[cvsnt] Securing pserver on CVSNT: tunneling with ssh
David Somers
dsomers at omz13.com
Thu Aug 10 14:42:27 BST 2006
Damien Moore wrote:
Note: Excite really garbled your message. Groan.
[snip]
> Another problem is if I have port 2401 open,
> pserver switched off, require encryption turned on, but I accidentally
> cvs -d :pserver:user"at"repos:/repos login (instead of sserver) its not
> clear to me that the password isn't being sent down the insecure channel
> despite the failure of login - i get a nondescript -1 error. (with only
> require authentication turned on it seems that i can
> actually login with pserver, just can't run commands). Can you confirm
> that the password isn't being sent down the unsecure channel in this
> scenario?
[snip].
Sorry to say, when you use pserver, by accident or otherwise, your password
will be exposed (albeit in a trivially encoded manner).
You could avoid this by, either:
1. Not installing the pserver protocol on your client machine. (If the
protocol isn't there you can't accidentally use it... but you then won't be
able to use pserver to connect to any anonymous sites).
2. Connect indirectly via a proxy which munges from pserver to sserver... I
just posted a message to this list about my cvssproxy add which does just
that :-)
--
David Somers
typographer/programmer/whatever
More information about the cvsnt
mailing list