[cvsnt] SSPI Protocol security

Thomas Muller ttm at online.no
Fri Mar 7 13:42:12 GMT 2003


Thanks a lot for the help so far. It's working now, but only when the
repository is on the same box as the CvsNT server. When the repository is on
a share, CVS does not seem to have permissions to read the repository.
However, the permissions seem to be fine when I access the repository in
pserver mode.

My setup is as follows:

CvsNt is running on a box as administrator (configured in "Log on" tab in the
service console). On this box I've added a user which is also added in the
repository's passwd file. The user exists both on the host running CvsNt and
on the host with the share, with the same password, and is a member of the
administrators group on both hosts. I've even tried to run CvsNt as this
user, but no luck. Cvs reports "[server aborted]: Cannot access
G:\BaseCamp\VersionControl: Permission denied".

Any ideas what's happening and the remedy?

Thanks!

--

Thomas




| -----Original Message-----
| From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org]On Behalf
| Of Bo Berglund
| Sent: 07 March 2003 12:32
| To: cvsnt at cvsnt.org
| Subject: RE: [cvsnt] SSPI Protocol security
|
|
| Concerning "best practices" over Internet:
| 1) Set up your server to *only* allow SSPI and other secure protocols
|    (like SSH)
|    (Disable pserver by erasing the pserver_protocol.dll from the server)
| 2) Open the firewall port 2401 and aim it towards your internal CVSNT
|    server.
| 3) On the client side set your sspi as follows
|    :sspi:user@server:/repository
|    (server must be the firewall IP address in this case)
|    Also make sure to check the encryption flag in WinCvs (button to the
|    right of the protocols selection combo).
| 4) You must start on the client by doing a cvs login and enter the system
|    password for the user. It will be sent encrypted and is also stored in
|    your client PC in a fairly secure way for reuse on later cvs operations.
| 5) Now you can operate on this CVSNT server via the Internet as usual.
|
| I have done this myself and it works pretty well, actually the
| combination of encryption and compression makes it usable even on a
| dialup link to the Internet provider.
|
| /Bo
|
|
| -----Original Message-----
| From: Tony Hoyle [mailto:tmh at nodomain.org]
| Sent: den 7 mars 2003 11:44
| To: cvsnt at cvsnt.org
| Subject: Re: [cvsnt] SSPI Protocol security
|
|
| On Fri, 7 Mar 2003 09:33:19 -0000, "Thomas Muller" <ttm at online.no> wrote:
|
| >Hi,
| >
| >Pardon my ignorance regarding the different protocols and CVS in general,
| >but documentation is a bit scarce with respect to security implications
| >except for the pserver protocol which is considered highly unsecure.
| >
| >How secure is SSPI? Is it just used for authentication and after that the
| >actual transmission of commands and file contents is open?
| >
| It's as secure as MS wrote it...  Basically SSPI from a Win9x machine is
| about as secure as pserver (NTLMv1 is trivially crackable).  Between NT
| machines though it's pretty secure.
|
| If you enable encryption then all the traffic is encrypted, although
| there's little documentation about what encryption is used so I couldn't
| say how secure it is - I guess it's pretty secure as I've never heard of
| anyone cracking it.
|
| Tony
|
| _______________________________________________
| cvsnt mailing list
| cvsnt at cvsnt.org
| http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
|
|


