[Cvsnt] PServer Security

Mudama, Eric eric_mudama at maxtor.com
Tue Mar 26 20:11:26 GMT 2002




One of the more common ways is with SSH, but I don't know how to do this
with an NT server.

On a Unix server (Solaris/Linux/etc. -- clients can be whatever) you would do
the following:

1. set up the CVS server with pserver active, set your hosts.allow to only accept
incoming SSH connections (port 22) (you MUST block remote port 2401 access)
2. set up SSHD on the server with port forwarding allowed
3. set up the local machine with
CVSROOT=:pserver:<server_username>@localhost:<path_on_server>
4. enable SSH tunneling in your SSH client and port forwarding for this
mapping:

	localhost:2401 -> server:2401

5. SSH login into the CVS server
6. while SSH'd into local server, run the CVS commands locally.  Your SSH
client program will intercept requests to port 2401, and forward them
through the encrypted tunnel to the CVS server.  Data coming back will also
be on this TCP socket, and therefore encrypted.

Advantages of this method:

1. Works just as well for truly remote machines as for local machines
2. With a different hosts.allow, you can enable standard :pserver: for, say,
machines on your subnet without hurting sitewide security too much (given
the clients are all secure)
3. The encryption has been proven in practice to be quite secure... SSH/SSL,
with the exception of the buffer overflow found a month ago and the known
password sending problems in SSH versions <1.5, is trusted by BSD and many
other groups known for their attention to security.
4. Requires SSH login validation before any CVS commands can be performed,
and SSH2 I believe is designed to defeat man-in-the-middle type attacks.

Disadvantages of this method:

1. You must log in with SSH before you can use CVS, therefore you must have
at least semi-functional accounts on said server, which is potentially a
security risk if a local exploit is discovered in the OS.
2. Requires an SSH client.  There are free ones available (PuTTY does SSH2,
TeraTermPro/SSH only does SSH1), but many are commercial implementations.
(They often come with X servers like Hummingbird eXceed)

--eric


> -----Original Message-----
> From: Mike Shoemaker [mailto:shoemaker_m at yahoo.com]
> Sent: Tuesday, March 26, 2002 11:26 AM
> To: cvsnt at cvsnt.org
> Subject: [Cvsnt] PServer Security
>
>
> Any way to make pserver more secure over the internet?
>
>
>
>
> _______________________________________________
> Cvsnt mailing list
> Cvsnt at cvsnt.org
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
>
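
An added example, not part of the original message: a small checker for the hosts.allow/hosts.deny pair that step 1 and advantage 2 of the reply above depend on, following the tcp wrappers evaluation order. The sample files, the daemon name "cvs", the loopback tunnel endpoint and the 192.168.1. subnet are assumptions made for illustration; only IPv4 and a subset of the pattern syntax are handled.

```python
import ipaddress

# Constructed sample files for the setup in steps 1-2 (not from the original post).
# Assumptions: pserver is started through tcpd/libwrap under the daemon name "cvs",
# and the tunnel delivers connections to it from the server's own loopback address.
HOSTS_ALLOW = """\
# SSH from anywhere; pserver only via the tunnel endpoint on the server
sshd : ALL
cvs  : 127.0.0.1
"""
HOSTS_ALLOW_SUBNET = HOSTS_ALLOW + "cvs  : 192.168.1.\n"   # advantage 2: trusted subnet
HOSTS_DENY = "cvs : ALL\n"


def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 string (subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # prefix form, e.g. "192.168.1."
        return ip.startswith(pattern)
    if "/" in pattern:                             # net/mask form, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list' rule in text matches daemon and ip."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
        if (daemon in daemons or "ALL" in daemons) and any(
            client_matches(c, ip) for c in clients
        ):
            return True
    return False


def access_granted(hosts_allow, hosts_deny, daemon, ip):
    """tcp wrappers order: hosts.allow match grants, hosts.deny match denies, else grant."""
    if file_matches(hosts_allow, daemon, ip):
        return True
    return not file_matches(hosts_deny, daemon, ip)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.20", "203.0.113.7"):
        print(ip, access_granted(HOSTS_ALLOW, HOSTS_DENY, "cvs", ip))
```

Calling `access_granted` with an empty hosts.deny returns True for a remote address, because a client that matches neither file is granted access; the deny rule is what actually blocks port 2401.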