[Cvsnt] Permissions for changing files in module
Mudama, Eric
eric_mudama at maxtor.com
Thu Feb 21 18:53:35 GMT 2002
One thing that you can do for basic security is SSH tunneling. It requires
that every user have a shell account on the machine with the CVS archive,
but it works rather well in practice and should be very secure. Note that
to my knowledge it only works on linux (due to a lack of an SSHD on NT) but
the principles apply.
1. Setup your server to only have 1 world accessible port ... 22 for sshd.
All other ports are blocked using hosts.deny in /etc. CVS is setup for
pserver communications, but this is blocked from access from the network.
2. Users who want to access CVS log into the server using SSH, with the SSH
port tunneling feature enabled. Local port 2401 is mapped to remote port
2401.
3. Run CVS on the local machine, attempting to connect to a cvs server on
the local machine: cvs -d ":pserver:username@localhost" login
4. Now you should be connected to a local port which is tunneled through to
the backend system, and all communications will be encrypted with the
algorithm of your choice. (DES, 3DES, Blowfish, AES, etc)
This isn't the most transparent way to access a server securely, but it does
let you use native CVS features in a secure manner. Hope nobody minds the
spam on a CVSNT list, but some of you may find it useful. CPU utilization
for the stream encryption is similar to a -z 1 argument to CVS. Also note
that on very fast networks with fast clients, you will need to enable
encryption to "slow down" the server, otherwise the SSH tunnel in most
clients runs out of FIFO space and you'll get end-of-file errors. This I
have seen with both PuTTY and TTERM, two free terminal programs that support
SSH.
eric
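The four steps above written out as a client-side script. This is an added example, not code from the original post or from CVSNT: the server name, account name and repository path are placeholders, and it assumes an OpenSSH client and a native cvs client on the PATH. It refuses to start if something else already listens on the local port, since the cvs client would otherwise talk to that listener instead of the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): forward a local port through SSH
# to a CVS pserver that the server only exposes on its loopback interface,
# then run the unmodified cvs client against the local end of the tunnel.
# CVS_HOST, CVS_USER and REPO below are assumed placeholder values.

CVS_HOST="${CVS_HOST:-cvs.example.com}"   # assumed: SSH-reachable CVS server
CVS_USER="${CVS_USER:-${USER:-cvsuser}}"  # assumed: shell account on that server
REPO="${REPO:-/home/cvs}"                 # assumed: repository path on the server
LOCAL_PORT="${LOCAL_PORT:-2401}"          # local end of the tunnel
REMOTE_PORT=2401                          # pserver port on the server's loopback

# The -L argument for ssh: local_port:host-as-seen-from-server:remote_port.
# "localhost" is resolved on the server side, so it reaches the loopback-only pserver.
forward_spec() {
    printf '%s:localhost:%s\n' "$1" "$2"
}

# CVSROOT that points cvs at the local end of the tunnel.
# pserver syntax is :pserver:user@host:port/path
tunnel_cvsroot() {
    printf ':pserver:%s@localhost:%s%s\n' "$1" "$2" "$3"
}

# Returns success if some process already listens on TCP port $1.
# Uses ss where available and falls back to netstat (Linux and BSD formats);
# if neither tool exists the check cannot detect anything and reports "free".
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "[.:]$1 "
    else
        netstat -an 2>/dev/null | grep -q "[.:]$1 .*LISTEN"
    fi
}

# -N: run no remote command, -f: go to background after authentication.
# Every byte on the forwarded port is carried inside the encrypted SSH session.
start_tunnel() {
    ssh -f -N -L "$(forward_spec "$LOCAL_PORT" "$REMOTE_PORT")" "$CVS_USER@$CVS_HOST"
}

# cvs login stores the (scrambled, not encrypted) pserver password in ~/.cvspass;
# the password itself only ever crosses the network inside the tunnel.
cvs_login() {
    CVSROOT=$(tunnel_cvsroot "$CVS_USER" "$LOCAL_PORT" "$REPO")
    export CVSROOT
    cvs -d "$CVSROOT" login
}

# Only connect when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--connect" ]; then
    if port_in_use "$LOCAL_PORT"; then
        echo "local port $LOCAL_PORT is already in use; not starting tunnel" >&2
        exit 1
    fi
    start_tunnel
    cvs_login
    echo "CVSROOT=$CVSROOT is now set; cvs commands go through the tunnel"
fi
```

Run it as `CVS_HOST=yourserver CVS_USER=you REPO=/path/to/repo sh cvs-tunnel.sh --connect`. Later cvs commands in the same shell need the same CVSROOT, and the background ssh process must stay alive for as long as the tunnel is needed.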
> -----Original Message-----
> From: Koen [mailto:no at ssppaamm.com]
> Sent: Thursday, February 21, 2002 3:13 AM
> To: cvsnt at cvsnt.org
> Subject: Re: [Cvsnt] Permissions for changing files in module
>
>
> "Tony Hoyle" <tmh at nothing-on.tv> wrote in message
> news:3c73d1d2.19432906 at tony-home...
>
> > On Wed, 20 Feb 2002 09:53:45 +0000 (UTC), "Koen" <no at ssppaamm.com>
> > wrote:
>
> > >2. Use pserver protocol with impersonation
> > >No ntserver protocol, because: (1) in that case the NT
> passwords must be
> > >sent over the net and they are easily decrypted, and (2)
> we also need to
> > >access the repository from Linux machines...
> >
> > If you're that bothered about security then pserver is the *worst*
> > protocol to choose as the passwords are trivially
> decrypted. Kerberos
> > or SSH are needed for that level of security.
>
> Any pointer on a tutorial to set this up using SSH?
>
> > sspi is a good middle
> > ground - you can in theory crack the NT passwords (they're MD5'd I
> > believe) but it would take a couple of weeks on a fast machine
> > provided you don't use passwords that aren't susceptible to a
> > dictionary attack.
>
> So, if I use ntserver protocol the passwords are sent in a
> better encrypted
> way than when using pserver protocol? But can I still access
> the repository
> from a Linux machine if I choose to use ntserver protocol?
>
> > Users can set their own passwords using 'cvs passwd'.
>
> OK!
>
> Thanks a lot for all your help!
>
> Koen
>
>
> _______________________________________________
> Cvsnt mailing list
> Cvsnt at cvsnt.org
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
>