[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cvs] Re: Question on user repository restrictions

From: Jeremie Le Hen
Subject: Re: [cvs] Re: Question on user repository restrictions
Date: Fri, 30 Jun 2006 10:45:08 +0200
User-agent: Mutt/1.5.11


On Tue, Jun 27, 2006 at 03:27:12AM -0700, Mark D. Baushke wrote:
> > Which one is more secure? 
> The least secure is :pserver: as it keeps a copy of the user's password
> in a $HOME/.cvspass minimally encoded. On a shared system, or one that
> is able to sniff communications traffic, it will become quickly easy for
> a cheat to impersonate another user.
> The next least secure is :ext: with CVS_RSH=rsh (i.e., the berkeley
> rlogin/rsh system). It is farily easy to fool an rsh from a system
> where the user owns the 'root' login if it can be considered 'trusted'
> by the rlogin system, then anyone may impersonate anyone else.
> The next most secure is probably :ext: with the CVS_RSH=ssh (or, windows
> clients may use Putty instead of ssh as the transport) which is another
> way to specify the :extssh: protocol. This method very secure unless the
> users share systems and one or more of them is able to run as root on the
> shared system in which case all bets are off.
> The most secure is probably :gserver: which uses a
> ticket-granting-ticket from the KDC to authenticate the user.

I second this.  IMHO, :gserver: is a bit overkill to set for a programming
course.  :ext: with ssh is really simple of use.

If you don't want to provide full shell access onto the CVS server to you
students, you can use rssh [1].   It is then pretty easy to retrain the
usable commands to only cvs.  If you create one repository per student -
which is the most straightforward method - you could as well chroot each
user to its home directory where the repository stands.  Finally you just
have to drop a static cvs binary there (static, in order to avoid bothering
with shared libraries) and... voila !

I also think it would be worth setting up user quotas so that your
students cannot fill the disk up and prevent other one from working.

Best regards,

Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

reply via email to

[Prev in Thread] Current Thread [Next in Thread]