info-cvs

Re: secure CVS connection


From: Jonah Tsai
Subject: Re: secure CVS connection
Date: Sat, 2 Mar 2002 16:07:55 -0500

On Friday, March 1, 2002, at 08:09  PM, Greg A. Woods wrote:

> [ On Saturday, March 2, 2002 at 00:10:21 (+0300), Leonid Krutyansky wrote: ]
> Subject: secure CVS connection


> > I need to arrange secure access to a CVS server through an
> > Internet firewall with a Windows-based graphical client.
> > Am I right that a Unix-based server and the SSH protocol are the only
> > realistic possibility? Is there any CVS client for Windows that supports Kerberos?

CVSNT works with gserver (Kerberos, currently), and the newest version of WinCVS should work too (1.3b6). I run a Solaris CVS gserver behind a Linksys NAT router at home, and CVSNT clients come from some remote corners of the world, on platforms like Solaris, Linux, W2K/XP, and Mac OS X. One Windows client actually comes from behind another Linksys router.

A KDC is a real pain to set up/administer, so unless you can do a KDC half-asleep, or you have a large number of users that come and go, you'd be better off kicking it off with SSH -- a lot easier to get going.

However, KDC setup/administration can be "sloppily" simplified if you put up a packet-filtering router like a Linksys so that only Kerberos traffic can go through, i.e. rely on the hardware packet filtering to fend off attacks instead of hardening the KDC machine. Again, this is SLOPPY! But it works for small setups where the real hard work of setting up/administering a KDC (hardening and constant monitoring) does not justify what's gained.


> Kerberos is only an authentication and authorisation protocol.  While it
> can also be used to share keys that could be used for transport
> encryption, CVS does not use it for that purpose.

Eh? What's the following function doing in src/server.c, if "CVS does not use it for that purpose"? I assume this function sets up the encryption with a client, according to the comments in the function. Unless this setup does not work for GSSAPI wrapping, the communication between client and server is encrypted.


#ifdef HAVE_GSSAPI

static void
serve_gssapi_encrypt (arg)
     char *arg;
{
    if (cvs_gssapi_wrapping)
    {
        /* We're already using a gssapi_wrap buffer for stream
           authentication.  Flush everything we've output so far, and
           turn on encryption for future data.  On the input side, we
           should only have unwrapped as far as the Gssapi-encrypt
           command, so future unwrapping will become encrypted.  */
        buf_flush (buf_to_net, 1);
        cvs_gssapi_encrypt = 1;
        return;
    }

    /* All future communication with the client will be encrypted.  */
    cvs_gssapi_encrypt = 1;

    buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
                                                    gcontext,
                                                    buf_to_net->memory_error);
    buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,
                                                      gcontext,
                                                      buf_from_net->memory_error);

    cvs_gssapi_wrapping = 1;
}

#endif /* HAVE_GSSAPI */




Jonah Tsai