Re: CVS server access

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Smith <address@hidden> writes:

> I recently configured my CVS server (Fedora Core 4) with ssh access
> using public/private keys and with password authentication disabled.
> 
> I am able to access the server in one of two ways:
> 
> (1) ssh access
> 
> CVSROOT=:ext:<username>@SessionFileName:CVSRootLocation
> So, for every CVS command, there is a ssh authetication.
> 
> (2) pserver tunneled through ssh
> 
> CVSROOT=:pserver:<username>@localhost:CVSRootLocation
> For this, I am transfering the pserver port to my local machine using the
> method described here
> http://www.se.rit.edu/se-pserver-over-ssh-howto/pserver-ssh-howto.html
> So, there is only one ssh authentication and pserver is tunneled through 
> ssh.
> My cvspserver service uses system authentication (so, I do not have a
> password file in cvsroot).
> 
> Question: is there an overwhelming reason to use one over the other?

There are many good reasons to avoid :pserver: and very few good reasons
to use it. Search the address@hidden archives

  http://lists.gnu.org/pipermail/info-cvs

for many posts on the subject.

> My thoughts are that (1) is more secure but more resource intensive
> (on the server).

It is more secure. It is not clear that it is that much more resource
intensive on the server.

> With (2) I am running the risk of sending a clear text password
> through the tunnel (is that correct?).

Well, it is trivially encoded, so you can't say that it is literally a
'clear text password'. However, the password is encoded in a completely
reversable manner, so it is close enough to being clear text as to not
really matter.

> Your opinion?

I recommend (1).

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFC2fruCg7APGsDnFERAoC3AJsE3x8soyqeVA8B8dRYet+ySQZhegCgqMh2
Uxk5HJbFTQS6jtG13epYoq4=
=zjgQ
-----END PGP SIGNATURE-----