info-cvs

Re: [cvs] Re: Question on user repository restrictions


From: Jeremie Le Hen
Subject: Re: [cvs] Re: Question on user repository restrictions
Date: Fri, 30 Jun 2006 10:45:08 +0200
User-agent: Mutt/1.5.11

Hello,

On Tue, Jun 27, 2006 at 03:27:12AM -0700, Mark D. Baushke wrote:
> > Which one is more secure? 
> 
> The least secure is :pserver: as it keeps a copy of the user's password
> in a $HOME/.cvspass minimally encoded. On a shared system, or one that
> is able to sniff communications traffic, it will become quickly easy for
> a cheat to impersonate another user.
> 
> The next least secure is :ext: with CVS_RSH=rsh (i.e., the berkeley
> rlogin/rsh system). It is fairly easy to fool an rsh from a system
> where the user owns the 'root' login if it can be considered 'trusted'
> by the rlogin system, then anyone may impersonate anyone else.
> 
> The next most secure is probably :ext: with the CVS_RSH=ssh (or, windows
> clients may use Putty instead of ssh as the transport) which is another
> way to specify the :extssh: protocol. This method is very secure unless the
> users share systems and one or more of them is able to run as root on the
> shared system in which case all bets are off.
> 
> The most secure is probably :gserver: which uses a
> ticket-granting-ticket from the KDC to authenticate the user.

I second this.  IMHO, :gserver: is a bit overkill to set for a programming
course.  :ext: with ssh is really simple to use.

If you don't want to provide full shell access onto the CVS server to your
students, you can use rssh [1].   It is then pretty easy to restrain the
usable commands to only cvs.  If you create one repository per student -
which is the most straightforward method - you could as well chroot each
user to its home directory where the repository stands.  Finally you just
have to drop a static cvs binary there (static, in order to avoid bothering
with shared libraries) and... voila !

I also think it would be worth setting up user quotas so that your
students cannot fill the disk up and prevent others from working.

Best regards,

[1] http://www.pizzashack.org/rssh/index.shtml
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
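
The rssh setup described in the message above, as an added example that is not part of the original post: a shell check over rssh.conf that flags any account allowed more than cvs or left without a chroot. It assumes the rssh.conf(5) per-user syntax `user=name:umask:access-bits:chroot-path` with five access bits in the order rsync, rdist, cvs, sftp, scp; the account names and paths are constructed.

```shell
#!/bin/sh
# Added example: audit rssh.conf for the cvs-only, chrooted setup.
# Assumed syntax (rssh.conf(5)): user=name:umask:access-bits:chroot-path
# Access bits, left to right: rsync rdist cvs sftp scp (cvs only = 00100).

# Constructed sample config; account names and paths are made up.
sample_conf() {
cat <<'EOF'
logfacility = LOG_USER
umask = 077
allowcvs
allowsftp
user=alice:077:00100:/home/alice
user = "bob:077:00110:/home/bob"
user=carol:077:00100:
EOF
}

# Reads a config on stdin and prints one finding per line.
audit_rssh_conf() {
  awk '
    /^[ \t]*#/ { next }                      # skip comments
    # Global allow* lines cover accounts that have no user= entry.
    /^[ \t]*allow(scp|sftp|rsync|rdist)[ \t]*$/ {
      gsub(/[ \t]/, ""); print "WEAK (default) " $0; next
    }
    /^[ \t]*user[ \t]*=/ {
      line = $0
      sub(/^[ \t]*user[ \t]*=[ \t]*/, "", line)
      gsub(/"/, "", line)                    # value may be double-quoted
      sub(/[ \t]+$/, "", line)
      split(line, f, ":")
      if (f[3] != "00100")  print "WEAK " f[1] " access-bits=" f[3]
      else if (f[4] == "")  print "WEAK " f[1] " no-chroot"
      else                  print "OK " f[1]
    }
  '
}

sample_conf | audit_rssh_conf
```

Run against a real file with `audit_rssh_conf < /etc/rssh.conf`; the path is an assumption and depends on how rssh was installed.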



