> From: "Colin Bester" <[EMAIL PROTECTED]>
> To: "'CVS-II Discussion Mailing List'" <[EMAIL PROTECTED]>
> Subject: RE: Remote cvs and security
> Date: Mon, 10 Sep 2001 19:37:23 -0500
> Organization: AIONET Inc
>
> Greg, I would like to know what alternatives you are referring to.
The alternative, although it might not be what Greg is referring to, is
GSSAPI (aka. gserver in CVS). For the time being, GSSAPI supports only
Kerberos (although SUN's implementation does have Diffie-Hellman...). All
passwords are sent encrypted, with optional encrypted content. Note that
gserver is natively supported by CVS. However, I cannot find any
binaries pre-compiled with GSSAPI. You have to compile it yourself.
If you don't want to go through the trouble of setting up Kerberos, then
go for SSH, like almost everybody does.
>
>
> The way I understand it is that all passwords used between client and
> pserver are sent in clear text and as such irrespective of what you do,
> it would be very easy to listen in on these and gain access to the
> software files.
>
> While cvs might have been designed for free source development and some
> of us even agree with it, we don't always have this freedom of choice
> and need to protect our data.
>
> I am pretty new to these aspects as I have always worked in a closed and
> 'safe' environment and now find myself at the other end of the spectrum.
>
>
> I would really appreciate some comments on what the correct steps would
> be to secure this link.
Quick and dirty -- SSH, up in 10 minutes.
Spend a lot of time and have loads of fun (or pain) -- Kerberos (gserver).
Anything TCP can be tunnelled (or port-forwarded, in SSH terminology)
through SSH. Lucky that CVS uses TCP. It works, but it's somehow
hackish, because SSH is a peer-to-peer authentication/encryption
mechanism such that management is on a per host basis. Kerberos is a
centralized authentication mechanism. Both have their advantages and
disadvantages, pick whatever suits your needs.
One dumb rule of thumb -- if you only have a handful of users, go SSH
because the pain Kerberos causes ain't worth it; if you have a lot of
users, in the order of hundreds, go Kerberos. Anything in between, take
your favorite, most likely your boss won't know the difference as long
as your argument is logical and convincing.
If you are paranoid about security, forget about pserver...
Jonah Tsai
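As an added example (not part of Jonah's reply or the thread), POSIX sh helpers that spot a :pserver: CVSROOT whose password would cross the network in cleartext and print the SSH port-forward the reply describes, plus the rewritten root that points at the tunnel's local end. User bob, host cvs.example.org and path /cvsroot are constructed placeholders; 2401 is pserver's default TCP port.

```shell
# Added example, not from the thread: classify a CVSROOT by access method and
# print the SSH port-forward the reply recommends.  User bob, host
# cvs.example.org and path /cvsroot are constructed placeholders.
# CVSROOT syntax: :method:[user@]host[:port]/path

# Access method; a root with no leading colon is a local repository.
cvsroot_method() {
    case "$1" in
        :*) printf '%s\n' "$1" | cut -d: -f2 ;;
        *)  printf 'local\n' ;;
    esac
}

# Server host of a remote root, any "user@" prefix stripped.
cvsroot_host() {
    printf '%s\n' "$1" | cut -d: -f3 | sed 's/^.*@//'
}

# Succeeds when the root sends the CVS password in cleartext on the wire:
# only pserver does; :ext: rides on $CVS_RSH (ssh) and :gserver: on Kerberos.
# A pserver root aimed at localhost is taken to be the client end of an SSH
# tunnel and is not flagged.
cvsroot_is_cleartext() {
    [ "$(cvsroot_method "$1")" = pserver ] || return 1
    case "$(cvsroot_host "$1")" in
        localhost|127.0.0.1) return 1 ;;
        *) return 0 ;;
    esac
}

# SSH port-forward for a pserver root: local port 2401 (pserver's default) is
# carried over SSH to port 2401 on the server; $2 is the SSH login name.
pserver_tunnel_cmd() {
    printf 'ssh -N -L 2401:localhost:2401 %s@%s\n' "$2" "$(cvsroot_host "$1")"
}

# The same root rewritten to the tunnel's local end (assumes a user@ prefix).
tunneled_cvsroot() {
    printf '%s\n' "$1" | sed 's/@[^:]*:/@localhost:/'
}

for root in ':pserver:bob@cvs.example.org:/cvsroot' ':ext:bob@cvs.example.org:/cvsroot'; do
    if cvsroot_is_cleartext "$root"; then
        echo "cleartext password: $root"
        echo "  tunnel:   $(pserver_tunnel_cmd "$root" bob)"
        echo "  then use: $(tunneled_cvsroot "$root")"
    else
        echo "ok ($(cvsroot_method "$root")): $root"
    fi
done
```

The :ext: route the reply calls "up in 10 minutes" needs none of this: set CVS_RSH=ssh and use a root of the form :ext:bob@cvs.example.org:/cvsroot, and CVS itself runs over ssh.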
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs