Date:      Mon, 5 Apr 2004 11:48:37 +0100 (BST)
From:      Jan Grant <Jan.Grant@bristol.ac.uk>
To:        dave <dmehler26@woh.rr.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: secure cvs server, urgent
Message-ID:  <Pine.GSO.4.58.0404051141430.9509@mail.ilrt.bris.ac.uk>
In-Reply-To: <000c01c41a92$cf1e3fb0$0200a8c0@satellite>
References:  <000c01c41a92$cf1e3fb0$0200a8c0@satellite>

On Sun, 4 Apr 2004, dave wrote:

> Hello,
>     I'm wanting to offer cvs services to a select group of users from my
> internal server. I need this to be as secure as possible using ssh. I've
> tried cvsd, and although it starts when I try to log in, I'm using :pserver:
> at the moment, I get the message, premature end of file from server, consult
> above messages if any. There are none and nothing in the logs. When I tried
> to use the :ext method I got the error:
> login can only be used with the pserver method.
>     If anyone has secure cvs services going behind a firewall to users on
> the net please let me know.
> Thanks.
> Dave.

Depends what you mean by "secure". Typical use with ssh is to set

	CVSROOT=:ext:$USER@server:/path/to/cvs/repo
	CVS_RSH=ssh

in which case the user will need an account on your machine. If you set
up public/private key pairs then cvs access from the command line is
seamless without requiring "cvs login" (you use ssh-agent to keep your
passphrases for you).

You can "force" a command line by configuring the user's
.ssh/authorized_keys file; you might want to consider setting up a
jailed environment for your users with sshd and cvs in it.

Even after all that, cvs still has enough mechanisms to permit the
execution of arbitrary programs on the server with the user's
credentials; so your cvs server still effectively has a high level of
trust in your users.

If you want something "secure" like this you might want to consider an
alternative source control system. Or maybe, if licensing permits,
offload that risk to sourceforge, who've got a lot of practice at this
sort of thing.


-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Personal responsibility for corporate decisions:
if they've nothing to hide, they've nothing to lobby against.
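
Added example, not part of the original message: one way to "force" the command line from .ssh/authorized_keys so that a key can only start "cvs server", which is what a cvs client using :ext: with CVS_RSH=ssh asks the remote side to run. The script path, the "run" argument and the key material are assumptions; as the message notes, this narrows the ssh entry point but cvs itself can still run programs with the user's credentials.

```shell
#!/bin/sh
# Forced-command wrapper for a CVS-over-ssh account (added example).
# Hypothetical install path: /usr/local/libexec/cvs-only.sh
# Matching authorized_keys entry, on one line (key is a placeholder):
#   command="/usr/local/libexec/cvs-only.sh run",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER user@client

# cvs_gate REQUESTED_COMMAND
# Succeeds only for the exact string "cvs server". Anything else, including
# an empty string (interactive login attempt), is refused.
cvs_gate() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND and
# runs the forced command instead; the decision is made here.
cvs_only_main() {
    if cvs_gate "${SSH_ORIGINAL_COMMAND:-}"; then
        # Fixed command line: nothing supplied by the client is interpolated.
        exec cvs server
    fi
    # Record the refusal for later review; ignore a missing logger.
    logger -t cvs-only -p auth.notice \
        "refused request from ${USER:-unknown}: ${SSH_ORIGINAL_COMMAND:-<interactive>}" \
        2>/dev/null || true
    echo "This account only provides CVS access." >&2
    return 1
}

# Only act when invoked the way the authorized_keys entry invokes it.
if [ "${1:-}" = "run" ]; then
    cvs_only_main
    exit $?
fi
```

On the client side nothing changes: CVSROOT and CVS_RSH are set as shown in the message above.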