[ On Friday, June 11, 1999 at 22:04:01 (-0700), [EMAIL PROTECTED] wrote: ]
> Subject: Re: CVS and SSH? 
>
> On Fri, 11 Jun 1999 14:24:44 -0700 
> Bradford Hull <[EMAIL PROTECTED]> wrote:
> 
> > All right, I'll bite.  What exactly is it about using ssh to give
> > cvs connection that is insecure?  You can control which users are
> > able to access the repository, because you only allow the ones you
> > want to set up authorization to connect to your system with ssh;
> > and all data is transferred with encryption and good
> > authentication.  This is more secure than any other method of giving
> > people access to a code base that I have ever heard of.
> 
> It is not secure to the extent that CVS'es pserver is not secure.

I think you're confusing the issues here.  CVS' pserver access method
has nothing to do with using SSH to access a CVS repository.  With SSH
(or RSH for that matter) CVS runs as the authenticated and authorised
user and in that sense is totally secure (it can offer no means of
changing or enhancing the user's privileges).

> It is effectively tantamount to granting those users shell access to
> the server with a reasonable probability that they may be able to
> exploit that shell access into root access (given that pserver runs
> as root and was not designed or built with security in mind).

You really shouldn't be running a CVS repository on any machine where
you don't want the CVS users to have full shell access.  You're sort of
right:  *CVS* was not designed with that *kind* of security in mind.

> > Is there a hole I don't see, or a better method available?
> 
> As I mentioned previously, we're very happy with BitKeeper.  Yes,
> you're still granting shell access to the host containing the source
> repositories, but you have the advantage that there are no server
> daemons running as root or other privileged users.  

Checking authentication and granting authorisation requires some sort of
enhanced privilege.  On unix there is truly only one level of enhanced
privilege:  superuser.  SSH is a well accepted method of providing
secure authorised access to a server.

Although I don't believe the CVS pserver daemon code has been subjected
to quite as rigorous analysis as the SSH code has been, it is somewhat
smaller and simpler (and thus possibly easier to analyse) and avoids the
export issues of crypto code, so may be more suitable for some
applications.  Unfortunately it's implemented as an integrated part of
the entire CVS server, something that certainly complicates the issue.

The one major advantage of pserver is that it allows minimal and simple
authentication of "anonymous" users -- i.e. users who don't have shell
accounts.  One could just as easily use a hacked version of sshd or even
rshd to read a separate password file and to invoke only CVS.  Neither
of these methods are guaranteed to prevent someone from cracking shell
access on the repository machine, due to the nature of CVS.  I would
always recommend running a truly anonymous CVS server on an isolated
single-purpose machine that has a regularly updated copy of the main
repository.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
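The "invoke only CVS" idea from the message, done with a stock sshd rather than a patched one: an added example (not code from this thread or from the CVS project) of an `authorized_keys` forced-command wrapper. It assumes OpenSSH's `command=` option, the `SSH_ORIGINAL_COMMAND` variable sshd sets, and a client using `CVS_RSH=ssh`, which makes the client request the command `cvs server`. As the message notes, this only narrows the entry point: once started, cvs still runs with the authenticated user's full privileges on the repository host.

```sh
#!/bin/sh
# cvs-only: sshd forced-command wrapper that lets a key run "cvs server"
# and nothing else.  Added example, not from the original message.
# Install on the repository host, one line per authorised key
# (hypothetical path and key shown):
#   command="/usr/local/bin/cvs-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... dev@example.org
# With a forced command, sshd runs this script instead of what the client
# asked for and places the client's request in SSH_ORIGINAL_COMMAND.

# Allow only the exact command a CVS client issues.  No globbing or regex:
# options, extra words or shell metacharacters are all rejected.
# Returns 0 when the command is permitted, 1 otherwise.
cvs_only_allowed() {
    case "$1" in
        'cvs server') return 0 ;;
        *)            return 1 ;;
    esac
}

cvs_only_main() {
    user="${USER:-$(id -un)}"
    cmd="${SSH_ORIGINAL_COMMAND:-}"
    if ! cvs_only_allowed "$cmd"; then
        # Leave a trace in the auth log so misuse of a key is visible.
        logger -t cvs-only -p auth.warning \
            "rejected command from $user: ${cmd:-<none>}" 2>/dev/null || :
        echo "cvs-only: only 'cvs server' is permitted" >&2
        exit 1
    fi
    # env -i: start from an empty environment so nothing the client sent
    # reaches cvs; exec: no shell process is left behind.
    # CVSUMASK=007 keeps repository files group-writable, not world-writable.
    exec env -i PATH=/usr/bin:/bin HOME="$HOME" USER="$user" \
        CVSUMASK=007 /usr/bin/cvs server
}

# Dispatch only when installed and invoked under its own name; sourcing the
# file under any other name (e.g. for tests) just defines the functions.
case "$0" in
    */cvs-only|cvs-only) cvs_only_main ;;
esac
```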
