[ On Tuesday, February 3, 2004 at 12:32:42 (-0800), Rick Genter wrote: ]
Subject: RE: CVS security question
It's probably more secure to set their shell to something that does
exist but won't function as a shell, like /dev/null or
/bin/false.
Well it depends on how obscure you make the fake
[ On Tuesday, February 3, 2004 at 13:05:57 (-0800), Pankaj Garg wrote: ]
Subject: Re: CVS security question
I wonder why do we not CVS has a server which run with SUID (Super User ID)
and only it can access repository.
Because CVS is not a security tool, nor is it security aware.
What you
I am a new user of CVS. I set up CVS server on my Linux box. I want two users
to have check-in access to my repository and I want to use SSH. To use SSH I
need to make shell accounts for those two users. Now because these two users
have shell account and have write access to my repository, they can
Pankaj Garg wrote:
I am a new user of CVS. I set up CVS server on my Linux box. I want two users
to have check-in access to my repository and I want to use SSH. To use SSH I
need to make shell accounts for those two users. Now because these two users
have shell account and have write
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf
Of Pankaj Garg
Sent: Tuesday, February 03, 2004 10:59 AM
To: [EMAIL PROTECTED]
Subject: CVS security question
To use SSH I need to make shell accounts for those two users. Now because
these two users
Pankaj Garg writes:
I am a new user of CVS. I set up CVS server on my Linux box. I want two users
to have check-in access to my repository and I want to use SSH. To use SSH I
need to make shell accounts for those two users. Now because these two users
have shell account and have write access
Pankaj Garg [EMAIL PROTECTED] writes:
I am a new user of CVS. I set up CVS server on my Linux box. I want two users
to have check-in access to my repository and I want to use SSH. To use SSH I
need to make shell accounts for those two users. Now
, February 03, 2004 10:59 AM
To: [EMAIL PROTECTED]
Subject: CVS security question
To use SSH I need to make shell accounts for those two users. Now because
these two users have shell account and have write access to my repository,
they can essentially login in my CVS server box and do an rm -fR
.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Mark Jaffe
Sent: Tuesday, February 03, 2004 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: CVS security question
You can prevent a user from logging in by setting the shell variable in the
/etc/password file
.
What's stopping people from implementing this?
Thanks
Pankaj
From: Mark D. Baushke [EMAIL PROTECTED]
To: Pankaj Garg [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: CVS security question
Date: Tue, 03 Feb 2004 09:10:49 -0800
Pankaj Garg [EMAIL
Classification: UNCLASSIFIED
-Original Message-
From: Pankaj Garg [mailto:[EMAIL PROTECTED]
SSH. To use SSH I
need to make shell accounts for those two users.
Yes and no. If their repository permissions are the same then make a fake
shell user to represent the persons and then put
Pankaj Garg [EMAIL PROTECTED] writes:
I wonder why do we not CVS has a server which run with SUID (Super
User ID) and only it can access repository. Other users can login via
SSH, verify their credentials with our CVS Server and ask CVS Server
to
Password-protected keys help protect them against
theft. I would encourage everyone to use such keys.
Or did I misunderstand your post?
Are you talking about ssh-agent, or passphrase-based ssh keys, or an
external layer of encryption on the keyfiles, or what? Please be specific.
ssh-agent,
Zieg, Mark wrote:
My biggest problem with any of these approaches, besides the inconvenience,
is they eliminate the opportunity for secure, automated batch processes. I
have various cron jobs that fire off automatically, connect to different
servers, do reports/extracts/whatever, and so on. For
--- Zieg, Mark [EMAIL PROTECTED] wrote:
Password-protected keys help protect them against
theft. I would encourage everyone to use such keys.
Or did I misunderstand your post?
Are you talking about ssh-agent, or passphrase-based ssh keys, or an
external layer of encryption on the
One other problem with pserver is that passwords are
stored in the clear on the users' home directories.
At least with SSH, the keys can be encrypted using a
password that the user enters either upon login or on
a per-use basis.
Noel
--- Steven Tryon [EMAIL PROTECTED] wrote:
We run pserver on a
One other problem with pserver is that passwords are
stored in the clear on the users' home directories.
At least with SSH, the keys can be encrypted using a
password that the user enters either upon login or on
a per-use basis.
Actually, if you set up your ssh keys correctly (ssh-keygen -t
Steven Tryon wrote:
On Thu, 2002-12-12 at 10:51, Phil R Lawrence wrote:
I saw in the docs how to set up pserver and how it can
manage read-write permissions. But I won't run a server
without encryption.
We run pserver on a machine behind a firewall and access with redirected
ports with ssh.
--- Zieg, Mark [EMAIL PROTECTED] wrote:
One other problem with pserver is that passwords are
stored in the clear on the users' home directories.
At least with SSH, the keys can be encrypted using a
password that the user enters either upon login or on
a per-use basis.
Actually,
OK, I've settled on either importing our entire ERP source with -kb or
writing a script to traverse the sourcetree and check in the files
intelligently as either binary or text. (anyone already have a script
that does this?)
Now, about security. We would be a multi-client shop, so I need SSH
--- Phil R Lawrence [EMAIL PROTECTED] wrote:
OK, I've settled on either importing our entire ERP source with -kb or
writing a script to traverse the sourcetree and check in the files
intelligently as either binary or text. (anyone already have a script
that does this?)
Now, about
Phil R Lawrence writes:
I saw in the docs how to set up pserver and how it can manage read-write
permissions. But I won't run a server without encryption.
How can I have SSH *and* locked down projects *and* locked down CVSROOT dir?
Forget pserver, use SSH with individual system accounts.
At 10:51 AM 12/12/2002, Phil R Lawrence wrote:
Now, about security. We would be a multi-client shop, so I need SSH to
encrypt sign-on info. Also, to make auditors very happy, we need to grant
and deny write security to various projects in the repository.
We are a multi-client shop, too. We
Phil R Lawrence wrote:
How can I have SSH *and* locked down projects *and* locked down CVSROOT
dir?
Security is very important.
I had actually planned to make CVS available via the web to some people,
so I tried to find a secure way of doing so. Instead of using pserver, I
followed the
PS - are there any Windows and Linux clients that particularly shine
with SSH?
TortoiseCVS on Windows (http://www.tortoisecvs.org/) works very well
with ssh. They distribute a customized version of plink from the PuTTY
suite.
HTH
Geoff
___
We run pserver on a machine behind a firewall and access with redirected
ports with ssh.
Someone posted on this list a cookbook ssh command to do so...
ssh [EMAIL PROTECTED] -L 2401:host.whatever.com:2401
Then set your CVSROOT to point to localhost.
Works.
Steve
On Thu, 2002-12-12 at
26 matches