Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
One thing that you can do for basic security is SSH tunneling. It requires that every user have a shell account on the machine with the CVS archive, but it works rather well in practice and should be very secure. Note that to my knowledge it only works on linux (due to a lack of an SSHD on NT) but the principles apply. 1. Setup your server to only have 1 world accessable port ... 22 for sshd. All other ports are blocked using hosts.deny in /etc. CVS is setup for pserver communications, but this is blocked from access from the network. 2. Users who want to access CVS log into the server using SSH, with the SSH port tunneling feature enabled. Local port 2401 is mapped to remote port 2401. 3. Run CVS on the local machine, attempting to connect to a cvs server on the local machine: cvs -d ":pserver:username at localhost" login 4. Now you should be connected to a local port which is tunneled through to the backend system, and all communications will be encrypted with the algorithm of your choice. (DES, 3DES, Blowfish, AES, etc) This isn't the most transparent way to access a server securely, but it does let you use native CVS features in a secure manner. Hope nobody minds the spam on a CVSNT list, but some of you may find it useful. CPU utilization for the stream encryption is similar to a -z 1 argument to CVS. Also note that on very fast networks with fast clients, you will need to enable encryption to "slow down" the server, otherwise the SSH tunnel in most clients runs out of FIFO space and you'll get end-of-file errors. This I have seen with both Putty and TTERM, two free terminal programs that support SSH. eric > -----Original Message----- > From: Koen [mailto:no at ssppaamm.com] > Sent: Thursday, February 21, 2002 3:13 AM > To: cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook > Subject: Re: [Cvsnt] Permissions for changing files in module > > > "Tony Hoyle" <tmh at nothing-on.tv> wrote in message > news:3c73d1d2.19432906 at tony-home... > > > On Wed, 20 Feb 2002 09:53:45 +0000 (UTC), "Koen" <no at ssppaamm.com> > > wrote: > > > >2. Use pserver protocol with impersonation > > >No ntserver protocol, because: (1) in that case the NT > passwords must be > > >sent over the net and they are easily decrypted, and (2) > we also need to > > >access the repository from Linux machines... > > > > If you're that bothered about security then pserver is the *worst* > > protocol to choose as the passwords are trivially > decrypted. Kerberos > > or SSH are needed for that level of security. > > Any pointer on a tutorial to set this up using SSH? > > > sspi is a good middle > > ground - you can in theory crack the NT passwords (they're MD5'd I > > believe) but it would take a couple of weeks on a fast machine > > provided you don't use passwords that aren't susceptible to a > > dictionary attack. > > So, if I use ntserver protocol the passwords are sent in a > better encrypted > way than when using pserver protocol? But can I still access > the repository > from a Linux machine if I choose to use ntserver protocol? > > > Users can set their own passwords using 'cvs passwd'. > > OK! > > Thanks a lot for all your help! > > Koen > > > _______________________________________________ > Cvsnt mailing list > Cvsnt at cvsnt.org > http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs > _______________________________________________ Cvsnt mailing list Cvsnt at cvsnt.org http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs