info-cvs

Re: authentication


From: Carl Brewer
Subject: Re: authentication
Date: Wed, 27 Oct 2004 09:19:07 +1000
User-agent: Mozilla Thunderbird 0.8 (Windows/20040913)

Mark D. Baushke wrote:
> Gleidson Sá Barreto <address@hidden> writes:
>
>> I don't understand why many people use pserver if
>> ext-ssh is more secure.
>
> Neither do I.
>
>> What are the advantages of pserver?
>
> I have to assume it is mostly overworked administrators. They can
> enable it without needing to set up host accounts for all of their cvs
> users.

Not needing to set up user accounts for people using CVS is my reason
for using it, same as for why we use Cyrus imap - we don't
want to give out shell accounts unless we absolutely have to,
and ways to restrict shell users are buggy, insecure and inconsistent
across platforms.

It's not a case of overworked as such*, but not being generous with
permissions that not necessarily trusted users need.


> However, they now need to do separate password management and they still
> need to maintain unique userids for the cvs commits (well, the feature
> branch allows them to use PAM-based authentication if they want to, but
> why would a security-minded administrator want yet another application
> that could cause an attack against passwords on the system?)

Because attacking passwords to get into a CVS tree is a lot less
risky than getting a shell account and running amok.  This is
why I looked at cvsnt on my UNIX boxes, it offers sserver, which
is pserver over ssl without a load of hackery (and the complications
introduced) on old CVS.


> They also need to worry that some future exploit of cvs will be a root
> exploit as the cvs pserver stuff starts life out of the inetd
> configuration as a 'root' user.

See above re possible shell access.  What's worse, a chrooted CVS
repository, or your whole server?

> The only benefit I can see for :pserver: is that it is simpler to grant
> anonymous read-only access to a repository. It is still possible to do
> given :ext:, but requires a bit more work by an administrator in this
> case.

You're not looking very hard.

Carl


* the usual disclaimer about overworked fits here :)

--
=======================
Vivitec Pty. Ltd.
Suite 6, 51-55 City Rd.
Southbank, 3006.
Ph. +61 3 8626 5626
Fax +61 3 9682 1000
=======================
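The two setups argued over in this thread, as an added example that is not code from either poster or from the CVS project: the ":ext: without a shell account" work Mark alludes to is an ssh forced command (`command="cvs server"` plus the usual `no-*` options in authorized_keys), and the "no host accounts" pserver setup Carl describes is a CVSROOT/passwd entry whose third field maps the CVS login to one unprivileged system user. The script below builds both kinds of entry and includes an audit check that every key in an authorized_keys file is pinned to `cvs server`. The cvs path `/usr/bin/cvs`, the system user `cvsuser`, the sample public key and the placeholder crypt hash are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from CVS itself.
#   1. :ext: over ssh with a forced command, so a key can only run "cvs server"
#   2. :pserver: with CVSROOT/passwd mapping a CVS login to one unprivileged system user
# Assumptions: cvs is at /usr/bin/cvs and a system user "cvsuser" exists.

# Emit an authorized_keys line that pins the key to "cvs server" and switches off
# the ssh features a CVS client never needs (forwarding, pty).
restrict_key_to_cvs() {
    key="$1"                      # a public key line, e.g. the contents of id_ed25519.pub
    cvs_bin="${2:-/usr/bin/cvs}"  # assumed path to the cvs binary
    printf 'command="%s server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cvs_bin" "$key"
}

# Audit check: succeed only if every key line in the file carries a "cvs server" forced command.
# Blank lines and comments are ignored; an empty file is vacuously fine.
all_keys_restricted() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -vq 'command="[^"]*cvs server"' && return 1
    return 0
}

# Emit a CVSROOT/passwd entry "login:crypt-hash:system-user". The hash is crypt(3)
# output produced elsewhere; the third field makes pserver run as that system user
# after authentication, so no per-person host account is needed. Refuse to map to root,
# since pserver is started as root from inetd and the mapping is what drops privilege.
pserver_passwd_entry() {
    login="$1"; hash="$2"; sysuser="$3"
    case "$sysuser" in
        root|"") echo "refusing to map $login to '$sysuser'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$login" "$hash" "$sysuser"
}

# Constructed sample key (not real key material).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal gleidson@example'

# Demo: build both files in a temp dir, audit the keys, show the results.
dir=$(mktemp -d)
restrict_key_to_cvs "$SAMPLE_KEY" > "$dir/authorized_keys"
pserver_passwd_entry gleidson 'xyCONSTRUCTEDHASH' cvsuser > "$dir/passwd"   # placeholder hash
all_keys_restricted "$dir/authorized_keys" && echo "all keys restricted to cvs server"
cat "$dir/authorized_keys" "$dir/passwd"
rm -rf "$dir"
```

With the forced command in place the user's key opens no shell, only a `cvs server` process; with `SystemAuth=no` in CVSROOT/config the pserver side consults only CVSROOT/passwd, so the CVS password is a separate secret from any system login.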



