One of the more common ways is with SSH, but I don't know how to do this
with an NT server.

On a Unix server (Solaris/Linux/etc. -- clients can be whatever) you would do
the following:

1. set up CVS server with pserver active, set your hosts.allow to only accept
incoming SSH connections (port 22) (you MUST block remote port 2401 access)
2. set up SSHD on the server with port forwarding allowed
3. set up local machine with
CVSROOT=:pserver:<server_username>@localhost:<path_on_server>
4. enable SSH tunneling in your SSH client and port forwarding for this
mapping:

        localhost:2401 -> server:2401

5. SSH login into the CVS server
6. while SSH'd into local server, run the CVS commands locally.  Your SSH
client program will intercept requests to port 2401, and forward them
through the encrypted tunnel to the CVS server.  Data coming back will also
be on this TCP socket, and therefore encrypted.

Advantages of this method:

1. Works just as well for truly remote machines as for local machines
2. With a different hosts.allow, you can enable standard :pserver: for, say,
machines on your subnet without hurting sitewide security too much (given
the clients are all secure)
3. The encryption has been proven in practice to be quite secure... SSH/SSL,
with the exception of the buffer overflow found a month ago and the known
password sending problems in SSH versions <1.5, is trusted by BSD and many
other groups known for their attention to security.
4. Requires SSH login validation before any CVS commands can be performed,
and SSH2 I believe is designed to defeat man-in-the-middle type attacks.

Disadvantages of this method:

1. You must log in with SSH before you can use CVS, therefore you must have
at least semi-functional accounts on said server, which is potentially a
security risk if a local exploit is discovered in the OS.
2. Requires an SSH client.  There are free ones available (PuTTY does SSH2,
TeraTermPro/SSH only does SSH1), but many are commercial implementations.
(They often come with X servers like Hummingbird eXceed)

--eric


> -----Original Message-----
> From: Mike Shoemaker [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 11:26 AM
> To: [EMAIL PROTECTED]
> Subject: [Cvsnt] PServer Security
>
>
> Any way to make pserver more secure over the internet?
>
>
>
>
> _______________________________________________
> Cvsnt mailing list
> [EMAIL PROTECTED]
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
>
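
Added example, not part of the original message: a shell sketch of the client side of the steps above (CVSROOT and the localhost:2401 -> server:2401 forward) plus a check that hosts.allow does not open pserver to remote clients. It assumes OpenSSH client syntax and that pserver runs from inetd under TCP wrappers with the daemon name "cvs"; the user, host and repository path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: OpenSSH client
# syntax; pserver runs from inetd under TCP wrappers with daemon name "cvs";
# user, host and repository path below are placeholders.
PSERVER_PORT=2401

# CVSROOT pointing the CVS client at the local end of the tunnel (step 3).
cvsroot_via_tunnel() {   # $1 = server username, $2 = repository path on server
    printf ':pserver:%s@localhost:%s\n' "$1" "$2"
}

# ssh command for the mapping localhost:2401 -> server:2401 (steps 4 and 5).
# "localhost" in -L is resolved on the server, so pserver sees a loopback client.
tunnel_command() {       # $1 = server username, $2 = server host
    printf 'ssh -L %s:localhost:%s %s@%s\n' "$PSERVER_PORT" "$PSERVER_PORT" "$1" "$2"
}

# Step 1 check: succeed only if every hosts.allow rule covering "cvs" (or ALL)
# lists loopback clients only. Handles plain "daemons : clients" lines, not
# continuation lines, IPv6 literals or daemon@host patterns.
audit_hosts_allow() {    # $1 = path to a hosts.allow file
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            daemons = " " $1 " "
            gsub(/[ \t,]+/, " ", daemons)
            if (daemons !~ / (cvs|ALL) /) next   # rule does not cover pserver
            n = split($2, clients, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                c = clients[i]
                if (c == "" || c == "127.0.0.1" || c == "localhost") continue
                printf "exposed: %s\n", $0
                bad = 1
                break
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on a constructed hosts.allow: sshd open, pserver limited to loopback.
sample=$(mktemp)
printf 'sshd : ALL\ncvs : 127.0.0.1\n' > "$sample"
if audit_hosts_allow "$sample"; then echo "pserver reachable only via loopback"; fi
rm -f "$sample"
echo "export CVSROOT=$(cvsroot_via_tunnel alice /cvsroot)"
tunnel_command alice cvs.example.org
```

A clean audit only shows that hosts.allow grants nothing beyond loopback; under TCP wrappers a client that matches neither file is allowed, so hosts.deny still needs a rule denying cvs to everyone else.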