On 09/16/10 01:21, Hugo Osvaldo Barrera wrote:
> On Wed, Sep 15, 2010 at 17:02, Joachim Schipper
> <[email protected]> wrote:
>> On Wed, Sep 15, 2010 at 01:38:45PM -0300, Hugo Osvaldo Barrera wrote:
>>> On Wed, Sep 15, 2010 at 13:19, Joachim Schipper
>>> <[email protected]> wrote:
>>>> On Wed, Sep 15, 2010 at 12:34:48PM -0300, Hugo Osvaldo Barrera wrote:
>>>>> I'm planning on having a few servers (including SVN) listening on
>>>>> 127.0.0.1 on machine A, and then tunneling into that machine from
>>>>> machine B to use those services.
>>>>>
>>>>> However, how safe is "lo" for this sort of tunnel? Is there a way for
>>>>> other (non-root) users of machine A to sniff what goes through
>>>>> "lo"?
>>>>>
>>>>> To make my question clearer: I know that the tunnel itself cannot
>>>>> be read from outside, but my concern is the last piece of the link; can
>>>>> the loopback network interface be accessed by other users? Is it
>>>>> safe, in a shared environment, to transmit sensitive data through
>>>>> it?
>>>>
>>>> Transmitting data over lo on a machine with other users does not expose
>>>> you to any (new) attacks.
>>>
>>> I assume that by "new", you mean that I won't be opening any doors that
>>> were previously closed.
>>> Thanks, this is good to know. Looks like I'll be sleeping tonight.
>>>
>>>> Do note, however, that other users can likely access the service you run
>>>> as well.
>>>
>>> Yes, I realize this, but some servers use very lousy plain-text
>>> authentication. There's no issue if it's through an ssh tunnel, but
>>> you can understand my concern for not wanting to expose this to other
>>> users on the server machine.
>>
>> I'm not completely sure that you understood this, so I'll make it more
>> explicit just in case: other users on the same machine can connect to
>> localhost:3690 (or wherever you are running Subversion). They *cannot*
>> sniff your authentication data, but if you don't authenticate
>> connections to Subversion they *can* read/modify your repository.
>
> Yes, I realized this, and I've set up svnserve to use its internal
> authentication mechanism before starting svnserve.
>
>> In the specific case of Subversion, it's easy enough to invoke it
>> directly from SSH, too - no need to run a separate server. It's been a
>> while since I set it up, but you should be able to find the information
>> with Google.
>
> I know, I've used svn+ssh for some time. The issue is I have several
> repositories, and several externals inside each. This has two
> disadvantages:
> 1) I need to set up a new ssh tunnel for each transaction. These
> take a small while, but add up.
> 2) For some reason, after several connections are opened, new ones
> don't open. They're NOT rejected, just no response from the server.
> I can't even ssh into the machine from *this machine*, but I can from
> a different one. I tried the MaxStartups and MaxSessions in
> sshd_config, but that didn't help.
>
> Reason (2) is really lame, and I should have fixed that, but since
> it's not the issue, I decided to give the single-tunnel idea.

Have you by any chance added some magic to pf.conf?

>>         Joachim
>
> Thanks for the advice! :)
>
> --
> Hugo Osvaldo Barrera
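Joachim's point above is that other local users can connect to localhost:3690 even though they cannot sniff it, so the svnserve-side authentication Hugo mentions is what actually protects the repository. The following is an added example, not code from the thread, that audits an svnserve.conf for exactly that: it flags a config that leaves anonymous access open or has no password-db. The config files are constructed for the demo and written to a temporary directory; only the [general] keys anon-access and password-db are checked.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check that a repository
# reachable on 127.0.0.1:3690 does not grant anonymous access to other local
# users. Sample configs below are constructed for the demo.

# Print the last uncommented "key = value" for key $2 in svnserve.conf $1.
# Lines starting with '#' (the defaults shipped commented out) are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when the config is acceptable for a shared host, 1 otherwise.
# svnserve's built-in defaults when a key is absent: anon-access = read,
# auth-access = write, so an untouched config is already a finding.
audit_svnserve_conf() {
    conf=$1
    anon=$(conf_value "$conf" anon-access)
    pwdb=$(conf_value "$conf" password-db)
    status=0
    case ${anon:-read} in
        none) ;;
        *) echo "$conf: anon-access is '${anon:-read}' (other local users can use the repo)"
           status=1 ;;
    esac
    if [ -z "$pwdb" ]; then
        echo "$conf: no password-db, so authenticated access cannot be enforced"
        status=1
    fi
    return $status
}

# Constructed sample configs: one that is open, one that is locked down.
demo_dir=$(mktemp -d)
WEAK_CONF=$demo_dir/weak-svnserve.conf
FIXED_CONF=$demo_dir/fixed-svnserve.conf
cat > "$WEAK_CONF" <<'EOF'
[general]
# anon-access = none
anon-access = write
EOF
cat > "$FIXED_CONF" <<'EOF'
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = Machine A repositories
EOF

audit_svnserve_conf "$WEAK_CONF" || echo "weak config rejected"
audit_svnserve_conf "$FIXED_CONF" && echo "fixed config accepted"
```

Run it against the real `conf/svnserve.conf` of each repository on machine A; the ssh -L tunnel only protects the wire between the two hosts, not who may speak to the listener.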

