On Friday, March 1, 2002, at 08:09 PM, Greg A. Woods wrote:
> [ On Saturday, March 2, 2002 at 00:10:21 (+0300), Leonid Krutyansky
> wrote: ]
>> Subject: secure CVS connection
>>
>>
>> I need to arrange a secure access to a CVS-server through
>> Internet-firewall with a Windows-based graphic client.
>> Am I right that Unix-based server and SSH protocol is the only
>> realistic possibility? Is there any CVS client for Windows that
>> support Kerberos?
CVSNT works with gserver (Kerberos, currently); the newest version of
WinCVS should work too (1.3b6). I run a Solaris CVS gserver behind a
Linksys NAT router at home, and cvsnt clients come from some remote
corners of the world, on platforms like Solaris, Linux, W2K/XP, MacOS X.
One Windows client actually comes from behind another Linksys router.
A KDC is a real pain to set up/administer, so unless you can do a KDC
half-asleep, or you have a large number of users that come and go, you'd
be better off kicking it off with SSH -- a lot easier to get going.
However, KDC setup/administration can be "sloppily" simplified if you
put up a packet filtering router like a Linksys so that only Kerberos
traffic can go through, i.e. rely on the hardware packet filtering to
fend off attacks instead of hardening the KDC machine. Again, this is
SLOPPY! But it works for small setups where the real hard work of
setting up/administering the KDC (hardening and constant monitoring)
does not justify what's gained.
>
> Kerberos is only an authentication and authorisation protocol. While it
> can also be used to share keys that could be used for transport
> encryption, CVS does not use it for that purpose.
Eh? What's the following function doing in src/server.c, if "CVS does
not use it for that purpose"? I assume this function sets up the
encryption with a client, according to the comments in the function.
Unless this setup does not work for GSSAPI wrapping, the
communication between client and server is encrypted.
#ifdef HAVE_GSSAPI
static void
serve_gssapi_encrypt (arg)
    char *arg;
{
    if (cvs_gssapi_wrapping)
    {
        /* We're already using a gssapi_wrap buffer for stream
           authentication.  Flush everything we've output so far, and
           turn on encryption for future data.  On the input side, we
           should only have unwrapped as far as the Gssapi-encrypt
           command, so future unwrapping will become encrypted.  */
        buf_flush (buf_to_net, 1);
        cvs_gssapi_encrypt = 1;
        return;
    }

    /* All future communication with the client will be encrypted.  */
    cvs_gssapi_encrypt = 1;

    buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
                                                    gcontext,
                                                    buf_to_net->memory_error);
    buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,
                                                      gcontext,
                                                      buf_from_net->memory_error);

    cvs_gssapi_wrapping = 1;
}
#endif /* HAVE_GSSAPI */
Jonah Tsai
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
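The state machine that serve_gssapi_encrypt() above implements, modelled in Python as an added example. This is not CVS code and not part of either poster's message: the GSS-API wrap token is replaced by a stand-in (HMAC-SHA256 MIC, HMAC-based keystream when confidentiality is requested) so that it runs offline, and the surrounding protocol is reduced to the server's output buffer. The "Gssapi-authenticate" request (client run with -a, integrity only) and the pairing of "Gssapi-encrypt" with the client's -x option are assumptions drawn from the CVS client/server protocol, not stated on this page; the server response lines are constructed. What it shows is the practical consequence of the two branches: encryption is switched on only when the client asks for it, anything already queued in buf_to_net leaves the box unencrypted (integrity-only if -a was in effect, bare otherwise), and only data written after the toggle is confidential.

```python
import hashlib
import hmac


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # PRF keystream HMAC-SHA256(key, seq || block) so the example runs offline: a stand-in
    # for the mechanism's cipher, not the Kerberos wrap-token algorithm gss_wrap() would use.
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


class GssContext:
    """Pretend security context: a shared session key plus one sequence number per direction."""

    def __init__(self, session_key: bytes):
        self.key, self.seq_out, self.seq_in = session_key, 0, 0

    def wrap(self, data: bytes, conf_req: bool) -> bytes:
        """Token = conf flag || seq || payload || MIC; conf_req plays gss_wrap's conf_req_flag."""
        seq, self.seq_out = self.seq_out, self.seq_out + 1
        header = bytes([int(conf_req)]) + seq.to_bytes(8, "big")
        payload = data
        if conf_req:
            payload = bytes(a ^ b for a, b in zip(data, _keystream(self.key, seq, len(data))))
        return header + payload + hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def unwrap(self, token: bytes) -> bytes:
        header, payload, mic = token[:9], token[9:-32], token[-32:]
        if not hmac.compare_digest(mic, hmac.new(self.key, header + payload, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(header[1:], "big")
        if seq != self.seq_in:
            raise ValueError("replayed or reordered token")
        self.seq_in += 1
        if header[0]:
            payload = bytes(a ^ b for a, b in zip(payload, _keystream(self.key, seq, len(payload))))
        return payload


class ServerOutput:
    """Server-to-client side, with the same flags and branches as serve_gssapi_encrypt()."""

    def __init__(self, ctx: GssContext):
        self.ctx = ctx
        self.wrapping = False  # cvs_gssapi_wrapping: a wrap buffer sits in front of the socket
        self.encrypt = False   # cvs_gssapi_encrypt: wrap with confidentiality, not just integrity
        self.pending = b""     # bytes queued in buf_to_net
        self.wire = []         # (wrapped?, bytes) as seen by someone sniffing the path

    def send(self, line: bytes) -> None:
        self.pending += line

    def flush(self) -> None:  # buf_flush (buf_to_net, 1)
        if self.pending:
            chunk = self.ctx.wrap(self.pending, self.encrypt) if self.wrapping else self.pending
            self.wire.append((self.wrapping, chunk))
            self.pending = b""

    def gssapi_authenticate(self) -> None:
        # "Gssapi-authenticate" (client run with -a; assumed from the CVS protocol, not shown on
        # the page): integrity-only wrapping from here on. Already-queued bytes leave as they are.
        self.flush()
        self.wrapping = True

    def gssapi_encrypt(self) -> None:
        # "Gssapi-encrypt" (client run with -x): the two branches of serve_gssapi_encrypt().
        if self.wrapping:
            self.flush()  # queued output leaves integrity-only; only later data is encrypted
            self.encrypt = True
            return
        self.flush()  # in CVS the old buffer keeps its queued bytes in the clear under the new wrap buffer
        self.encrypt = True
        self.wrapping = True


SERVER_LINES = (  # constructed server responses, not real CVS protocol output
    b"M Kerberos context established\n",
    b"M Valid-requests Root Directory ci\n",
    b"M secret: release key for 2002-03\n",
)


def session(integrity_first: bool, encrypt: bool) -> dict:
    """One constructed exchange: what a sniffer can read per chunk, and what the client decodes."""
    key = b"constructed session key, not a Kerberos one"
    srv, cli = ServerOutput(GssContext(key)), GssContext(key)
    srv.send(SERVER_LINES[0])
    if integrity_first:
        srv.gssapi_authenticate()
    srv.send(SERVER_LINES[1])  # queued before the client asks for encryption
    if encrypt:
        srv.gssapi_encrypt()
    srv.send(SERVER_LINES[2])  # sent after the toggle
    srv.flush()
    readable = [any(m in chunk for m in (b"Kerberos", b"Valid-requests", b"secret")) for _, chunk in srv.wire]
    decoded = b"".join(cli.unwrap(chunk) if wrapped else chunk for wrapped, chunk in srv.wire)
    return {"plaintext_visible": readable, "decoded": decoded}
```

session(True, True) reproduces the first branch of the real function: the line queued between -a and -x is still readable on the wire (wrapped for integrity only), and only the line sent after "Gssapi-encrypt" is hidden. session(False, True) reproduces the second branch, where the queued line goes out with no wrapping at all. The client decodes the same bytes in every case, so nothing in the session tells the user which lines were exposed; if confidentiality matters, the check is that the client was actually started with -x and that the sniffer-visible chunks are what you expect.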