[cvsnt] SSPI Protocol security

Thomas Muller ttm at online.no
Fri Mar 7 14:40:42 GMT 2003


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Forgot to mention: the share is mapped with the administrator user (which
has the same credentials on both hosts - both the one running cvsnt and the
one hosting the share).

To all my knowledge, cvsnt should be able to access the repository. In a way
it does, because I'm able to login (CVS returns with successful login), and
as far as I know, the login procedure includes reading the ../CVSROOT/passwd
file. How can it be that it has permission to read this file, but not the
rest of the repository?

Any ideas?

--

Thomas

| -----Original Message-----
| From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org]On Behalf
| Of Thomas Muller
| Sent: 07 March 2003 13:42
| To: cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| Subject: RE: [cvsnt] SSPI Protocol security
|
|
| Thanks a lot for the help so far. It's working now, but only when the
| repository is on the same box as the CvsNT server. When the
| repository is on
| a share, CVS does not seem to have permissions to read the repository.
| However, the permissions seem to be fine when I access the repository in
| pserver mode.
|
| My setup is as follows:
|
| CvsNt is unning on a box as administrator (configured in "Log on"
| tab in she
| service console). On this box I've added a user which is also added in the
| repository's passwd file. The user exists both on the host
| running CvsNt and
| on the host with the share, with the same password, and is a member of the
| administrators group on both hosts. I've even tried to run CvsNt as this
| user, but no luck. Cvs reports "[server aborted]: Cannot access
| G:\BaseCamp\VersionControl: Permission denied".
|
| Any ideas what's happening and the remedy?
|
| Thanks!
|
| --
|
| Thomas
|
|
|
|
| | -----Original Message-----
| | From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org]On Behalf
| | Of Bo Berglund
| | Sent: 07 March 2003 12:32
| | To: cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| | Subject: RE: [cvsnt] SSPI Protocol security
| |
| |
| | Concerning "best practices" over Internet:
| | 1) Set up your server to *only* allow SSPI and other secure
| | protocols (like SSH)
| |    (Disable pserver by erasing the pserver_protocol.dll from the server)
| | 2) Open the firewall port 2401 and aim it towards your internal
| | CVSNT server.
| | 3) On the client side set your sspi as follows
| |    :sspi:user at server:/repository
| |    (server must be the firewall IP address in this case)
| |    Also make sure to check the encryption flag in WinCvs (button
| | to the right
| |    of the protocols selection combo).
| | 4) You must start on the client by doing a cvs login and enter
| the system
| |    password for the user. It will be sent encrypted and is also
| | stored in your
| |    client PC in a fairly secure way for reuse on later cvs operations.
| | 5) Now you can operate on this CVSNT server via the Internet as usual.
| |
| | I have done this myself and it works pretty well, actually the
| | combination of
| | encryption and compression makes it usable even on a dialup link to the
| | Internet provider.
| |
| | /Bo
| |
| |
| | -----Original Message-----
| | From: Tony Hoyle [mailto:tmh at nodomain.org]
| | Sent: den 7 mars 2003 11:44
| | To: cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| | Subject: Re: [cvsnt] SSPI Protocol security
| |
| |
| | On Fri, 7 Mar 2003 09:33:19 -0000, "Thomas Muller"
| <ttm at online.no> wrote:
| |
| | >Hi,
| | >
| | >Apardon my ignorance regarding the different protocols and CVS
| | in general,
| | >but documentation is a bit scarce with respect to secruity implications
| | >excpect for the pserver protocol which is considered highly unsecure.
| | >
| | >How secure is SSPI? Is it just used for authentication and
| after that the
| | >actual transmission of commands and file contents is open?
| | >
| | It's a secure as MS wrote it...  Basically SSPI from a Win9x
| | machine is about
| | as secure as pserver (NTLMv1 is trivially crackable).  Between
| NT machines
| | though it's pretty secure.
| |
| | If you enable encryption then all the traffic is encrypted,
| | although there's
| | little documentation about what encryption is used so I couldn't say how
| | secure it is - I guess it's pretty secure as I've never heard of anyone
| | cracking it.
| |
| | Tony
| |
| | _______________________________________________
| | cvsnt mailing list
| | cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| | http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs
| | _______________________________________________
| | cvsnt mailing list
| | cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| | http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs
| |
| |
|
|
|
| *************************************************************************
| Copyright ERA Technology Ltd. 2002. (www.era.co.uk). All rights reserved.
| The information supplied in this Commercial Communication should
| be treated
| in confidence.
| No liability whatsoever is accepted for any loss or damage
| suffered as a result of accessing this message or any attachments.
|
| ________________________________________________________________________
| This email has been scanned for all viruses by the MessageLabs SkyScan
| service. For more information on a proactive anti-virus service working
| around the clock, around the globe, visit http://www.messagelabs.com
| ________________________________________________________________________
| _______________________________________________
| cvsnt mailing list
| cvsnt at cvsnt.org cvsnt downloads at march-hare.com @CVSNT on Twitter CVSNT on Facebook
| http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs
|
|



*************************************************************************
Copyright ERA Technology Ltd. 2002. (www.era.co.uk). All rights reserved. 
The information supplied in this Commercial Communication should be treated
in confidence.
No liability whatsoever is accepted for any loss or damage 
suffered as a result of accessing this message or any attachments.

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________


More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook