|
From: | Julian Opificius |
Subject: | Re: Problem with admin privileges |
Date: | Tue, 05 Jul 2005 15:49:30 -0500 |
User-agent: | Mozilla Thunderbird 1.0.2 (Windows/20050317) |
Todd Denniston wrote:
How does a hole in pserver reduce security? Is ssh protecting me or not? I realize that all security is additive, but pserver would seem to be no more than paint on the wall of ssh, meaning that if ssh goes down, pserver won't help, but then again it won't hinder either.Big question: What do you think using :pserver: at this point, gain you andyour users over just :ext: over ssh?Because they already have (and will continue to have) valid system shell login, from here it only looks like more admin trouble to setup and maintain pserver, plus it probably reduces the authentication or authorization you had from the ssh and system level, especially when a new pserver hole comes out.
I have solved most of my admin problem by running admin users as their themselves using $CVSROOT/CVSROOT/passwd entries like this: "username:password" rather than as the global cvs user: "username:password:cvs"<SNIP> Why use the $CVSROOT/CVSROOT/passwd at all, just use the system authentication fallback, it SHOULD make your life easier because only the system level auth files need scrubbed when someone leaves not the system level AND all the cvs repos.
The only reason I am using pserver is that it allows my users to have CVAS controlled access to the respositories without giving them dierct write access to them. If you can suggest another way of doing that, I'd be glad to use it.
From a security perspective, my understanding is that ssh gives me adequate protection from invasion from the outside world, (ssh is the only port mapped through NAT to the server) and I have not yet identified a need to protect my data from malicious intent from inside, so I'm not really sure what the risks of pserver over ssh really are.
As a final disclaimer: I'm an embedded software engineering manager, not a network guru, and the network is a means to an end, not a reason to live, so if I'm missing something, please feel free to snicker and roll your eyes - as long as you then enlighten me as to what I "should" be doing ;-)
Cheers! julian.
[Prev in Thread] | Current Thread | [Next in Thread] |