Re: Security concern CVSROOT

From: Derek R. Price
Subject: Re: Security concern CVSROOT
Date: Sat, 28 Oct 2000 02:16:42 -0400

Martin Vogt wrote:

> 1. Authorisation
> ----------------
> The authorisation mechanism. Currently the client sends
> cvsroot,username,password
> in one single command.
> If a setuid wrapper, like cvsauth, gets such a request,
> the user sends his clear text password if he accidentally
> types :pserver instead of :sslserver

Well, if you're daring enough to grab the dev version you can redirect
the port CVS is accessing, so localhost:33333 or something is unlikely
to send cleartext passwords anywhere unless you have your tunnel up.

Alternately, you could only allow ssh access (using :ext: and setting
CVS_RSH=ssh), then you don't have to trust the user not to try and use
pserver, but you have to allow the user an ssh shell on the server.


Derek Price                      CVS Solutions Architect
mailto:address@hidden     OpenAvenue
Information is the currency of democracy.

                        - Thomas Jefferson
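
The following is an added example, not part of the thread and not code from CVS or cvsauth: a shell audit that reads the `CVS/Root` file of each checked-out directory and labels how the connection would travel, following the distinction drawn above between `:pserver:` to a remote host, `:pserver:` to a local tunnel port, and `:ext:` with `CVS_RSH=ssh`. The function names, the category labels and the sample host names used to exercise it are assumptions made for illustration, and it assumes the `rsh` default that CVS used at the time when `CVS_RSH` is unset.

```shell
#!/bin/sh
# Added example: classify CVSROOT strings by transport exposure.
# Labels printed here are this script's own, not CVS output.

classify_cvsroot() {
    root=$1
    # Assumption: CVS falls back to rsh when CVS_RSH is unset.
    rsh=${2:-${CVS_RSH:-rsh}}
    case $root in
        :pserver:*)
            # Drop the method and any user[:password]@ to isolate the host.
            rest=${root#:pserver:}
            case $rest in *@*) rest=${rest#*@} ;; esac
            host=${rest%%[:/]*}
            case $host in
                # Loopback only protects the password if a tunnel is listening.
                localhost|127.*) echo tunnel-dependent ;;
                *)               echo cleartext ;;
            esac ;;
        :ext:*)
            # :ext: is only as safe as the program CVS_RSH points at.
            case ${rsh##*/} in
                ssh|ssh\ *) echo ssh ;;
                *)          echo ext-unencrypted ;;
            esac ;;
        :local:*|/*) echo local ;;
        *)           echo unknown ;;   # e.g. wrapper-specific methods
    esac
}

# Walk a working tree and report one line per CVS/Root file:
# <label> TAB <file> TAB <CVSROOT>
audit_tree() {
    find "$1" -type f -path '*/CVS/Root' | while IFS= read -r f; do
        IFS= read -r root < "$f" || [ -n "$root" ] || continue
        printf '%s\t%s\t%s\n' "$(classify_cvsroot "$root")" "$f" "$root"
    done
}

if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Any line labelled `cleartext` or `ext-unencrypted` marks a checkout whose next `cvs login` or update would expose credentials or session data on the network.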
