secure cvs on OS X - Mac Programming

  1. #1

    secure cvs on OS X

    Hi

    I have a CVS server running on my machine. It is serving up files
    perfectly.

    How do I get it to run via ssh so authentication and encryption are
    handled correctly? Specifically what do I have to do on the server
    side, and what on the client side.

    thanks
    g
    Graham Matthews Guest

  3. #3

    Re: secure cvs on OS X

    David Magda <dmagda+trace030710ee.ryerson.ca> wrote:
    > Graham Matthews <gymathewscofs.net> writes:
    > [...]
    > > How do I get it to run via ssh so authentication and encryption are
    > > handled correctly? Specifically what do I have to do on the server
    > > side, and what on the client side.
    >
    > Here's one way to do it:
    >
    > First on the server allow logins through ssh as a regular user.
    >
    > On the client, you can then set up SSH tunneling by doing this on the
    > client machine:
    >
    > user@client:~> ssh -L 1234:remote:9876 server "sleep 3600"
    >
    > It tells ssh(1) to set up a tunnel on port 1234 on the local (client)
    > machine to port 9876 on the machine 'remote' after logging in on
    > host 'server'. It then runs the command "sleep 3600" to keep the
    > connection going (you may want to use "top > /dev/null").
    >
    > This is the generic case; in your situation you would have 'remote'
    > and 'server' to the CVS server. Ports 1234 and 9876 should be 2401
    > (the default CVS port).
    >
    > After the tunnel is set up, point CVSROOT to localhost:2401
    > (:pserver:).

    Ok thanks for this.

    I guess I need to configure CVS to only allow local access as well
    right, so that people can only access pserver through ssh, and not
    directly over port 2401?

    graham
    Graham Matthews Guest

  5. #5

    Re: secure cvs on OS X

    In article <gymathews-9F2D38.12021916072003news.cofs.net>,
    Graham Matthews <gymathewscofs.net> wrote:
    > I have a CVS server running on my machine. It is serving up files
    > perfectly.
    >
    > How do I get it to run via ssh so authentication and encryption are
    > handled correctly? Specifically what do I have to do on the server
    > side, and what on the client side.
    If you want to just add a Mac OS X user for each person who needs to access the
    server remotely, then all you have to do is turn on SSH on the server, create
    the users, and make sure that repository permissions are set usefully. On the
    client, you have to set CVS_RSH to ssh in your environment, as per normal
    CVS/ssh procedures.

    meeroh
    Miro Jurisic Guest

  7. #7

    Re: secure cvs on OS X

    Graham Matthews <gymathewscofs.net> writes:
    > I guess I need to configure CVS to only allow local access as well
    > right, so that people can only access pserver through ssh, and not
    > directly over port 2401?
    Well, you can still allow them to have access to port 2401 from
    anywhere... it just won't be secure. :)

    At where I work, we have a script called 'cvs-tunnel':

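    #!/bin/ksh
    # Open a background SSH tunnel from local port 2401 to the CVS pserver.

    if [ -z "$1" ]; then
        # No host given: print usage.
        echo "Usage: ${0##*/} cvs-host-ip"
    else
        # -f backgrounds ssh after login; "sleep 36000" holds the tunnel open.
        ssh -f -L "2401:${1}:2401" "${1}" sleep 36000
    fi

    (It's ksh since we use it mostly on Solaris; haven't tried changing
    it to the more 'portable' Bourne shell: sh(1).)

    You run it as 'cvs-tunnel <cvs_server_ip>'. You can probably also just
    specify a hostname.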

    When we need to access the CVS from a remote site, first thing we do
    is run that command, and then start hacking. Note, that after you run
    it the command line comes back. Every so often we have to kill it and
    restart it: haven't found an elegant way to keep things going.

    Note that, only one person per host has to run this command, and
    anyone that can access the port this script is run on can hop on the
    tunnel to the CVS server. This may or may not be an issue, but you
    should be aware of it.

    Also, it tries to connect as the current user you're logged in as on
    the local box. You could set up logins on the CVS server for only one
    user, e.g., 'cvslogin'. Any commits to the CVS tree will be done
    under the auspices of CVS' access controls. Just change the lone
    "${1}" to (say) "cvslogin@${1}".

    This way you only manage one account on the CVS server (aside from
    any admin accounts).

    You can also set things up so that only SSH public-keys are accepted
    as forms of authentication. This way, if someone wants access, they
    would have to give the admin. a key, which would be added to the list
    of 'authorized-keys' which are allowed to access the 'cvslogin'
    account.

    As you can see you can set things up to be either simple or complex
    depending on your needs.

    --
    David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Magda Guest
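
The tunnel approach from the post above in a hardened form, as an added example that is not part of any poster's message: it prints a tunnel command that needs no `sleep` timer and binds only to loopback, plus an `authorized_keys` entry that limits a key on the shared account to forwarding port 2401. Assumptions: the `cvslogin` account name from the post, pserver listening on the server's loopback, OpenSSH 7.2 or later on the server (for `restrict`); the hostname and key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: account 'cvslogin' (name from
# the post above), pserver bound to the server's loopback, OpenSSH 7.2+ (restrict).
CVS_PORT=2401

# Accept only plain hostnames / IPv4 addresses, so a value that starts with '-'
# can never be parsed by ssh as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print (do not run) the tunnel command for host $1.
#   -N                    no remote command, so no 'sleep' timer that runs out
#   ExitOnForwardFailure  exit if the local port cannot be bound
#   ServerAliveInterval   keepalives so an idle tunnel is not silently dropped
#   127.0.0.1:2401        local end on loopback only, whatever GatewayPorts says
#   localhost:2401        pserver as seen from the server itself
tunnel_cmd() {
    valid_host "$1" || { echo "invalid host: $1" >&2; return 1; }
    opts='-f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60'
    printf 'ssh %s -L 127.0.0.1:%s:localhost:%s cvslogin@%s\n' \
        "$opts" "$CVS_PORT" "$CVS_PORT" "$1"
}

# Print the authorized_keys entry for public key line $1: the key may open a
# forward to localhost:2401 and nothing else (no pty, agent or X11; any command
# request runs /usr/bin/false, the path on Mac OS X).
authorized_keys_line() {
    case "$1" in
        ssh-*' '*|ecdsa-*' '*) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    printf 'restrict,port-forwarding,command="/usr/bin/false",permitopen="localhost:%s" %s\n' \
        "$CVS_PORT" "$1"
}

# Constructed sample values (hostname and key are placeholders).
tunnel_cmd cvs.example.org
authorized_keys_line 'ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER dev@example.org'
```

Binding to 127.0.0.1 keeps other machines off the tunnel, but other accounts on the same client host can still connect to the port, so the pserver login remains the per-user control.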

  9. #9

    Re: secure cvs on OS X

    John Doe <a.nonymousabuse.org> writes:
    > pserver is more secure than ssh (see my previous post on
    > this), because of one simple reason: ssh requires a local user
    > account, pserver does not, and you can lock down CVS much more
    > tightly with ACLs than you can with server-side directory and file
    > permissions.
    And what about the data that is traversing the 'Net in the clear?

    I am not saying that you are wrong though, just bringing up a
    potential concern.

    --
    David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Magda Guest

  11. #11

    Re: secure cvs on OS X

    In article <pan.2003.07.21.11.27.18.831977abuse.org>,
    John Doe <a.nonymousabuse.org> wrote:
    > On Sat, 19 Jul 2003 14:58:25 -0400, David Magda wrote:
    >
    > > Well, you can still allow them to have access to port 2401 from
    > > anywhere... it just won't be secure. :)
    >
    > pserver is more secure than ssh (see my previous post on this),
    And please see my reply. To summarize: The cvs documentation directly
    contradicts this statement and provides counterexamples; I was unable to
    find the cited discussions (or even the news group) on Google.
    > because of one simple reason: ssh requires a local user account, pserver
    > does not, and you can lock down CVS much more tightly with ACLs than you
    > can with server-side directory and file permissions.
    >
    > You have much more control of the code in cvs and your system
    > security with pserver than you do by opening up a potential point of
    > privilege escalation through a local user account using ssh, all to save
    > a non-user's cvs password from being sniffed.
    --

    - rmgw

    <http://www.trustedmedianetworks.com/>

    ----------------------------------------------------------------------------
    Richard Wesley Trusted Media Networks, Inc.

    "Several of the outfits, Ignatius noticed, were new enough and expensive
    enough to be properly considered offenses against taste and decency."
    - John Kennedy Toole, _A Confederacy of Dunces_
    Richard Wesley Guest
