Greetings!
I've been tasked with improving the security of the access to our CVS
repository. [Cracker attacks will do this to managers... ;) ] We
currently use pserver, and have developed scripts which allow users to
request access to repositories via email to the owners, and then
automatically update each repository's CVSROOT/passwd file if approved. Not
great, but it works ok. Sure wish there was a "cvs passwd" command... ;)
I'm trying to decide between SSH and Kerberos. The developers like SSH, but
our security team votes for Kerberos. I wanted to know if anyone could
answer a couple of questions I have regarding CVS's interaction with them.
1) What SSH and Kerberos clients are there for Windows and Mac?
2) Do WinCVS and MacCVS* work with both?
3) I'm told you can use OpenSSH for free on a Unix box, but for Mac/PC you
   really have to go with a license from DataFellows. Then I'm told that
   there is a chance that the 2 won't necessarily talk together (something
   about SSH vs. SSH2?)
4) I have several repositories on my CVS server. I can control which users
   can access which repository by including them (or not) in that
   repository's CVSROOT/passwd file. With SSH and Kerberos, will I lose
   this control? I get the feeling that, once authenticated for the
   machine, you would have access to any of the repositories on that
   server. [I guess I could put different repositories on different
   machines.]
Someone up my food chain has a bee in his bonnet about using SecurID or
digital certificates of some kind. Has anyone looked into expanding CVS's
security model to include such interfaces, or is it recommended to write your
own and use CVS_RSH?
I've also heard about something called "SourceForge". CVS repositories on
the Internet? Yow. Are there corporations out there that do that with their
Crown Jewels, or is it mainly used by Open Source projects? I think I would
swoon passing over the keys to our CVS server... ;)
Thanks in advance!
:)hal mahaffey