Re: Security concern CVSROOT
From: Derek R. Price
Subject: Re: Security concern CVSROOT
Date: Sat, 28 Oct 2000 02:16:42 -0400
Martin Vogt wrote:
> 1. Authorisation
> ----------------
>
> The authorisation mechanism. Currently the client sends
> cvsroot,username,password
> in one single command.
>
> If a setuid wrapper, like cvsauth, gets such a request,
> the user sends his clear text password if he accidentally
> types :pserver instead of :sslserver
Well, if you're daring enough to grab the dev version you can redirect
the port CVS is accessing, so localhost:33333 or something is unlikely
to send cleartext passwords anywhere unless you have your tunnel up.
Alternately, you could only allow ssh access (using :ext: and setting
CVS_RSH=ssh), then you don't have to trust the user not to try and use
pserver, but you have to allow the user an ssh shell on the server.
Derek
--
Derek Price CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden OpenAvenue ( http://OpenAvenue.com )
--
Information is the currency of democracy.
- Thomas Jefferson
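
The two options in the reply above (pserver pointed at a local tunnel port, or :ext: with CVS_RSH=ssh) can be checked across existing working copies by reading each CVS/Root file. The script below is an added example, not part of the original message or of CVS; the function names and category labels are hypothetical, the sample roots are constructed, and it assumes an unset CVS_RSH means rsh.

```shell
#!/bin/sh
# classify_cvsroot ROOT [RSH] prints how a session for ROOT would travel:
#   pserver-remote  pserver to a non-loopback host: password crosses the network
#   pserver-local   pserver to loopback: protected only while a tunnel owns the port
#   ext-ssh         :ext: with CVS_RSH=ssh
#   ext-other       :ext: with another transport (for example rsh)
#   other           local path, or an access method not covered here
classify_cvsroot() {
    root=$1
    rsh=${2-${CVS_RSH:-rsh}}    # assumption: unset CVS_RSH means rsh
    case $root in
        :pserver:*) rest=${root#:pserver:} ;;
        :ext:*)
            case ${rsh##*/} in  # compare the basename so /usr/bin/ssh matches
                ssh) echo ext-ssh ;;
                *)   echo ext-other ;;
            esac
            return 0 ;;
        *) echo other; return 0 ;;
    esac
    hostpart=${rest%%/*}        # [user[:password]@]host[:port] before the path
    hostpart=${hostpart##*@}    # drop the user part if present
    host=${hostpart%%:*}        # drop the port or the trailing ':'
    case $host in
        localhost|127.*) echo pserver-local ;;
        *)               echo pserver-remote ;;
    esac
}

# audit_tree DIR [RSH] prints "category<TAB>file" for every CVS/Root under DIR.
audit_tree() {
    find "$1" -type f -path '*/CVS/Root' | while IFS= read -r f; do
        IFS= read -r root < "$f" || [ -n "$root" ] || continue
        printf '%s\t%s\n' \
            "$(classify_cvsroot "$root" "${2-${CVS_RSH:-rsh}}")" "$f"
    done
}

# Constructed sample roots, not taken from any real repository.
for sample in ':pserver:alice@cvs.example.org:/cvsroot' \
              ':pserver:alice@localhost:33333/cvsroot' \
              ':ext:alice@cvs.example.org:/cvsroot'; do
    printf '%s\t%s\n' "$(classify_cvsroot "$sample" ssh)" "$sample"
done
```

A working copy reported as pserver-remote is one where a checkout or update would send the password to the named host without a tunnel in between.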