[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ANN: cvssh - secure ext-to-pserver bridge

From: David A. Desrosiers
Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
Date: Thu, 21 Feb 2002 18:44:19 -0800 (PST)

> There have been lots of descriptions of how to do this posted to this
> list in the past.  I suggest you research and/or

        Descriptions, with absolutely no working solution. Do you get the
full depth of a book by reading just the 'Foreward'? I have seen these
various methods, and they are garbage. All of the tunneling, ssh'ing,
wrapping, chrooting scripts which do nothing but open yet more holes in an
already secure system. No thanks.

> You might also find suggestions about how to do anonymous read-only SSH
> access to CVS in some NetBSD-related forums -- NetBSD has such as
> service running now for their source repo.

        I know how to do anonymous read-only ssh, and it actually involves
nothing other than SSH itself (well, and sshd). NetBSD's implementation uses
a wrapper, which.. ta-da, is exploitable, since you can break through it by
killing the child process during the fork. It's been explained in many tomes
before, do not fork off children if you intend your application to be

> Note that regardless of how you provide anonymous read-only access it
> should undoubtably be done on a separate machine with a separate copy of
> the repository.  Do not trust mixed anonymous read-only access and
> commit access to the same files!

        And how, praytell, do you get those files sync'd back to the main
repository? Or are you suggesting forking the entire project each time
there's a commit? Sort of ruins the whole purpose of cvs, doesn't it?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]