OSCommerce Product Manager

OSCommerce Product Manager for Windows

FS#194 - PLink waits for user input if the key fingerprint is unknown.

Attached to Project: OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 21 May 2005, 08:59 GMT-6
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 21 May 2005, 09:15 GMT-6
Task Type Bug Report
Category Backend / Core
Status Closed
Assigned To Mario A. Valdez-Ramirez (mvaldez)
Operating System All
Severity Medium
Priority Urgent
Reported Version any
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The first time the user attempts to establish an SSH tunnel with PLink, the plink program will display a message to the user explaining that the fingerprint of the remote server is not known, and asking whether it should store it in the Registry or not.

The OSCPMWin application currently has no way to know if the message is displayed or not. The problem is that the PLink program can just hang there waiting for the user input, and the user is unaware because PLink is hidden when invoked from OSCPMWin.

Closed by  Mario A. Valdez-Ramirez (mvaldez)
Saturday, 21 May 2005, 09:15 GMT-6
Reason for closing:  
Comment by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 21 May 2005, 09:01 GMT-6

A solution would be to capture the plink output and convert those messages to dialogs where the user can answer. Or where the OSCPMWin application can answer silently.


Or we can rebuild plink to ignore those issues.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 21 May 2005, 09:06 GMT-6


This bug is major.

We have rebuilt plink. This is the easiest way.

However, we are circumventing four security checks done by PLink. This is not worse than not using PLink, because the non-secured connection doesn't have any way to check for the authenticity of the DB server.

However, using SSH may add a sense of security that PLink is not actually providing.

I will close this bug, but will open a new one.


As a note, we have recompiled plink.exe with Cygwin. The executable looks 33% bigger. Everything else looks good. To be included in the next release.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Saturday, 21 May 2005, 09:15 GMT-6


Just to clarify, by disabling those security checks, we lose the following:

Authentication (of server): Lost.
Authentication (of client): Preserved.
Integrity: Preserved.
Confidentiality: Preserved.
Non-repudiation (of server): Lost.
Non-repudiation (of client): Lost.


(Non-repudiation is lost because authentication is lost; Authentication + Integrity = Non-repudiation.) However, it only applies to the server (the client still cannot deny it made the connection).
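
The first comment's idea of capturing plink's output can be combined with a pinned host key so the hidden process never waits on a prompt and server authentication is kept. The sketch below is an added example, not OSCPMWin code: it assumes a current PuTTY release (for `-batch` and `-hostkey`) and key-based client authentication, and the message markers, host names and ports are constructed or assumed.

```python
import subprocess

# Marker substrings are assumptions modelled on plink's host-key messages;
# wording differs between PuTTY versions, so matching is deliberately loose.
MARKERS = [
    ("potential security breach", "host_key_changed"),
    ("does not match", "host_key_changed"),
    ("manually configured list", "pin_mismatch"),
    ("not cached", "host_key_unknown"),
]

# Constructed sample of what a hidden plink prints for a never-seen server.
SAMPLE_UNKNOWN = (
    "The server's host key is not cached in the registry. You\n"
    "have no guarantee that the server is the computer you\n"
    "think it is.\n"
    "Connection abandoned.\n"
)

def classify_plink_stderr(text):
    """Map plink stderr to a condition the GUI can show as a dialog."""
    lowered = text.lower()
    for needle, verdict in MARKERS:
        if needle in lowered:
            return verdict
    return "other_error" if lowered.strip() else "no_message"

def build_plink_cmd(user, host, local_port, db_host, db_port, pinned_fp=None):
    """-batch makes plink abort instead of waiting for input on a prompt."""
    cmd = ["plink", "-ssh", "-batch", "-N",
           "-L", f"{local_port}:{db_host}:{db_port}"]
    if pinned_fp:  # expected server key fingerprint, shipped in app config
        cmd += ["-hostkey", pinned_fp]
    return cmd + [f"{user}@{host}"]

def open_tunnel(cmd, startup_timeout=15):
    """Start plink hidden. Returns (process, verdict); process is None on failure."""
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE, text=True)
    try:
        _, err = proc.communicate(timeout=startup_timeout)
    except subprocess.TimeoutExpired:
        return proc, "tunnel_running"  # still alive: no prompt, no abort
    return None, classify_plink_stderr(err)

if __name__ == "__main__":
    print(classify_plink_stderr(SAMPLE_UNKNOWN))
    print(build_plink_cmd("shop", "db.example.com", 3307, "127.0.0.1", 3306))
```

A `host_key_changed` or `pin_mismatch` verdict is the case to surface to the user rather than answer silently, since it is the check that distinguishes the real DB server from an impostor.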
