On Wed, Sep 15, 2010 at 17:02, Joachim Schipper <[email protected]> wrote:
> On Wed, Sep 15, 2010 at 01:38:45PM -0300, Hugo Osvaldo Barrera wrote:
>> On Wed, Sep 15, 2010 at 13:19, Joachim Schipper
>> <[email protected]> wrote:
>> > On Wed, Sep 15, 2010 at 12:34:48PM -0300, Hugo Osvaldo Barrera wrote:
>> >> I'm planning on having a few servers (including SVN) listening on
>> >> 127.0.0.1 on machine A, and then tunneling into that machine from
>> >> machine B to use those services.
>> >>
>> >> However, how safe is "lo" in this sort of tunnel? Is there a way for
>> >> other (non-root) users of machine A to sniff what goes about through
>> >> "lo"?
>> >>
>> >> To make my question clearer: I know that the tunnel itself cannot
>> >> be read from outside, but my concern is the last piece of link; can
>> >> the loopback network interface be accessed by other users? Is it
>> >> safe, in a shared environment, to transmit sensitive data through
>> >> it?
>> >
>> > Transmitting data over lo on a machine with other users does not expose
>> > you to any (new) attacks.
>>
>> I assume that by "new", you mean that I won't be opening any door that
>> was previously closed.
>> Thanks, this is good to know. Looks like I'll be sleeping tonight.
>>
>> > Do note, however, that other users can likely access the service you run
>> > as well.
>>
>> Yes, I realize this, but some servers use very lousy plain-text
>> authentication. There's no issue if it's through an ssh tunnel, but
>> you can understand my concern for not wanting to expose this to other
>> users on the server machine.
>
> I'm not completely sure that you understood this, so I'll make it more
> explicit just in case: other users on the same machine can connect to
> localhost:3690 (or wherever you are running Subversion). They *cannot*
> sniff your authentication data, but if you don't authenticate
> connections to Subversion they *can* read/modify your repository.

Yes, I realized this, and I've set up svnserve to use its internal
authentication mechanism before starting svnserve.

> In the specific case of Subversion, it's easy enough to invoke it
> directly from SSH, too - no need to run a separate server. It's been a
> while since I set it up, but you should be able to find the information
> with Google.

I know, I've used svn+ssh for some time. The issue is I have several
repositories, and several externals inside each. This has two
disadvantages:

1) I need to set up a new ssh tunnel for each transaction. These take a
small while, but add up.

2) For some reason, after several connections are opened, new ones don't
open. They're NOT rejected, just no response from the server. I can't
even ssh into the machine from *this machine*, but I can from a
different one. I tried the MaxStartups and MaxSessions in sshd_config,
but that didn't help.

Reason (2) is really lame, and I should have fixed that, but since it's
not the issue, I decided to give the single-tunnel idea a try.

>         Joachim

Thanks for the advice! :)

-- 
Hugo Osvaldo Barrera
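The svnserve setting Joachim's caveat is about, as an added illustration that is not part of either poster's mail: the repository's svnserve.conf with the upstream default (anonymous read) next to the hardened form that makes every connection on 127.0.0.1:3690 authenticate first. The realm string and file name are placeholders.

```ini
### conf/svnserve.conf inside the repository on machine A
### Constructed example; realm and password-db name are placeholders.

[general]
### Upstream default when the key is left commented out: anyone who can
### reach the svnserve socket (every local user on A once it listens on
### 127.0.0.1:3690) may read the whole repository without a password.
# anon-access = read
# auth-access = write

### Hardened form: no anonymous access at all. Every connection, whether
### it arrives through the ssh tunnel from B or from another local user
### on A, must pass svnserve's built-in password check before it can
### read or write anything.
anon-access = none
auth-access = write

### The user/password file svnserve checks against. It stores passwords
### in plain text, so keep it owned by the svnserve user and mode 0600.
password-db = passwd

### Name shown in the client's password prompt and used to key the
### credentials the client caches.
realm = Example repository on machine A
```

Restart svnserve after editing; the `passwd` file it points at holds a `[users]` section with one `name = password` line per account. The client on B then connects through the forwarded port (`ssh -N -L 3690:127.0.0.1:3690 user@A`) to `svn://127.0.0.1/...` and is challenged for the realm's password before any data is served.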

