[cvsnt] Re: CVSNT Best Practise...

Tony Hoyle tmh at nodomain.org
Wed Apr 23 00:40:49 BST 2003


Christer Grimsæth wrote:

> 1) Which protocol do I use?
> We're thinking of using the (new) sserver (SSL) protocol. Does this sound
> reasonable?

Seems OK.  If you want real security make sure the clients are set to check
the server certificate (there's a registry setting to make this the default
on the clients - see the ReadMe file in the wiki) & give the server a valid
certificate.

> Is it possible to use the sspi protocol in this setup? (Remember the
> server is not in our NT-domain).

Yes - if you just add users on the cvs server they'll validate using SSPI. 
Not as secure as sserver (no endpoint validation so you're open to DNS
spoofing etc.) but much more convenient.

> 2) Should I use the "passwd" file or should I create every user on the
> windows box?

With sspi you have no choice - the users must all exist on the machine. 
With sserver it really depends on what you want to do with them.

> If we use the passwd file, can I share it between multiple cvs
> repositories? If we are _not_ using the passwd file, can we still use the
> "cvs passwd" command ?

No - 'cvs passwd' modifies CVS-specific users only... there are lots of
remote admin tools for NT that'll do the same for NT users.
 
> 3) How do I grant access (None, Read and Write) to repositories? And to
> modules inside repositories?
> Do I need the "group" file for this, or do I only use NT groups (and NTFS
> access)?

NTFS access is better from a security point of view - cvs acls are really
designed only as a backup for doing things like locking individual
branches.
 
> As you can understand, I'm mostly concerned about the "manageability" and
> administrative effort needed to get this up and running. I would really
> like to be able to "disable a user", configure "password expire" for a
> user, grant "write access to rep A on module xyz", and so on...

If you want expiry, auditing and things like that you're pretty much forced
to use NT users.. the cvs user mechanism isn't designed to work at that
level.
 
If your machine is a Win2000 machine you should be able to do all the user
admin via the Active Directory..  usrmgr.exe can be persuaded to do the
same thing under NT4 sometimes.  If you have secure VPN access to the
machine it's much safer to rely on NT security to handle the permissions
(then use sserver for the users to connect as above).

Tony
