
Re: cvs security - ssh vs pserver?



Peter Jay Salzman writes:
 > begin: Joey Hess <joey@kitenet.net> quote
 > > Peter Jay Salzman wrote:
 > > Read http://kitenet.net/programs/sshcvs
 > > 
 > > It uses plain-text passwords, which is pretty insecure, yes.
 >  
 > joey, i have no problem with plain text passwords.
 > 
 > just as long as they can't get _shell access_ with that password.

As long as you have, in the authorized_keys file (it could be
authorized_keys2 for older versions of ssh) for your anonymous cvs
user, right before the key, something like
command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 

you should be okay.  This would amount to no shell access, and no
ability to forward ports or anything like that, and the only allowed
command would be to run cvs.  The only difference between the line
above and the line given in kitenet.net is the no-pty option, which
should probably be in there.

Andrew.
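
An added example, not part of Andrew's message or the kitenet.net page: a small Python check that reads authorized_keys entries and reports any key lacking the forced command or one of the no-* options listed above. The sample entries and key blobs are constructed placeholders, and treating OpenSSH's `restrict` option as covering the four no-* options is an addition the message does not mention.

```python
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options

def split_options(line):
    """Split one entry into (options, rest); quoted values may hold spaces and commas."""
    if line.startswith(KEY_PREFIXES):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line.startswith('\\"', i):  # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":
                break  # unquoted whitespace ends the options field
            i += 1
            continue
        cur += ch
        i += 1
    if cur:
        opts.append(cur)
    return [o for o in opts if o], line[i:].strip()

def audit(text):
    """Return {line_number: [problems]} for entries missing the restrictions."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names = {o.split("=", 1)[0].lower() for o in split_options(line)[0]}
        problems = [] if "command" in names else ["no forced command"]
        if "restrict" not in names:  # assumption: restrict implies all four no-* options
            problems += sorted("missing " + r for r in REQUIRED - names)
        if problems:
            findings[n] = problems
    return findings

# Constructed sample: key blobs are placeholders, not real keys.
SAMPLE = '''\
command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER anoncvs
command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAPLACEHOLDER anoncvs
ssh-rsa AAAAPLACEHOLDER anoncvs
'''
print(audit(SAMPLE))
```

Entry 1 is the line from the message and passes; entry 2 omits no-pty, the difference the message points out; entry 3 is an unrestricted key.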


