Re: Running multiple CVS instances
Mark D. Baushke
Tue, 10 Aug 2004 09:10:57 -0700
mat bike <address@hidden> writes:
> We have a colleague working on another company that has tight firewall
> that only allows few ports open. Unfortunately, CVS port is not one
> of them (and they don't want to allow it).
Okay, it seems that the company administrators have the same low view of
port 2401 as I do. They will not thank you if you give their users
access to cvs on some other ephemeral port number for outbound
> We figured that we can bind another instance of CVS pserver to a port
> they permit traffic on and change our colleague's script to use this
> alternate port. From my initial testing, this seems to be working (at
> least, I can start multiple instances of CVS).
Yes, this approach will likely work. You should be able to configure
your [x]inetd server to listen on as many ports as you wish for
:pserver: cvs connections and it will work fine. The cvs server does not
actually know anything about the port used to connect to it.
> Question is, how safe is this??
It is no more or less safe than using :pserver: on port 2401. Of course,
putting it on another port may invite hackers who believe it to be
some service other than CVS...
fwiw: I can not ever recommend keeping :pserver: open directly to the
internet. Errors have been found in the past which could have allowed
exploits to be run to get a shell running as root via :pserver: mode of
cvs. A wise administrator will do their best to avoid opening their
servers to root exploits thru systems that have been considered unsafe
in the past.
> Will this cause any harm to our repository?
Or rather, if only honest people open connections to your server, then
you have no problems.
The cvs protocol does not care about the origin of the server-side
connection of cvs. You can have as many methods active at the same time
as you wish and as many people connecting as your inetd or sshd will
allow and it will not harm the cvs repository (modulo bugs in cvs which
have not yet been found of course :-).
> Any thoughts? Suggestions?
I recommend that you move to using :ext: mode in conjunction with
CVS_RSH=ssh and provide restricted SSH logins for all users of your CVS
repository directly on the server machine.
If that is not possible, you might be able to set up an SSH tunnel account
that will allow you to tunnel port 2401 to the remote machine. This will
add an extra authentication hurdle so that only authorized users can try
to attack your :pserver: CVS server.
If the other company does not allow outbound port 22 connections, then
it is possible to run SSH on ports other than 22. However, you really
should let the security folks in the other company understand the
business cases involved and work with them to get a secure connection to
your CVS server. Perhaps they would want to set up a VPN tunnel between
your two companies or some other approach to avoid external attacks on
an established connection... paranoia may be inconvenient, but they may
have a better understanding of the risks that exist for their hosts than
you do. Work with them, not around them.
PS: Yes, I am serious. I do not believe that CVS administrators should
use :pserver: mode for anything under any circumstances. If you MUST use
it, then only use it in a LAN environment that is totally secure and has
no ability to have worms or virus infections on machines on that LAN.
That is, only where there are no machines that may be compromised that
could be used to attack your server. As this is normally not possible,
you should just avoid using :pserver:, or be willing to take the risks
associated with having your CVS server owned by an attacker.
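The :ext: over ssh setup and the ssh-tunnel fallback that the reply recommends, shown as concrete client and server settings. This is an added example, not part of the original thread; the account name cvsuser, host cvs.example.com, repository path /var/cvsroot, tunnel account and key material are constructed placeholders.

```shell
#!/bin/sh
# Helpers for moving a CVS deployment off :pserver: onto :ext: with CVS_RSH=ssh.
# All names below (cvsuser, cvs.example.com, /var/cvsroot) are constructed examples.

# Classify a CVSROOT string so scripts can refuse the discouraged :pserver: mode.
# Prints "pserver", "ext" or "other".
cvsroot_mode() {
    case "$1" in
        :pserver:*) echo pserver ;;
        :ext:*)     echo ext ;;
        *)          echo other ;;
    esac
}

# Build the CVSROOT a client uses in :ext: mode; pair it with CVS_RSH=ssh.
# $1 = server-side account, $2 = server host, $3 = repository path
cvs_ext_root() {
    printf ':ext:%s@%s:%s\n' "$1" "$2" "$3"
}

# Build an authorized_keys entry for a "restricted SSH login": the key may only
# run "cvs server" (the command the :ext: client invokes over ssh), with port,
# X11 and agent forwarding and pty allocation disabled. $1 = public key material.
restricted_cvs_key() {
    printf 'command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Fallback from the reply: forward local port 2401 through an ssh tunnel account so
# that only ssh-authenticated users can reach :pserver: at all. Prints the command.
# $1 = tunnel account, $2 = tunnel host
pserver_tunnel_cmd() {
    printf 'ssh -N -L 2401:localhost:2401 %s@%s\n' "$1" "$2"
}

# Usage (constructed values):
#   export CVS_RSH=ssh
#   export CVSROOT="$(cvs_ext_root cvsuser cvs.example.com /var/cvsroot)"
#   restricted_cvs_key 'ssh-ed25519 AAAAC3-constructed-key' >> ~cvsuser/.ssh/authorized_keys
#   [ "$(cvsroot_mode "$CVSROOT")" = pserver ] && echo "refusing :pserver:" >&2
```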