[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cvs security - ssh vs pserver?

martin f krafft wrote:
> * Craig Dickson <crdic@yahoo.com> [2001.11.27 10:28:10-0800]:
> > But getting access to your CVS is okay? Might as well not bother securing
> > it at all, then.
> 
> uhm, hello? yes, it is necessary. with ssh, only those with the
> identity file can get access to the cvs. without cvs, anyone willing
> to password sniff can get access...

That was my point. If he's going to allow passwords to cross the net in
clear, then having passwords isn't really securing anything. Accessing
cvs in an ssh tunnel is the way to go.

What Peter had said, that I was replying to, was that he didn't mind
passwords going in clear as long as it was only cvs passwords, not shell
login passwords. So my reaction was, if you're so unconcerned about cvs
access, why bother putting passwords on it at all? The real point being
not that it's okay to let the whole world have full access to your cvs,
but that passwords should always be encrypted on the wire.

Craig
Reply to: