Re: cvs security - ssh vs pserver?

To: debian-user@lists.debian.org
Cc: Dave Sherohman <esper@sherohman.org>, "Eric G. Miller" <egm2@jps.net>
Subject: Re: cvs security - ssh vs pserver?
From: Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu>
Date: Thu, 29 Nov 2001 14:54:20 -0600
Message-id: <[🔎] 20011129145420.A10823@bmrb.wisc.edu>
Mail-followup-to: debian-user@lists.debian.org, Dave Sherohman <esper@sherohman.org>, "Eric G. Miller" <egm2@jps.net>
Reply-to: dmaziuk@yola.bmrb.wisc.edu
In-reply-to: <[🔎] 20011129113824.A12743@harmony.cs.rit.edu>
References: <[🔎] 20011127015150.A3681@dirac.org> <[🔎] 20011127101421.A6350@bmrb.wisc.edu> <[🔎] 20011127194123.4ea8f109.egm2@jps.net> <[🔎] 20011128115851.C24003@fishbowl.madduck.net> <[🔎] 20011128104402.B8135@bmrb.wisc.edu> <[🔎] 20011129040953.B26177@fishbowl.madduck.net> <[🔎] 20011129094717.B26725@sherohman.org> <[🔎] 20011129113824.A12743@harmony.cs.rit.edu>

* dman (dsh8290@rit.edu) spake thusly:
...
> What is insecure about pserver, if you have anonymous access?  

To quote TFCVSM, "once a user has non-read-only access to 
repository, she can execute programs on the server system 
through  a variety of means." Read section 2.9.3.3 -- 
"Security considerations with password authentication" and 
weep. 

So, if you are going to provide anonymous cvs (& I've no idea
if OP wants that), you don't want pserver. 

If you're paranoid enough, you'll also want to hide CVSROOT
from anonymous lusers, disable write access to cvs repository
(you need to write lock files etc. someplace else), and put 
the whole mess in a chroot jail on a dedicated swerver in the 
DMZ. This is besides the point though. The point is that I 
simply mentioned Joey's method as one of the options.

Dima (http://kitenet.net/programs/sshcvs/)
-- 
We're sysadmins. Sanity happens to other people.                  -- Chris King

Reply to:

References:
- cvs security - ssh vs pserver?
  - From: Peter Jay Salzman <p@dirac.org>
- Re: cvs security - ssh vs pserver?
  - From: Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu>
- Re: cvs security - ssh vs pserver?
  - From: "Eric G. Miller" <egm2@jps.net>
- Re: cvs security - ssh vs pserver?
  - From: martin f krafft <madduck@madduck.net>
- Re: cvs security - ssh vs pserver?
  - From: Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu>
- Re: cvs security - ssh vs pserver?
  - From: martin f krafft <madduck@madduck.net>
- Re: cvs security - ssh vs pserver?
  - From: Dave Sherohman <esper@sherohman.org>
- Re: cvs security - ssh vs pserver?
  - From: dman <dsh8290@rit.edu>

Prev by Date: Re: cvs security - ssh vs pserver?
Next by Date: inetd vs xinetd
Previous by thread: Re: cvs security - ssh vs pserver?
Next by thread: Re: cvs security - ssh vs pserver?
Index(es):
- Date
- Thread