
Re: CVS & SSL


From: Derek R. Price
Subject: Re: CVS & SSL
Date: Wed, 23 May 2001 10:30:22 -0400

"Greg A. Woods" wrote:

> [ On Tuesday, May 22, 2001 at 00:44:41 (-0400), Derek R. Price wrote: ]
> > Subject: Re: CVS & SSL
> >
> > > Why does this have to be made so "difficult"?
> >
> > Writing an RSH wrapper was my first idea.  It turned out to be difficult
> > because CVS expects RSH to handle the 'setuid' in this case.  This code
> > will tunnel an actual pserver connection with all that entails.
>
> OH!  "Pserver!"  I see.   But that begs the question!  Why bother?
> Seems silly to me to make a pserver connection "secure" when you can't
> make pserver itself "secure".  There's no net gain in security.

Yes there is.  The connection can no longer be sniffed.  Stealing a user's
password would now require access to the user's machine to read the .cvspass
file.


> However if you insist on going down this silly road, why not just run an
> stunnel "server", just like one would do with ssh, and simply tell the
> CVS client that your repository is ":pserver:address@hidden:/cvsroot"?
> Seems like the only obvious way to go if you ask me....

Because this works without setting up a permanent tunnel.  That's one less step
of overhead involved in connecting.  Your typical user doesn't want to worry
about establishing a tunnel.  They want their client to connect.


> Hacks to CVS itself are most definitely unnecessary.

Hacks are always unnecessary.  This one happens to be somewhat useful, simple,
and fits tidily in with the existing code.  Besides, the pserver operation can
now be tested locally (except for the tcp code, which wasn't being tested
anyhow) by shoving 'cvs --allow-root=... pserver' in as the "socket provider".
I have my entire sanity.sh script running that way with only a few
modifications.  This is also useful.

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden         CollabNet ( http://collab.net )
--
I will not buy a presidential pardon.
I will not buy a presidential pardon.
I will not buy a presidential pardon...

        - Bart Simpson on chalkboard, _The Simpsons_





