info-cvs

Re: Confusion regarding pserver to extssh switch.


From: Mark D. Baushke
Subject: Re: Confusion regarding pserver to extssh switch.
Date: Wed, 05 Oct 2005 13:13:59 -0700

Shaun T. Erickson <address@hidden> writes:

> On 10/4/05, Mark D. Baushke <address@hidden> wrote:
> >
> >
> > :pserver: is a completely separate execution path from using :ext: (or
> > :extssh:).
> >
> > For :ext:, the user needs their own account and they will be running
> > commands from their clients like:
> >
> > ssh cvs-server-machine.your.domain cvs server
> >
> > in order to start a 'cvs' command on your server machine with the
> > 'server' argument.
> 
> 
> Yes, I knew they needed their own accounts. As for how they connect, they
> will be doing so from Windows boxen, from within the Eclipse IDE software.
> It may internally do as you say above, but that's not really what is
> concerning me.
> 
> Are you saying I have to give up the feature of having all user sessions
> running as cvs, if we use extssh?

Yes.

> I would prefer not to have files in the repository owned by the
> various developers, but have owner 

You have no choice for owner, but you could probably write a loginfo
trigger that runs a set-uid program to change ownership of the ,v file
to be user 'cvs' or have a commit otherwise trigger such a change of
ownership.

> and group be cvs, 

Group is typically able to be forced using set-gid on directories in the
repository for those filesystems that do not follow FreeBSD semantics to
inherit the parent directory gid by default.

It is also possible to run cvs in set-gid mode such that any user
running cvs will be in group 'cvs', but otherwise not able to do
anything as that group... care must be taken in the trigger scripts to
ensure that privilege escalation does not occur.

> which I currently have with pserver.

Right. Pserver lies about which user process is writing files. This is
one of the reasons that it is not necessarily as secure as having the
operating system running the authentication and authorization steps.

> From the way you describe how users connect when using extssh, it sounds
> like both the login passwords and the subsequent file transfers will all be
> encrypted, yes? That is what I'm looking to have, while keeping everything
> as owner & group cvs.

Ssh does everything over encrypted connections.

:pserver: does everything in the clear.

While you could do port forwarding for port 2401 and play games to send
your :pserver: connection over ssh, this is NOT typically what is meant
by using CVS with SSH over the :ext: protocol.

        -- Mark

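The set-gid directory arrangement described in the message above can be checked mechanically on the server. The following is an added example, not part of the original message or of CVS itself: a shell audit that flags repository directories lacking set-gid, paths outside the shared group, and world-writable paths. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper names). GROUP is a group name or gid.
# audit_cvs_repo REPO GROUP: prints one finding per line, returns 1 if any.
audit_cvs_repo() {
    repo=$1
    grp=$2
    findings=$(
        # Directories lacking set-gid: new ,v files created in them get the
        # primary group of the committer unless the filesystem inherits gids.
        find "$repo" -type d ! -perm -2000 -print | sed 's/^/NO_SETGID /'
        # Paths that have already drifted out of the shared group.
        find "$repo" ! -group "$grp" -print | sed 's/^/WRONG_GROUP /'
        # World-writable paths: with :ext: every developer has a real account,
        # so filesystem permissions are what protects the history files.
        find "$repo" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# build_sample_repo: constructed tree, not a real repository. Prints its path.
build_sample_repo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/good" "$root/bad"
    chgrp -R "$(id -g)" "$root"
    chmod 2775 "$root" "$root/good"   # set-gid, group-writable
    chmod 0775 "$root/bad"
    chmod g-s "$root/bad"             # deliberately missing set-gid
    : > "$root/good/file.c,v"
    : > "$root/bad/loose.c,v"
    chmod 0664 "$root/good/file.c,v"
    chmod 0666 "$root/bad/loose.c,v"  # deliberately world-writable
    printf '%s\n' "$root"
}
```

Against a real repository, call `audit_cvs_repo` with the repository root and the shared group, and treat any output as drift to correct.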
