[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: :ext: , ssh :pserver: relation question

From: Mark D. Baushke
Subject: Re: :ext: , ssh :pserver: relation question
Date: Mon, 24 Mar 2003 12:02:50 -0800

Ronald Petty <address@hidden> writes:

> Could someone explain the difference between using :ext: (with
> CVS_RSH=ssh) over using pserver and having tcpwrapper listen on 2401?
> Why would one do either over the other?
> Ron

With ssh, you are using strong authentication and there is no
possibility that someone else will be able to utilize any possible
security holes in cvs to spoof being someone else on your server

With pserver, your password is kept in a trivially obscured token in a
$HOME/.cvspass file and sent over the network in the clear. Once you
have connected to the 2401 server which is typically running as root you
run the possibility that someone will have found an exploit in cvs to
either become root on your server machine or to become someone else on
your server machine than was intended.

Use your favorite search engine and look for the keywords:

  cvs pserver security

for examples that have arisen in the past and realize that it is possible
that other bugs still exist.

If the problem is that you need anonymous CVS access, you may wish to
look at the following link:

Anonymous CVS access via ssh

I know that a number of folks have already talked about security issues
and CVS. I suggest you read the "Linux security issues as they pertain
to CVS" thread that starts here:

if you need/want more background on security.

        -- Mark

reply via email to

[Prev in Thread] Current Thread [Next in Thread]