[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Setting up secure cvs server
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Setting up secure cvs server
- From: Joshua Rubin <joshua_(_at_)_cybertron_(_dot_)_cc>
- Date: Sun, 28 Nov 2004 07:46:19 -0700
Thanks! I think I will have to implement something like that. :)
I am wondering if anyone has successfully chrooted cvsupd?
Also, does anyone know how I can set cvsupd to run as an unpriviledged user?
cvsupd will be the only cvs server I will be running, the actual cvs changes
will be made over ssh, like in Patrick's suggestion.
On Saturday 27 November 2004 10:58 pm, Patrick Giagnocavo wrote:
> On Sat, Nov 27, 2004 at 10:34:06PM -0700, Joshua Rubin wrote:
> > Hi,
> > I am looking for some articles to aid in setting up a secure cvs and
> > cvsup server. I know that chrooting and using ssh are the way to go, but
> > I have found minimal information about how to do that. I would love to
> > set up remote password protected developer access without the obvious
> > risks of pserver, unchrooted and sending passwords in plain text. Way
> > too many security issues with doing that...
> I can't speak to your developers, but this is what has worked for me:
> 1. All developers who commit code get SSH access to the server, and
> use CVS over SSH to perform all CVS functions. If you want to lock it
> down further, you can setup SSH to only allow certain commands to be
> run, which denies an attacker access to a shell if a developer's
> account is compromised.
> 2. Anonymous checkout is done via allowing people to download
> tarballs and individual files via a Web interface. There is a
> Python-based web GUI which can serve up a CVS repository, something
> like viewcvs.py .
> I don't run pserver, and have found that the combination of allowing
> developers easy commits, and everyone else easy source code access via
> the Web, in either file by file or tarball form, to be something that
> is acceptable. It is a "good enough" solution, while being much more
Cassini Mission to Saturn
Ultraviolet Imaging Spectrograph (UVIS)
Assistant Team Lead
My PGP Public Key:
[demime 0.98d removed an attachment of type application/pgp-signature]
Visit your host, monkey.org