Re: cvs security - ssh vs pserver?
* Eric G. Miller (egm2@jps.net) spake thusly:
> On Tue, 27 Nov 2001 10:14:21 -0600
> Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu> wrote:
> [snip]
> > Yes, pserver sends everything in the clear and all that.
> > Edit /etc/shadow and set your cvsuser's password to NP
> > (or whatever Debian uses to disable logins). Let your
> > users download the *private* key of cvsuser. Set up cvsuser
> > account so that ssh logins can only run cvs.
>
> Don't you mean the *public* key? In fact, don't you want
> the server to have the public key of the user, and then that
> user has to use their private key and their passphrase to
> authenticate themselves to the CVS server via ssh? I'm on
> the user end of such a setup, and I don't have any key for
> the server but it does have my public key. Use ssh-agent
> to manage authentication/passphrase...
I meant what I said: private key. If you want joe to login
to cvsuser acct. via ssh with key-based auth., cvsuser must
have joe's public key in his authorized_keys[2] file.
One way of doing that is to add *a* public key to cvsuser's
authorized_keys, and to let joe download corresp. *private*
key (& use that to login).
Another way is to get joe's public key and add it to cvsuser's
authorized_keys.
We do the latter because we want to be able to cut people off
(by removing their key from authorized_keys). This way requires
a bit more administration, and is not truly anonymous.
The former method is anonymous (everyone uses the same key),
and is a bit less hassle: you don't have to collect users'
keys & add them to authorized_keys (that can be a PITA if
you have hundreds of users).
Dima
--
The wombat is a mixture of chalk and clay used for respiration. -- MegaHal
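
Added example, not part of the original message: a small audit of cvsuser's authorized_keys for the per-user-key setup described above, checking that each key is limited to running cvs and removing one user's key to cut them off. It assumes the forced command is `cvs server` and that each key's comment field names its owner; the function names and sample entries are hypothetical.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
LOCKDOWN = {"no-pty", "no-port-forwarding",
            "no-x11-forwarding", "no-agent-forwarding"}
FORCED = 'command="cvs server"'  # assumption: CVS over ssh runs "cvs server"

def parse(line):
    """Return (options, keytype, blob, comment), or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, cur, in_q, rest = [], "", False, line
    if not line.startswith(KEY_TYPES):       # line begins with an options field
        for i, ch in enumerate(line):
            if ch == '"' and line[i - 1:i] != "\\":
                in_q = not in_q              # commas/spaces in quotes are literal
            if not in_q and ch in ", \t":
                opts.append(cur); cur = ""
                if ch != ",":                # unquoted whitespace ends the options
                    rest = line[i:].strip()
                    break
            else:
                cur += ch
    keytype, blob, *comment = rest.split(None, 2)  # malformed line -> ValueError
    return opts, keytype, blob, (comment[0] if comment else "")

def audit(text):
    """Map each key's comment to the restrictions its entry is missing."""
    report = {}
    for line in text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        opts, _, _, comment = entry
        missing = [] if FORCED in opts else ["forced command"]
        if "restrict" not in opts:           # OpenSSH 7.2+ shorthand for LOCKDOWN
            missing += sorted(LOCKDOWN - set(opts))
        report[comment] = missing
    return report

def revoke(text, comment):
    """Return the file contents without the key(s) labelled `comment`."""
    keep = [l for l in text.splitlines()
            if (e := parse(l)) is None or e[3] != comment]
    return "\n".join(keep) + "\n"

SAMPLE = (  # constructed entries; key blobs are placeholders, not real keys
    'command="cvs server",no-pty,no-port-forwarding,no-x11-forwarding,'
    'no-agent-forwarding ssh-rsa AAAAPLACEHOLDERJOE joe\n'
    'no-pty ssh-rsa AAAAPLACEHOLDERANN ann\n'
    'ssh-rsa AAAAPLACEHOLDERBOB bob\n')
```

With a single shared key there is only one entry, so `revoke` would cut off every user at once; the audit of the forced command applies either way.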