external hosts do (pkgs,
fedorapeople, fedorahosted, etc.).
-Mike
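The client-side check that VerifyHostKeyDNS performs, as an added example that is not from this thread or from Fedora infrastructure: it derives the SSHFP record from a host's public key (what `ssh-keygen -r` publishes) and tests whether a key presented at connect time is covered by the records in a DNS answer. The host keys and the DNS answer below are constructed test data.

```python
import base64
import hashlib

# RFC 4255 / RFC 6594 / RFC 7479 code points for the SSHFP RDATA fields.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_pubkey(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key line.

    The fingerprint is the digest of the raw, base64-decoded key blob; this is
    what `ssh-keygen -r` publishes and what the client recomputes on connect.
    """
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGO[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def host_key_matches_dns(pubkey_line, sshfp_records):
    """True if some SSHFP record in the DNS answer covers the presented host key.

    Records for another algorithm or an unknown hash type are skipped, so a
    record published for an old RSA key never vouches for a new Ed25519 key.
    """
    algo = SSHFP_ALGO[pubkey_line.split()[0]]
    for rec_algo, rec_type, rec_fp in sshfp_records:
        if rec_algo != algo or rec_type not in SSHFP_HASH:
            continue
        fp = sshfp_from_pubkey(pubkey_line, rec_type)[2]
        # Presentation form in a zone file may be spaced or upper-case hex.
        if fp == rec_fp.replace(" ", "").lower():
            return True
    return False


def _constructed_ed25519_line(raw32):
    """Wire-format ssh-ed25519 blob around 32 arbitrary bytes (constructed test data, not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " pkgs.example.test"


# Constructed sample: the key the genuine host publishes, and a different key a
# MITM proxy would have to present because it does not hold the host's private key.
GENUINE_HOST_KEY = _constructed_ed25519_line(bytes(range(32)))
MITM_HOST_KEY = _constructed_ed25519_line(bytes(32))
DNS_ANSWER = [sshfp_from_pubkey(GENUINE_HOST_KEY)]  # what `ssh-keygen -r` would emit

if __name__ == "__main__":
    print("genuine key matches DNS:", host_key_matches_dns(GENUINE_HOST_KEY, DNS_ANSWER))
    print("MITM key matches DNS:   ", host_key_matches_dns(MITM_HOST_KEY, DNS_ANSWER))
```

OpenSSH treats a matching record as authoritative only when the resolver reports the answer as DNSSEC-validated; an unvalidated match is handled as if VerifyHostKeyDNS were set to ask, so the records complement, rather than replace, a trustworthy known_hosts file.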