[cvsnt] Securing pserver on CVSNT: tunneling with ssh

[David Somers]

Tony Hoyle wrote:

> David Somers wrote:
>> Actually, it doesn't need a GUI since it (ab)uses the root connection
>> string to indicate the remote host required... thoughts on that most
>> welcome.
> 
> I thought of that, and it works for most applications, but it would also
> be nice to support profiles eg. different protocols, ports, etc.

I may be convinced that being able to proxy to a different destination port
might be useful... but are there practical reasons to having a cvsnt server
bind to a port other than its official IANA registered one?

I'm less convinced that being able to support other protocols is necessary.
If you want to use a secure connection and your brain dead client app only
supports pserver or its too much grief to get it to do otherwise, then
cvssproxy is a lightweight solution that works. It may be tempting to have
the proxy switch from pserver to sspi, but I think there are practical and
security implications against it. Comments for and against welcome.

> Kinda the way putty does it - if you have a profile by that name it uses
> that otherwise it uses the defaults.

Yep. I know what you mean... I tend to use PuTTY a heck of a lot

> Hmm.. I see you did it by talking to ssl directly.

Yes. KISS.

> If you want to support 
> different protocols link to cvsapi...  

Sure.

> have a look at the extnt source - 
> it's really simple and could be abused to make a proxy pretty easily
> (which is what I was intending to do).

But as I said above, I'm not convinced that supporting other protocols is
really necessary.

> Of course yours has the advantage that it's completely standalone...

When a proxy doesn't follow the KISS method its more inclined to break :-)

I'll probably statically link the SSL stuff (instead of using DLLs) so at
the end of the day it'll have no dependencies too. Can't get much simpler
than that :-)

-- 
David Somers
typographer/prograsmmer/whatever