[cvsnt] SSPI Protocol security

Bo Berglund Bo.Berglund at system3r.se
Fri Mar 7 12:32:05 GMT 2003


Concerning "best practices" over Internet:
1) Set up your server to *only* allow SSPI and other secure protocols (like SSH)
   (Disable pserver by erasing the pserver_protocol.dll from the server)
2) Open the firewall port 2401 and aim it towards your internal CVSNT server.
3) On the client side set your sspi as follows
   :sspi:user@server:/repository
   (server must be the firewall IP address in this case)
   Also make sure to check the encryption flag in WinCvs (button to the right
   of the protocols selection combo).
4) You must start on the client by doing a cvs login and enter the system
   password for the user. It will be sent encrypted and is also stored in your
   client PC in a fairly secure way for reuse on later cvs operations.
5) Now you can operate on this CVSNT server via the Internet as usual.

I have done this myself and it works pretty well; actually, the combination of
encryption and compression makes it usable even on a dialup link to the
Internet provider.

/Bo


-----Original Message-----
From: Tony Hoyle [mailto:tmh at nodomain.org]
Sent: den 7 mars 2003 11:44
To: cvsnt at cvsnt.org
Subject: Re: [cvsnt] SSPI Protocol security


On Fri, 7 Mar 2003 09:33:19 -0000, "Thomas Muller" <ttm at online.no> wrote:

>Hi,
>
>Pardon my ignorance regarding the different protocols and CVS in general,
>but documentation is a bit scarce with respect to security implications
>except for the pserver protocol which is considered highly unsecure.
>
>How secure is SSPI? Is it just used for authentication and after that the
>actual transmission of commands and file contents is open?
>
It's as secure as MS wrote it...  Basically SSPI from a Win9x machine is about
as secure as pserver (NTLMv1 is trivially crackable).  Between NT machines
though it's pretty secure.

If you enable encryption then all the traffic is encrypted, although there's
little documentation about what encryption is used so I couldn't say how
secure it is - I guess it's pretty secure as I've never heard of anyone
cracking it.

Tony

_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
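
An added example, not part of the original thread: a small audit that walks a directory of checked-out working copies, reads each CVS/Root file, and reports any whose access method is not SSPI or SSH, which is the client-side counterpart of step 1 above. The method name "ssh", the sample roots and the directory names are assumptions constructed for the example.

```python
import os
import tempfile

# Policy from the thread: only SSPI and other secure protocols such as SSH.
# The method name "ssh" is an assumption of this example.
ALLOWED_METHODS = {"sspi", "ssh"}

def access_method(cvsroot):
    """Return the lower-cased access method of a CVSROOT, or None if it has none."""
    cvsroot = cvsroot.strip()
    if not cvsroot.startswith(":"):
        return None  # bare path or host:/path, no explicit method
    method, sep, _rest = cvsroot[1:].partition(":")
    if not sep or not method:
        raise ValueError("malformed CVSROOT: %r" % cvsroot)
    # Tolerate ";key=value" options that some CVS versions accept after the method.
    return method.split(";", 1)[0].lower()

def audit_tree(top):
    """Walk `top` and return (root_file, cvsroot, method) for each CVS/Root
    whose access method is not in ALLOWED_METHODS."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        if os.path.basename(dirpath) != "CVS" or "Root" not in files:
            continue
        root_file = os.path.join(dirpath, "Root")
        with open(root_file, encoding="utf-8", errors="replace") as fh:
            cvsroot = fh.readline().strip()
        try:
            method = access_method(cvsroot)
        except ValueError:
            method = "malformed"
        if method not in ALLOWED_METHODS:
            findings.append((root_file, cvsroot, method))
    return sorted(findings)

def demo():
    """Build three constructed working copies and audit them."""
    samples = {  # constructed sample roots, not taken from a real server
        "proj_a": ":sspi:user@server:/repository",
        "proj_b": ":pserver:user@server:/repository",
        "proj_c": ":ssh:user@server:/repository",
    }
    with tempfile.TemporaryDirectory() as top:
        for name, root in samples.items():
            os.makedirs(os.path.join(top, name, "CVS"))
            with open(os.path.join(top, name, "CVS", "Root"), "w") as fh:
                fh.write(root + "\n")
        return [(os.path.relpath(p, top), r, m) for p, r, m in audit_tree(top)]
```

Calling `audit_tree()` on a real checkout directory returns an empty list when every working copy uses an allowed method.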

