[cvsnt] pserver && encryption

Keith D. Zimmerman keith at eagle-solutions.com
Thu Jun 5 01:30:12 BST 2003 

So I upgraded my cvsnt server to 2.0.4; now looking into encryption and
the new sserver stuff...

	C:\builds\temp>cvs -d :sserver:server2:/ewcode version
	Client: Concurrent Versions System (CVSNT) 2.0.4 (client/server)
	Server: Concurrent Versions System (CVSNT) 2.0.4 (client/server)

To enable sserver or sspi over the internet, I open 2401 to the outside,
correct?  pserver, sserver, sspi, they all run on that port, correct?
So I set my server to "require encryption", then tested pserver to
verify that it is secure...

	C:\builds\temp>cvs -d :pserver:server2:/ewcode login
	Logging in to :pserver:Keith at server2:2401:/ewcode
	CVS password: *****************
	cvs [login aborted]: authorization failed: server server2
rejected access to /ewcode

First try: wrong password.  Oops, but look, the server rejected it.
Does that mean my password traversed the internet?

	C:\builds\temp>cvs -d :pserver:server2:/ewcode login
	Logging in to :pserver:Keith at server2:2401:/ewcode
	CVS password: *****************

Correct password, works this time...

	C:\builds\temp>cvs -d :pserver:server2:/ewcode co ebms\ebmscucf
	cvs [checkout aborted]: This protocol does not support
encryption

But now a checkout.  Finally, the encryption error hits, but methinks it
is too late...  I am more concerned about my domain passwords being um,
"borrowed" than I am about my code being "borrowed", because we have an
RDP port hanging open, and I am domain admin...  Very bad if people
"borrow" my password.  Fortunatly I know enough to test on the LAN
*before* opening the port on the external interface...

Also, as far as security:  If I set the server to "require encryption"
:spi: still seems to work.  There have been reports (in the past) that
windows authentication was "not good".  People deriding M$'s built in
auth. in internet explorer and IIS because it was dangerous, esp. w/
domain passwords.  Anybody know anything about this????

Also, one more question:  what is the cipher strength of the various
protocols - sserver, sspi - as compared to cygwin ssh?

keith d. zimmerman, mcsd 
eagle solutions

More information about the cvsnt mailing list