info-cvs

RE: Remote cvs and security


From: Colin Bester
Subject: RE: Remote cvs and security
Date: Mon, 10 Sep 2001 19:37:23 -0500

Greg, I would like to know what alternatives you are referring to.

The way I understand it is that all passwords used between client and
pserver are sent in clear text and as such irrespective of what you do,
it would be very easy to listen in on these and gain access to the
software files.

While cvs might have been designed for free source development and some
of us even agree with it, we don't always have this freedom of choice
and need to protect our data.

I am pretty new to these aspects as I have always worked in a closed and
'safe' environment and now find myself at the other end of the spectrum.

I would really appreciate some comments on what the correct steps would
be to secure this link.

Colin Bester    address@hidden


> -----Original Message-----
> From: address@hidden [mailto:address@hidden 
> On Behalf Of Greg A. Woods
> Sent: Monday, September 10, 2001 17:11 PM
> To: Josh Baudhuin
> Cc: CVS-II Discussion Mailing List
> Subject: RE: Remote cvs and security
> 
> 
> [ On Monday, September 10, 2001 at 14:22:25 (-0700), Josh Baudhuin wrote: ]
> > Subject: RE: Remote cvs and security
> >
> > Well, pserver + CVSROOT/passwd is one thing, but using pserver with
> > the default authentication of the system isn't so bad. Passwords are
> > stored in the same way that /etc/passwd encrypts them.
> 
> I suppose that's fine if you've got a 100% private and 100% trusted
> (Virtual) Private Network, and you 100% trust all the clients 
> on that network, and provided that you don't need any real security.
> 
> CVS pserver with CVSROOT/passwd is a security nightmare 
> otherwise.  It really has no valid justification to exist at 
> all and should be eliminated because even on a 100% trusted 
> VPN the alternatives are still infinitely better from a 
> security perspective (there's absolutely no accountability 
> with pserver).
> 
> -- 
>                                                       Greg A. Woods
> 
> +1 416 218-0098      VE3TCP      <address@hidden>     
> <address@hidden>
> Planix, Inc. <address@hidden>;   Secrets of the Weird 
> <address@hidden>
> 
> _______________________________________________
> Info-cvs mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/info-cvs
> 



