info-cvs

Re: Security concern CVSROOT


From: Derek R. Price
Subject: Re: Security concern CVSROOT
Date: Sat, 28 Oct 2000 02:16:42 -0400

Martin Vogt wrote:

> 1. Authorisation
> ----------------
>
> The authorisation mechanism. Currently the client sends
> cvsroot,username,password
> in one single command.
>
> If a setuid wrapper, like cvsauth gets such a request,
> the user sends his clear text password if he accidentally
> types :pserver instead of :sslserver

Well, if you're daring enough to grab the dev version you can redirect
the port CVS is accessing, so localhost:33333 or something is unlikely
to send cleartext passwords anywhere unless you have your tunnel up.

Alternately, you could only allow ssh access (using :ext: and setting
CVS_RSH=ssh), then you don't have to trust the user not to try and use
pserver, but you have to allow the user an ssh shell on the server.

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:address@hidden     OpenAvenue ( http://OpenAvenue.com )
--
Information is the currency of democracy.

                        - Thomas Jefferson
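
A way to check working copies against the two setups described in the reply above, as an added example that is not part of the original message or of CVS itself. The function names, result labels and sample roots are constructed for illustration, and treating `localhost` / `127.0.0.1` as "goes through the tunnel" is an assumption.

```shell
#!/bin/sh
# Added example: classify a CVSROOT by how the login would travel.
# Labels (constructed for this example):
#   cleartext-risk  :pserver: to a remote host, password sent as described above
#   tunnel-only     :pserver: to loopback, only works while the tunnel is up
#   ssh             :ext: with CVS_RSH naming ssh
#   ext-not-ssh     :ext: but CVS_RSH is unset or names something else
#   other           local paths and methods this sketch does not judge,
#                   including the :sslserver: method named in the question
# Usage: classify_cvsroot ROOT [RSH]   (RSH defaults to $CVS_RSH, then rsh)
classify_cvsroot() {
    root=$1
    rsh=${2:-${CVS_RSH:-rsh}}
    case $root in
        :pserver:*)
            hostpart=${root#:pserver:}   # user@host[:port]/path
            hostpart=${hostpart%%/*}     # cut the repository path
            hostpart=${hostpart#*@}      # cut the optional user@
            host=${hostpart%%:*}         # cut the optional :port
            case $host in
                localhost|127.0.0.1) echo "tunnel-only" ;;
                *)                   echo "cleartext-risk" ;;
            esac ;;
        :ext:*)
            case ${rsh##*/} in           # accept ssh or /path/to/ssh
                ssh) echo "ssh" ;;
                *)   echo "ext-not-ssh" ;;
            esac ;;
        *)  echo "other" ;;
    esac
}

# Walk a directory tree and report every checked-out CVS/Root file as
# "label<TAB>root<TAB>file", so stray :pserver: working copies stand out.
audit_tree() {
    find "$1" -type f -path '*/CVS/Root' | while IFS= read -r f; do
        IFS= read -r root < "$f" || [ -n "$root" ] || continue
        printf '%s\t%s\t%s\n' "$(classify_cvsroot "$root")" "$root" "$f"
    done
}

# Stand-alone use: sh audit.sh /path/to/checkouts
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```
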





