[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Secure remote CVS
Re: Secure remote CVS
06 Feb 2001 10:19:01 +0100
Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Capitol Reef)
Mike Castle <address@hidden> writes:
> On Mon, Feb 05, 2001 at 05:05:51PM -0600, David H. Thornley wrote:
> > I recommended setting CVS_RSH=ssh, and was told that the users
> > then had to type in their password for every file being transferred,
> > and that is more typing than they're willing to put up with.
Depends on the authentication method you're using. For RSA or DSA
authentication, ssh-agent alleviates the need for the user to supply
passphrases. Apart from that, unless you already have a secure
infrastructure like IPsec in place, SSH is probably the way to go.
> On all of the clients, run ssh-keygen and supply NO passphrase (It turns
> out the particular port that I used was broken in this aspect. So I had
> to run ssh-keygen on the unix box and ftp files back. It was a pain,
> but worked. Apparently there is a work around for this particular port,
> but I forget what it is).
> Then we did the appropriate things with public/private key files onto the
> server (been a while since set it up so don't remember details).
> Now, problem with this is that any access to this machine/account now
> allows access to the cvs server without another need for a password. Is
> that sufficient or not?
Not really a problem unless the private key has been compromised
(e.g. stolen). In such situations, it could be important to have
passphrase-protected keys; and since it's painless to use them with
ssh-agent... Also, generally, a policy for key aging/retirement
might be in order.
> If using a Cygwin port, can you do things with ssh-agent to have it up and
> running? I've never used ssh-agent so don't know if it would serve this
> purpose or not.
Yes, that works as advertised with the SSH Version OpenSSH_2.3.0p1
package on Cygwin 1.1.7. The setup of OpenSSH on the client is
conveniently scripted (/usr/bin/ssh-config).
Great stuff, Cygwin: http://sources.redhat.com/cygwin/.
Michael Diers mailto:address@hidden
Senior Developer / Solution Architect
elego software solutions GmbH http://www.elego.de/