>From: [EMAIL PROTECTED]
>X-eGroups-Return: [EMAIL PROTECTED]
>Date: Thu, 15 Jun 2000 13:15:06 -0000
>To: [EMAIL PROTECTED]
>Subject: CVS through a firewall with SSH
>User-Agent: eGroups-EW/0.82
>X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/18027
>
>I discovered a way to get through a firewall with CVS. I doubt this is
>anything new, but I thought it might be interesting to some people out
>there. The basic idea is to use ssh tunnels from a gateway machine.
>
>Requirements:
>0. A gateway machine that you can telnet/ssh to that has access to
>machines both inside and outside the firewall. This machine needs to
>have ssh installed.
>
>1. The cvs repository needs to be set up as a password server. You
>may worry about security, but as a side effect of this method, your
>password is encrypted when you send it to the server.
>
>2. The repository machine and the working machine must both be running
>ssh daemons.
>
>How to do it:
>1. Open 2 telnet sessions to the gateway machine (call it gw).
>
>2. In one do:
>ssh -l <REPUSER> -L <PORT>:localhost:2401 <REPMACHINE>
>where <REPUSER> is your account name on <REPMACHINE>, which is where
>the CVS repository lives. You will have to enter your password for the
>account on the <REPMACHINE> (which may or may not be the same as your
>CVS password). <PORT> is any user port (like 6000 or 2401).
>
>3. In the other do:
>ssh -l <USER> -R 2401:localhost:<PORT> <MACHINE>
>where <USER> is your account name on <MACHINE>, the machine where you
>want to work. <PORT> is the same port number you gave above.
>
>4. Login to the server (do this on the working machine)
>cvs -d :pserver:<CVSUSER>@localhost:<REPPATH> login
>You will be prompted for your CVS password.
>
>5. Checkout sources
>cvs -d :pserver:<CVSUSER>@localhost:<REPPATH> checkout <MODULE>
>where <CVSUSER> is your cvs user name, <REPPATH> is the path to the
>repository, and <MODULE> is the module you want to check out.
>
>6. After checkout, you can use regular cvs commands (without the -d)
>while you are in your working directories.
>
>
>The bad part of this is that you have to take over a port on the
>gateway machine, so this won't scale to lots of users. It's useful as
>a way to get around the firewall without having to deal with sysadmins
>:-)
>
>Also, if anyone sees any security concerns with this, let me know.
>
I did something similar about a year ago. The main security concern
is that there is an open CVS port on localhost which anyone can
connect to. If you are running an open source project this is not so
much of a concern but we are developing proprietary software and this
was not a reasonable solution for us.
--
Stephen Rasku E-mail: [EMAIL PROTECTED]
Senior Software Engineer Phone: (604) 872-6676
TGI Technologies Web: http://www.tgivan.com/
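The tunnel set-up from the quoted post, together with the reply's concern about the open CVS port, as an added shell example that is not part of the original thread. It keeps the post's placeholder names (REPUSER, REPMACHINE, USER, MACHINE, PORT) and assumes a Linux gateway with iproute2's `ss` for the listener audit.

```shell
#!/bin/sh
# Added example, not from the original mail or its author: the two tunnel
# commands from the post, hardened with -N (no remote shell) and an explicit
# 127.0.0.1 bind for the local forward, plus a listener audit that flags a
# tunnel endpoint which ended up on a wildcard address instead of loopback.
# REPUSER, REPMACHINE, USER, MACHINE and PORT are the post's placeholders.

# Step 2 (run on the gateway): local PORT -> pserver port 2401 on REPMACHINE.
# Binding to 127.0.0.1 keeps the forward off the gateway's other interfaces.
gw_to_repo_cmd() { # $1=REPUSER $2=PORT $3=REPMACHINE
    printf 'ssh -N -l %s -L 127.0.0.1:%s:localhost:2401 %s' "$1" "$2" "$3"
}

# Step 3 (run on the gateway): port 2401 on MACHINE -> PORT on the gateway.
# sshd binds remote forwards to loopback unless GatewayPorts is enabled,
# which is the misconfiguration the audit below is meant to catch.
gw_to_work_cmd() { # $1=USER $2=PORT $3=MACHINE
    printf 'ssh -N -l %s -R 2401:localhost:%s %s' "$1" "$2" "$3"
}

# Audit: $1 is the text of `ss -ltnH` (columns: state recvq sendq local peer),
# $2 is a space-separated list of tunnel ports. Prints each port bound to a
# wildcard address (0.0.0.0, *, [::]) and returns 1 if any was found.
audit_listeners() {
    bad=0
    for p in $2; do
        if printf '%s\n' "$1" | awk -v port="$p" '
            { n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
              if (a[n] == port && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) found = 1 }
            END { exit !found }'; then
            echo "WARNING: port $p is listening on all interfaces"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample output (not a real capture): PORT 6000 is correctly on
# loopback, but 2401 has leaked onto every interface.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:6000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2401 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

audit_listeners "$SAMPLE_SS" "6000 2401" || echo "tunnel endpoint exposed; check GatewayPorts and bind addresses"
```

On a real host, feed `audit_listeners "$(ss -ltnH)" "2401 $PORT"` on both the gateway and the working machine; a loopback-only listener still admits every local user, which is the point the reply makes.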