Re: secure CVS connection
From: Jonah Tsai
Subject: Re: secure CVS connection
Date: Sat, 2 Mar 2002 16:07:55 -0500
On Friday, March 1, 2002, at 08:09 PM, Greg A. Woods wrote:
> [ On Saturday, March 2, 2002 at 00:10:21 (+0300), Leonid Krutyansky wrote: ]
>> Subject: secure CVS connection
>>
>> I need to arrange secure access to a CVS server through an
>> Internet firewall with a Windows-based graphic client.
>> Am I right that a Unix-based server and the SSH protocol are the only
>> realistic possibility? Is there any CVS client for Windows that
>> supports Kerberos?
CVSNT works with gserver (Kerberos, currently), the newest version of
WinCVS should work too (1.3b6). I run a Solaris CVS-gserver behind a
Linksys NAT router at home and cvsnt clients come from some remote
corners of the world, on platforms like Solaris, Linux, W2K/XP, MacOS X.
One Windows client actually comes from behind another Linksys router.
The KDC is a real pain to set up/administrate, so unless you can do KDC
half-asleep, or you have a large number of users that come and go, you'd
be better off kicking it off with SSH -- a lot easier to get going.
However, KDC setup/administration can be "sloppily" simplified if you
put up a packet filtering router like a Linksys so that only Kerberos
traffic can go through, i.e. rely on the hardware packet filtering to
fend off attacks instead of hardening the KDC machine. Again, this is
SLOPPY! But it works for small setups where the real hard work of
setting up/administrating a KDC (hardening and constant monitoring) does
not justify what's gained.
> Kerberos is only an authentication and authorisation protocol. While it
> can also be used to share keys that could be used for transport
> encryption, CVS does not use it for that purpose.
Eh? What's the following function doing in src/server.c, if "CVS does
not use it for that purpose"? I assume this function sets up the
encryption with a client, according to the comments in the function.
Unless this setup does not work for GSSAPI wrapping, the communication
between client and server is encrypted.
#ifdef HAVE_GSSAPI
static void
serve_gssapi_encrypt (arg)
    char *arg;
{
    if (cvs_gssapi_wrapping)
    {
        /* We're already using a gssapi_wrap buffer for stream
           authentication.  Flush everything we've output so far, and
           turn on encryption for future data.  On the input side, we
           should only have unwrapped as far as the Gssapi-encrypt
           command, so future unwrapping will become encrypted.  */
        buf_flush (buf_to_net, 1);
        cvs_gssapi_encrypt = 1;
        return;
    }

    /* All future communication with the client will be encrypted.  */
    cvs_gssapi_encrypt = 1;

    buf_to_net = cvs_gssapi_wrap_buffer_initialize (buf_to_net, 0,
                                                    gcontext,
                                                    buf_to_net->memory_error);
    buf_from_net = cvs_gssapi_wrap_buffer_initialize (buf_from_net, 1,
                                                      gcontext,
                                                      buf_from_net->memory_error);

    cvs_gssapi_wrapping = 1;
}
#endif /* HAVE_GSSAPI */
Jonah Tsai
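To make the state change in the quoted function concrete, here is an added Python model (an example written for this page, not CVS code and not part of either poster's message). It replays a gserver session in which the server has queued output, the client then sends Gssapi-encrypt, and more output follows; the result shows which bytes reach the wire unwrapped, integrity-only, or encrypted. gss_wrap/gss_unwrap are stand-ins built from HMAC-SHA256 (an assumption of the model, not GSSAPI or Kerberos); the session key, the "ok"/"secret file contents" responses, and the serve_gssapi_authenticate handler are constructed for the demo.

```python
"""Model of the Gssapi-encrypt state change quoted from CVS's server.c.
Added example, not CVS code. A gserver session has three protection states:
unwrapped, wrapped for integrity only (after Gssapi-authenticate), and wrapped
with encryption (after Gssapi-encrypt). gss_wrap() is a stand-in built from
HMAC-SHA256, not a real GSSAPI/Kerberos implementation."""
import hashlib
import hmac

# Constructed session key standing in for the key held by the GSSAPI context.
SESSION_KEY = b"constructed-demo-session-key (not a Kerberos key)"


def _keystream(key, seq, length):
    """HMAC-SHA256 in counter mode; stand-in for GSS_Wrap's confidentiality layer."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def gss_wrap(key, seq, data, conf):
    """Integrity-protect data always; also encrypt it when conf is True."""
    hdr = bytes([1 if conf else 0]) + seq.to_bytes(8, "big")
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data)))) if conf else data
    tag = hmac.new(key, hdr + body, hashlib.sha256).digest()
    return ("encrypted" if conf else "integrity", hdr + tag + body)


def gss_unwrap(key, token):
    """Receiver side: verify the tag, then decrypt if the header says conf was used."""
    hdr, tag, body = token[:9], token[9:41], token[41:]
    if not hmac.compare_digest(tag, hmac.new(key, hdr + body, hashlib.sha256).digest()):
        return None                              # tampered or wrong key
    seq = int.from_bytes(hdr[1:9], "big")
    if hdr[0] == 1:
        body = bytes(a ^ b for a, b in zip(body, _keystream(key, seq, len(body))))
    return body


class NetBuffer:
    """Stands in for buf_to_net: plain until a gssapi_wrap buffer is layered on it."""

    def __init__(self, wire, key):
        self.wire, self.key = wire, key          # wire: list of (kind, bytes) records
        self.pending, self.seq, self.wrapping = b"", 0, False

    def output(self, data):
        self.pending += data                     # queued, not yet on the wire

    def flush(self, encrypt):
        """buf_flush(): emit queued bytes as one record in the current state."""
        if not self.pending:
            return
        if self.wrapping:
            self.wire.append(gss_wrap(self.key, self.seq, self.pending, encrypt))
            self.seq += 1
        else:
            self.wire.append(("plain", self.pending))
        self.pending = b""


class Server:
    """The cvs_gssapi_wrapping / cvs_gssapi_encrypt flags and their handlers."""

    def __init__(self, wire):
        self.buf_to_net = NetBuffer(wire, SESSION_KEY)   # buf_from_net is the mirror image
        self.wrapping = False                            # cvs_gssapi_wrapping
        self.encrypt = False                             # cvs_gssapi_encrypt

    def serve_gssapi_authenticate(self):
        """Client sent Gssapi-authenticate: wrap for integrity only (modelled handler)."""
        if not self.wrapping:
            self.buf_to_net.flush(False)   # model: bytes already queued go out unwrapped
            self.buf_to_net.wrapping = self.wrapping = True

    def serve_gssapi_encrypt(self):
        """Client sent Gssapi-encrypt: the two branches of the quoted C function."""
        if self.wrapping:
            # Already wrapping for authentication: flush what was output so far
            # (it stays integrity-only), then encrypt everything after this point.
            self.buf_to_net.flush(self.encrypt)
            self.encrypt = True
            return
        # All future communication with the client will be encrypted.
        self.encrypt = True
        self.buf_to_net.flush(False)       # model: bytes already queued go out unwrapped
        self.buf_to_net.wrapping = self.wrapping = True


def run_session(authenticate_first):
    """Replay one server session; return the (kind, bytes) records seen on the wire."""
    wire = []
    srv = Server(wire)
    if authenticate_first:
        srv.serve_gssapi_authenticate()
    srv.buf_to_net.output(b"ok\n")                       # constructed: queued before upgrade
    srv.serve_gssapi_encrypt()
    srv.buf_to_net.output(b"secret file contents\n")     # constructed: queued after upgrade
    srv.buf_to_net.flush(srv.encrypt)
    return wire
```

The point the model makes is that encryption starts exactly at the Gssapi-encrypt request: the first record in both runs (flushed before or at the upgrade) is readable on the wire, integrity-protected at best, and only the second is encrypted. In CVS the client asks for the upgrade with the global `-x` option (and for integrity-only wrapping with `-a`); a gserver connection that never sends Gssapi-encrypt authenticates but does not encrypt, which is the distinction the two quoted messages are arguing about.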