[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Remote cvs and security

From: Jonah Tsai
Subject: RE: Remote cvs and security
Date: Tue, 11 Sep 2001 03:20:47 -0400
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; m18) Gecko/20010131 Netscape6/6.01

From: "Colin Bester" <address@hidden> <mailto:address@hidden>
To: "'CVS-II Discussion Mailing List'" <address@hidden> <mailto:address@hidden>
Subject: RE: Remote cvs and security
Date: Mon, 10 Sep 2001 19:37:23 -0500
Organization: AIONET Inc

Greg, I would like to know what alternatives you are referring to.

The alternative, although it might not be what Greg is refering to, is GSSAPI (aka. gserver in CVS). For the time being, GSSAPI supports only Kerberos (although SUN's implementation does have Diffe-Hellman...). All passwords are sent encrypted, with optional encrypted content. Note that gserver is natively supported by CVS. However, I cannot find any binaries pre-compiled with GSSAPI. You have to compile it yourself.

If you don't want to go through the trouble of setting up Kerberos, then go for SSH, like almost everybody does.

The way I understand it is that all passwords used between client and
pserver are sent in clear text and as such irrespective of what you do,
it would be very easy to listen in on these and gain access to the
software files.

While cvs might have been designed for free source development and some
of us even agree with it, we don't always have this freedom of choice
and need to protect our data.

I am pretty new to these aspects as I have always worked in a closed and
'safe' environment and now find myself at the other end of the spectrum.

I would really appreciate some comments on what the correct steps would
be to secure this link.

Quick and dirty -- SSH, up in 10 minutes.
Spend a lot of time and have loads of fun (or pain) -- Kerberos (gserver).

Anything TCP can be tunnel'd (or port-forward in SSH terminology) through SSH. Lucky that CVS uses TCP. It works, but it's somehow hackish, because SSH is a peer-to-peer authentication/encryption mechanism such that management is on per host basis. Kerberos is a centralized authentication mechanism. Both have their advantages and disadvantages, pick whatever suites your needs.

One dumb rule of thumb -- if you only have a handful of users, go SSH because the pain Kerberos causes ain't worth it; if you have a lot of usres, in the order of hundreds, go Kerberos. Anything in between, take your favorite, most likely your boss won't know the difference as long as your argument is logical and convincing.

If you are paranoid about security, forget about pserver...

Jonah Tsai


reply via email to

[Prev in Thread] Current Thread [Next in Thread]