Hello, On Tue, Jun 27, 2006 at 03:27:12AM -0700, Mark D. Baushke wrote: > > Which one is more secure? > > The least secure is :pserver: as it keeps a copy of the user's password > in a $HOME/.cvspass minimally encoded. On a shared system, or one that > is able to sniff communications traffic, it will become quickly easy for > a cheat to impersonate another user. > > The next least secure is :ext: with CVS_RSH=rsh (i.e., the berkeley > rlogin/rsh system). It is farily easy to fool an rsh from a system > where the user owns the 'root' login if it can be considered 'trusted' > by the rlogin system, then anyone may impersonate anyone else. > > The next most secure is probably :ext: with the CVS_RSH=ssh (or, windows > clients may use Putty instead of ssh as the transport) which is another > way to specify the :extssh: protocol. This method very secure unless the > users share systems and one or more of them is able to run as root on the > shared system in which case all bets are off. > > The most secure is probably :gserver: which uses a > ticket-granting-ticket from the KDC to authenticate the user.
I second this. IMHO, :gserver: is a bit overkill to set for a programming course. :ext: with ssh is really simple of use. If you don't want to provide full shell access onto the CVS server to you students, you can use rssh [1]. It is then pretty easy to retrain the usable commands to only cvs. If you create one repository per student - which is the most straightforward method - you could as well chroot each user to its home directory where the repository stands. Finally you just have to drop a static cvs binary there (static, in order to avoid bothering with shared libraries) and... voila ! I also think it would be worth setting up user quotas so that your students cannot fill the disk up and prevent other one from working. Best regards, [1] http://www.pizzashack.org/rssh/index.shtml -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > _______________________________________________ info-cvs mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/info-cvs
