info-cvs

Re: :ext: , ssh :pserver: relation question


From: Mark D. Baushke
Subject: Re: :ext: , ssh :pserver: relation question
Date: Mon, 24 Mar 2003 12:02:50 -0800

Ronald Petty <address@hidden> writes:

> Could someone explain the difference between using :ext: (with
> CVS_RSH=ssh) over using pserver and having tcpwrapper listen on 2401?
> 
> Why would one do either over the other?
> Ron

With ssh, you are using strong authentication and there is no
possibility that someone else will be able to utilize any possible
security holes in cvs to spoof being someone else on your server
machine.

With pserver, your password is kept in a trivially obscured token in a
$HOME/.cvspass file and sent over the network in the clear. Once you
have connected to the 2401 server, which is typically running as root, you
run the possibility that someone will have found an exploit in cvs to
either become root on your server machine or to become someone else on
your server machine than was intended.

Use your favorite search engine and look for the keywords:

  cvs pserver security

for examples that have arisen in the past and realize that it is possible
that other bugs still exist.

If the problem is that you need anonymous CVS access, you may wish to
look at the following link:

Anonymous CVS access via ssh
http://www.kitenet.net/programs/sshcvs/

I know that a number of folks have already talked about security issues
and CVS. I suggest you read the "Linux security issues as they pertain
to CVS" thread that starts here:

  http://mail.gnu.org/archive/html/info-cvs/2001-05/msg00935.html

if you need/want more background on security.

        Enjoy!
        -- Mark
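
An added example, not part of the original message: a small audit that finds working copies and .cvspass entries still pointing at pserver and reports the equivalent :ext: root to use with CVS_RSH=ssh. The host names and sample entries are constructed, and the function names are hypothetical; stored passwords are never read or decoded.

```python
import re
from pathlib import Path
# CVSROOT syntax: :method:[[user][:password]@]host[:[port]]/path
ROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):(?:(?P<user>[^:@/]*)(?::(?P<pw>[^@/]*))?@)?"
    r"(?P<host>[^:/@]+)(?::(?P<port>\d*))?(?P<path>/.*)$"
)

def audit_root(root):
    """Return a finding for a pserver CVSROOT, or None for any other root."""
    root = root.strip()
    m = ROOT_RE.match(root)
    if not m or m["method"] != "pserver":
        return None
    user = f"{m['user']}@" if m["user"] else ""
    return {
        "root": root,
        "inline_password": m["pw"] is not None,  # password typed into the root itself
        "ext_root": f":ext:{user}{m['host']}:{m['path']}",  # use with CVS_RSH=ssh
    }

def audit_cvspass(text):
    """List pserver roots that have a stored password; the password is never read."""
    roots = []
    for line in text.splitlines():
        if line.startswith("/1 "):  # newer entries carry a "/1 " version prefix
            line = line[3:]
        root, sep, _scrambled = line.partition(" ")
        if sep and audit_root(root):
            roots.append(root)
    return roots

def audit_tree(top):
    """Find working copies under `top` whose CVS/Root names a pserver."""
    hits = []
    for root_file in sorted(Path(top).rglob("CVS/Root")):
        finding = audit_root(root_file.read_text())
        if finding:
            hits.append((str(root_file.parent.parent), finding))
    return hits

# Constructed sample .cvspass content (hypothetical host, placeholder tokens).
SAMPLE_CVSPASS = ("/1 :pserver:ron@cvs.example.org:2401/cvsroot Axxxxxxxx\n"
                  ":pserver:anonymous@cvs.example.org:/cvsroot A\n")

if __name__ == "__main__":
    for root in audit_cvspass(SAMPLE_CVSPASS):
        print("stored pserver password:", root, "->", audit_root(root)["ext_root"])
    for workdir, finding in audit_tree("."):
        print(workdir, "uses", finding["root"], "->", finding["ext_root"])
```
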



