[EMAIL PROTECTED] on 2000.07.20 18:35:57
>I'm trying to decide between SSH and Kerberos. The developers like SSH, but
>our security team votes for Kerberos. I wanted to know if anyone could
>answer a couple of questions I have regarding CVS's interaction with them.
I don't know anything about Kerberos but the docs say something like, "If you
want real security, use Kerberos". Since we don't have a Kerberos
infrastructure here, and I don't have the time to fight for one, I prefer SSH.
>1) What SSH and Kerberos clients are there for Windows and Mac?
If you use Cygwin, you can get an OpenSSH implementation for the PC. Note,
however, that there may be some security holes due to its use of DLLs (e.g.
cygwin1.dll has some static state that other programs /may/ be able to change to
affect the SSH client). You can even get an OpenSSH server on your PC, but
with some differences.
>2) Do WinCVS and MacCVS* work with both?
I don't use either.
>3) I'm told you can use OpenSSH for free on a Unix box, but for Mac/PC you
> really have to go with a license from DataFellows. Then I'm told that there is
> a chance that the 2 won't necessarily talk together (something about SSH vs. SSH2?)
Like I said, you can get OpenSSH for the PC. I've heard OpenSSH can do both SSH
and SSH2 (by forwarding the SSH protocol to a SSH server?), but I haven't tried
this. I've also heard problems with OpenSSH interacting with other SSH products
(something about the format of the key files?).
>4) I have several repositories on my CVS server. I can control which users
> can access which repository by including them (or not) in that repository's
> CVSROOT/passwd file. With SSH and Kerberos, will I lose this control? I get
> the feeling that, once authenticated for the machine, you would have access to
> any of the repositories on that server. [I guess I could put different
> repositories on different machines.]
You can configure SSH such that the only command executable on the server is
"cvs server". I'm not sure if "cvs server" can accept a "-d" (i.e. "cvs -d
/my/cvsroot server"). If it can, this should solve your problem.
If this is overkill (e.g. you want them to have logins to the server) or the above
condition isn't met, manage the permissions in the repository. Turn other read
access off. Setgid on directories. Use filesystem ACLs if you must (if you
have them).
>Someone up my food chain has a bee in his bonnet about using SecurID or
>digital certificates of some kind. Has anyone looked into expanding CVS's
>security model to include such interfaces, or is it recommended to write your
>own and use CVS_RSH?
I know nothing about this.
>I've also heard about something called "SourceForge". CVS repositories on
>the Internet? Yow. Are there corporations out there that do that with their
>Crown Jewels, or is it mainly used by Open Source projects? I think I would
>swoon passing over the keys to our CVS server... ;)
Theoretically, SourceForge can be installed within your own network. I tried
this a few months ago. I didn't succeed. Hopefully, they've gotten their act
together and it's easier to install (and more documented).
Noel
This communication is for informational purposes only. It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.
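The two controls Noel suggests for question 4 (an SSH key that can run nothing but "cvs server", and a repository tree locked to one group with setgid directories) are easy to get slightly wrong, so here is an added example of both. It is not code from the thread or from the CVS project; it assumes the server's cvs binary lives at /usr/bin/cvs and that the repository group already exists. One caveat the thread leaves open: with the :ext: method the CVS client names the repository in the protocol's "Root" request, so a forced "cvs server" by itself does not choose which repository gets opened; it only stops the key being used for a shell, port forwarding or other commands. The filesystem permissions are what actually keep a user out of a repository they are not in the group for, which is why the script checks them.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict an SSH key to
# "cvs server" and lock a CVS repository tree to its group.
set -eu

# Build an authorized_keys line that forces "cvs server" for this key and
# switches off the SSH features a CVS client never needs. The path to cvs
# is an assumption; adjust it for the server.
cvs_only_key_line() {
  pubkey=$1   # e.g. "ssh-rsa AAAA... alice@laptop"
  printf 'command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Make a repository tree group-only: directories 2770 (setgid, so files
# and subdirectories created by any member inherit the group), files 0660,
# and nothing at all for "other". Run this after chgrp -R <cvsgroup> $repo.
lock_repo() {
  repo=$1
  find "$repo" -type d -exec chmod 2770 {} +
  find "$repo" -type f -exec chmod 0660 {} +
}

# Audit a repository tree. Lists every directory missing the setgid bit and
# every entry that "other" can read, write or execute (octal 004/002/001).
# Returns 0 when the tree is clean, 1 otherwise.
check_repo() {
  repo=$1
  findings=$( {
    find "$repo" -type d ! -perm -2000
    find "$repo" \( -perm -004 -o -perm -002 -o -perm -001 \)
  } )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Usage:
#   cvs_only_key_line "ssh-rsa AAAA... alice@laptop" >> ~cvs/.ssh/authorized_keys
#   chgrp -R cvsusers /var/cvs/proj && lock_repo /var/cvs/proj
#   check_repo /var/cvs/proj
```

Run check_repo periodically: a single "cvs import" by someone with a permissive umask is enough to reintroduce world-readable files, and the setgid bit on directories is what keeps newly created RCS files in the right group without relying on every committer's default group.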