[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: secure CVS connection

From: Jonah Tsai
Subject: Re: secure CVS connection
Date: Sat, 2 Mar 2002 16:07:55 -0500

On Friday, March 1, 2002, at 08:09  PM, Greg A. Woods wrote:

[ On Saturday, March 2, 2002 at 00:10:21 (+0300), Leonid Krutyansky wrote: ]
Subject: secure CVS connection

I need to arrange a secure access to a CVS-server  through
Internet-firewall with a Windows-based graphic client.
Am  I right that Unix-based server and SSH protocol is the only
realistic possibility? Is there any CVS client for Windows that support Kerberos?

CVSNT works with gserver (Kerberos, currently), the newest version of WinCVS should work too (1.3b6). I run a Solaris CVS-gserver behind a Linksys NAT router at home and cvsnt clients come from some remote corners of the world, on platforms like Solaris, Linux, W2K/XP, MacOS X. One Windows client actually comes from behind another Linksys router.

KDC is a real pain to setup/administrate, so unless you can do KDC half-asleep, or you have large number of users that come and go, you'd better off kick it off with SSH -- a lot easier to get going.

However, KDC setup/administration can be "sloppily" simplified if you put up a packet filtering router like a Linksys so that only Kerberos traffics can go through, i.e. rely on the hardware packet filtering to fend off attacks instead of hardening the KDC machine. Again, this is SLOPPY! But it works for small setups where the real hard work for setup/administrating KDC (hardening and constant monitoring) does not justify what's gained.

Kerberos is only an authentication and authorisation protocol.  While it
can also be used to share keys that could be used for transport
encryption, CVS does not use it for that purpose.

Eh? What's the following function doing in src/server.c, if "CVS does not use it for that purpose"? I assume this function sets up the encryption with a client, according the the comments in the function. Unless this setup does not work for GSSAPI wrapping, otherwise the communication between client and server is encrypted.


static void
serve_gssapi_encrypt (arg)
     char *arg;
    if (cvs_gssapi_wrapping)
        /* We're already using a gssapi_wrap buffer for stream
           authentication.  Flush everything we've output so far, and
           turn on encryption for future data.  On the input side, we
           should only have unwrapped as far as the Gssapi-encrypt
           command, so future unwrapping will become encrypted.  */
        buf_flush (buf_to_net, 1);
        cvs_gssapi_encrypt = 1;

    /* All future communication with the client will be encrypted.  */
    cvs_gssapi_encrypt = 1;

    buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
    buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,

    cvs_gssapi_wrapping = 1;

#endif /* HAVE_GSSAPI */

Jonah Tsai

reply via email to

[Prev in Thread] Current Thread [Next in Thread]