info-cvs

Re: freezing cvs repository to rsync to a remote location


From: Todd Denniston
Subject: Re: freezing cvs repository to rsync to a remote location
Date: Fri, 05 Nov 2004 10:38:17 -0500

"Malhotra, Neti" wrote:
> 
> Todd,
> 
> I hate to jump in here, but I'm curious to know why pserver is not 
> recommended.  Also, could you tell me what the recommended method is?  I am 
> currently using pserver as well.
> 
> Thanks -
> Neti
> 
> -----Original Message-----
> From:  On Behalf Of Todd Denniston
> Sent: Friday, November 05, 2004 9:48 AM
> Subject: Re: freezing cvs repository to rsync to a remote location
<SNIP>
> If you are using pserver (not really a recommended method any more) then
<SNIP>
You have "no possibility of achieving even minimal accountability -- any
CVS pserver user can trivially spoof any other at several levels.  CVS is _NOT_
a security application, nor is it a multi-user operating system kernel." --
Greg A. Woods, 16 Dec 2002

.cvspass is trivially encoded (very reversible) to store your password on the
client's system disk.

There may be risks you are willing to accept included in the following
message, but I think Greg A. Woods does a good job here telling you MOST (but
not all) of the risks you have from using pserver:
remember "CVS is not a security application." --- Greg A. Woods 23 Jan 2004
http://lists.gnu.org/archive/html/info-cvs/2004-01/msg00252.html

Although many have tried I have not seen any good arguments against the facts
Greg brings up.  He may not believe you can accept some of the risks he brings
up, but the risks do exist.

also see:
http://lists.gnu.org/archive/html/info-cvs/2004-06/msg00005.html
http://lists.gnu.org/archive/html/info-cvs/2004-10/msg00292.html

the following are some other related links:
http://lists.gnu.org/archive/html/info-cvs/2002-12/msg00216.html
http://lists.gnu.org/archive/html/info-cvs/2000-10/msg00033.html
http://lists.gnu.org/archive/html/info-cvs/2000-10/msg00054.html

http://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=pserver+security&submit=Search%21&idxname=info-cvs&max=20&result=normal&sort=score


:ext: with CVS_RSH=rsh ; Although setting up .rhosts weakens your system some,
at least you might figure out which of your real users need to be taken to
task, for setting it up too open.
:ext: with CVS_RSH=ssh ; this can be used to reduce MIM attacks and may have
some increased tracking ability, and the ability to shrink the number of
commands the users have access to, AND you have a good chance of figuring out
which of your real users need to be taken to task.

Not sure about the kerberos and windows methods.
:ext: with CVS_RSH=ssh is from my reading the preferred method currently.
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane) 
Harnessing the Power of Technology for the Warfighter
The opinions expressed here are not sanctioned by and do not necessarily 
represent those of my employer.
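
Added example, not part of Todd's post or of CVS itself: a small sh script
showing the :ext: with CVS_RSH=ssh setup he recommends, with a forced command
on the server-side key so the user can run nothing but "cvs server". The user
name, host, repository path and public key are constructed placeholders.

```shell
#!/bin/sh
# Added example: move a CVS client from :pserver: to :ext: over ssh, and
# restrict what the ssh key may run on the server. alice, cvs.example.com
# and /var/cvsroot are constructed placeholders.

# Client side: with CVS_RSH=ssh, an :ext: root runs "cvs server" on the
# remote host through ssh, so ssh does the authentication, not CVS.
# cvs_ext_root USER HOST REPO -> prints the CVSROOT to use
cvs_ext_root() {
    printf ':ext:%s@%s:%s\n' "$1" "$2" "$3"
}

# Flag a CVSROOT that still uses pserver (password kept, trivially
# scrambled, in ~/.cvspass; no real accountability for who did what).
# Returns 0 if the root is a pserver root, 1 otherwise.
cvsroot_is_pserver() {
    case "$1" in
        :pserver:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Server side: one authorized_keys line per real user, with a forced
# command so the key can only start "cvs server". Because each person
# holds their own key, sshd's log names the actual user who connected.
# cvs_authorized_key_line PUBKEY_FILE -> prints the authorized_keys entry
cvs_authorized_key_line() {
    pubkey=$(cat "$1")
    printf 'command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$pubkey"
}

# Demonstration with the constructed values above
CVS_RSH=ssh
export CVS_RSH
CVSROOT=$(cvs_ext_root alice cvs.example.com /var/cvsroot)
export CVSROOT
echo "CVSROOT=$CVSROOT"
if cvsroot_is_pserver ":pserver:alice@cvs.example.com:/var/cvsroot"; then
    echo "old root still uses pserver: migrate it to :ext: with ssh"
fi
```

The generated authorized_keys line goes into ~/.ssh/authorized_keys of the
account owning the repository on the server, one line per user's key.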