Gregory Propf wrote:
>
> I'm new to the list. My name is Gregory Propf and I'm a programmer in
> Florida, USA. I'm trying to coordinate programming efforts across
> multiple developers who write code offsite. I would like to use cvs but
> am concerned about security. I've played around with Kerberos but can't
> get it working. Mainly, what I would like is just to have cvs talk over
> a secure socket so that usernames and passwords are encrypted. Is there
> a way to do this? I have used ssh to do port forwarding for cvs but the
> result is a kludge.
>
> --
> With every passing hour our solar system comes forty-three thousand
> miles closer to globular cluster M13 in the constellation Hercules, and
> still there are some misfits who continue to insist that there is no
> such thing as progress.
> -- Ransom K. Ferm

I am just trying to set up a similar cvs server, which still has some
more experiments. My plan is this:

o run cvs under a chrooted environment,
o give user ssh and kserver access, chrooted, no password, no
  interactive shell.

To date, it looks to work in the following manner.

For ssh, users are authenticated with only RSA (i.e., no password),
sshd is run from inetd with option -iq. I am not planning to allow
any port forwarding. The users are allowed to, other than the cvs tree,
modify their own authorized_keys files directly (in other words, it's
hard to stop this, due to the nature of ssh).

For kerberos, there is a problem with krb_kntoln: it does not understand
the cross-realm issue, so it doesn't successfully map the remote principal
name to the local one. I wrote a small mapping program to work around this
problem. If your plan is to use gserver, the problem you encountered can be
very much the same sort.

Aside from this, the user need not be registered in the database (of course
the KDC does need registration), nor authenticated with a password (just the
authentication on the remote realm is enough).

Users cannot use interactive commands, simply because /dev/pty* are missing
under the chrooted environment.

HTH,
horio shoichi
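
Added example, not part of the original message or of CVS/ssh itself: because users in the setup described above can edit their own authorized_keys files, this script audits such a file for entries that lack a forced cvs command, port-forwarding denial, or PTY denial. It assumes OpenSSH-style authorized_keys options (command=, no-port-forwarding, no-pty, restrict), which the message does not name; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH-style
# authorized_keys options; the thread does not say which ssh is in use.

# Print the restrictions one authorized_keys line lacks for a cvs-only key.
missing_restrictions() {
    case $1 in ''|'#'*) return 0 ;; esac            # blank line or comment
    # Options are whatever precedes the key-type field (ssh-rsa, ...).
    opts=$(printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]].*$//')
    miss=''
    case $opts in
        *'command="cvs server"'*) ;;
        *) miss="$miss forced-command" ;;
    esac
    case ",$opts," in
        *,restrict,*)   # restrict denies all; a later option can re-enable
            case ",$opts," in *,port-forwarding,*) miss="$miss no-port-forwarding" ;; esac
            case ",$opts," in *,pty,*) miss="$miss no-pty" ;; esac ;;
        *)
            case ",$opts," in *,no-port-forwarding,*) ;; *) miss="$miss no-port-forwarding" ;; esac
            case ",$opts," in *,no-pty,*) ;; *) miss="$miss no-pty" ;; esac ;;
    esac
    printf '%s' "${miss# }"
    return 0
}

# Read an authorized_keys file on stdin; print "line N: <missing>" for each
# entry that would allow more than "cvs server".
audit_authorized_keys() {
    n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        m=$(missing_restrictions "$entry")
        if [ -n "$m" ]; then echo "line $n: $m"; fi
    done
    return 0
}

# Constructed sample file (key material is a placeholder, not a real key).
sample_keys() {
    cat <<'EOF'
# alice: fully restricted
command="cvs server",no-port-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER alice@example
restrict,command="cvs server" ssh-rsa AAAAB3PLACEHOLDER bob@example
ssh-rsa AAAAB3PLACEHOLDER carol@example
restrict,pty,command="cvs server" ssh-rsa AAAAB3PLACEHOLDER dave@example
EOF
}

sample_keys | audit_authorized_keys
```

Since a per-user file can be rewritten by its owner, an audit like this only detects drift; restrictions set in the server's own configuration are not subject to user edits.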
