info-cvs

Re: Accessing the repository via Internet


From: Kaz Kylheku
Subject: Re: Accessing the repository via Internet
Date: Tue, 16 Jul 2002 11:04:37 -0700 (PDT)

On Tue, 16 Jul 2002, Mike Ayers wrote:

> Helmut Mucker wrote:
> 
> > Is there a way to access our corporate repository
> > from the Internet? Our security policy prohibits
> > direct connections from the Internet to the
> > CVS-Server.
> 
>       ACK!  Haven't they heard of ssh?

I'm sure they have; however, using ssh requires opening up a
port from the DMZ to their internal network. In the minds of the
super-paranoid, this introduces the risk of someone exploiting a
security hole in ssh.

I think that if you combine ssh with host-based access control, and
ensure that you only allow crypto authentication, you really have
nothing to worry about. 

In other words, open the ssh port only for packets that are coming from
certain IP addresses or networks.

> > Can it be done using a ssh-proxy in the DMZ
> > or something else?
> 
>       It *can*...
> 
>       However, since the stock response you will get on this issue will be
> "use ssh, that's what it's for", you may find that no prewritten proxy
> exists.  I would not expect one, certainly.

What you can do is nest two ssh connections. You see, you can use ssh
to tell one machine to execute a command on a third machine using ssh.

    ssh dmz-host 'ssh secure-host command'

With ssh-agent forwarding, it should work. Anyway, it's worth
investigating this ``proxy'' scheme.

-- 
Meta-CVS: solid version control tool with directory structure versioning. 
http://users.footprints.net/~kaz/mcvs.html  http://freshmeat.net/projects/mcvs
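
One way to wire the nested-ssh scheme from the message above into CVS, added here as an illustration and not part of the original post: a CVS_RSH wrapper that sends each connection through the DMZ host. The host name dmz-host comes from the post; the script name cvs-rsh-nested, the DMZ_HOST variable and the function names are hypothetical, and the script assumes CVS invokes $CVS_RSH as "host [-l user] cvs server".

```shell
#!/bin/sh
# Added example: CVS_RSH wrapper that nests two ssh hops through a DMZ host.
# Install under the (hypothetical) name cvs-rsh-nested and point CVS_RSH at it.

# Assumption: DMZ_HOST names the bastion; defaults to the name used in the post.
DMZ_HOST="${DMZ_HOST:-dmz-host}"

# Quote one argument so a POSIX shell on the far side reads it back as a
# single literal word. The trailing "x" protects trailing newlines from
# being stripped by command substitution.
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Build the command line that the DMZ host's shell will execute. The outer
# ssh hands its command to a shell on the DMZ host, so every argument meant
# for the inner ssh is quoted once; the inner ssh then sees exactly the
# arguments a direct ssh would have received from CVS.
build_inner_command() {
    inner="ssh"
    for arg in "$@"; do
        inner="$inner $(sh_quote "$arg")"
    done
    printf '%s' "$inner"
}

main() {
    # -A forwards the local ssh-agent so the DMZ host can authenticate to
    # the internal host without storing a private key of its own.
    exec ssh -A "$DMZ_HOST" "$(build_inner_command "$@")"
}

# Run only when invoked under the wrapper's name, so the functions can be
# sourced or tested without opening a connection.
case "${0##*/}" in
    cvs-rsh-nested) main "$@" ;;
esac
```

Set CVS_RSH to the script's path and use an :ext: CVSROOT that names the internal host. While the session is open, root on the DMZ host can use the forwarded agent, so load only the key needed for this pair of hops.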



