RE: Remote cvs and security
From: Jonah Tsai
Subject: RE: Remote cvs and security
Date: Tue, 11 Sep 2001 03:20:47 -0400
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; m18) Gecko/20010131 Netscape6/6.01

> From: "Colin Bester" <address@hidden>
> To: "'CVS-II Discussion Mailing List'" <address@hidden>
> Subject: RE: Remote cvs and security
> Date: Mon, 10 Sep 2001 19:37:23 -0500
> Organization: AIONET Inc
>
> Greg, I would like to know what alternatives you are referring to.

The alternative, although it might not be what Greg is referring to, is
GSSAPI (aka. gserver in CVS). For the time being, GSSAPI supports only
Kerberos (although SUN's implementation does have Diffie-Hellman...). All
passwords are sent encrypted, with optional encrypted content. Note that
gserver is natively supported by CVS. However, I cannot find any
binaries pre-compiled with GSSAPI. You have to compile it yourself.

If you don't want to go through the trouble of setting up Kerberos, then
go for SSH, like almost everybody does.

> The way I understand it is that all passwords used between client and
> pserver are sent in clear text and as such irrespective of what you do,
> it would be very easy to listen in on these and gain access to the
> software files.
>
> While cvs might have been designed for free source development and some
> of us even agree with it, we don't always have this freedom of choice
> and need to protect our data.
>
> I am pretty new to these aspects as I have always worked in a closed and
> 'safe' environment and now find myself at the other end of the spectrum.
>
> I would really appreciate some comments on what the correct steps would
> be to secure this link.

Quick and dirty -- SSH, up in 10 minutes.
Spend a lot of time and have loads of fun (or pain) -- Kerberos (gserver).

Anything TCP can be tunnel'd (or port-forwarded in SSH terminology)
through SSH. Lucky that CVS uses TCP. It works, but it's somehow
hackish, because SSH is a peer-to-peer authentication/encryption
mechanism such that management is on a per-host basis. Kerberos is a
centralized authentication mechanism. Both have their advantages and
disadvantages, pick whatever suits your needs.

One dumb rule of thumb -- if you only have a handful of users, go SSH
because the pain Kerberos causes ain't worth it; if you have a lot of
users, in the order of hundreds, go Kerberos. Anything in between, take
your favorite, most likely your boss won't know the difference as long
as your argument is logical and convincing.

If you are paranoid about security, forget about pserver...

Jonah Tsai
<mailto:address@hidden>
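
A check for the choice discussed in this message, as an added example that is not part of the original post: it reads the CVS/Root file of each working copy and flags checkouts that still use pserver, accepting :ext: only when the remote-shell program is ssh. The function names, directory names and the host cvs.example.org are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: flag CVS working copies that still use pserver.
# Hostnames and directory names below are constructed sample values.

# classify_cvsroot ROOT [RSH] -> one-line verdict for a CVSROOT string.
# RSH defaults to $CVS_RSH, the program CVS runs for the :ext: method.
classify_cvsroot() {
    root=$1
    rsh=${2:-${CVS_RSH:-unset}}
    case "$root" in
        :pserver:*) echo "INSECURE pserver" ;;
        :gserver:*) echo "OK gserver (GSSAPI/Kerberos)" ;;
        :ext:*)
            case "$(basename "$rsh")" in
                ssh) echo "OK ext over ssh" ;;
                *)   echo "REVIEW ext (CVS_RSH=$rsh)" ;;
            esac ;;
        :local:*|/*) echo "LOCAL no network" ;;
        *) echo "REVIEW unrecognized method" ;;
    esac
}

# audit_tree DIR [RSH] -> "verdict<TAB>working dir<TAB>root" per checkout.
audit_tree() {
    find "$1" -type f -path '*/CVS/Root' | sort | while IFS= read -r f; do
        IFS= read -r root < "$f" || true   # tolerate a missing final newline
        printf '%s\t%s\t%s\n' \
            "$(classify_cvsroot "$root" "$2")" "${f%/CVS/Root}" "$root"
    done
}

# make_sample_tree -> path of a temp dir holding three constructed checkouts.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    for pair in "legacy|:pserver:anon@cvs.example.org:/cvsroot" \
                "tunneled|:ext:dev@cvs.example.org:/cvsroot" \
                "krb|:gserver:cvs.example.org:/cvsroot"; do
        mkdir -p "$d/${pair%%|*}/CVS"
        printf '%s\n' "${pair#*|}" > "$d/${pair%%|*}/CVS/Root"
    done
    echo "$d"
}

tree=$(make_sample_tree)
audit_tree "$tree" ssh
rm -rf "$tree"
```

Run against a real directory of checkouts with `audit_tree /path/to/work "$CVS_RSH"`; any line starting with INSECURE is a working copy to move to :ext: over SSH or to gserver.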