[PLUG] CVS server security
Will Andrews
Will Andrews <will@physics.purdue.edu>
Mon, 12 Feb 2001 16:03:43 -0500
On Mon, Feb 12, 2001 at 10:56:40AM -0500, Ian Neath wrote:
> I've set up a cvs server and I have a general question about how secure
> the following setup is (I've never done remote CVS before). I've gone
> through cvshome.org and cvsbook.red-bean.com.
>
> The server runs Debian (fresh install of potato, with all updates), and
> the client machines will use OpenSSH (CVS_RCS=ssh).
>
> /etc/inetd has the following entry:
>
> cvspserver stream tcp nowait.400 root /usr/sbin/tcpd /usr/bin/cvs -b /usr/bin --allow-root=/foo/cvsroot pserver
>
> I have hosts.deny set to ALL: ALL
>
> I have hosts.access set to sshd: ALL and cvs: ALL
>
> I'm not running any other services (e.g., no httpd, no portmap, no nfs,
> no ftp). Nmap shows only ports 22 (ssh) and 2401 (cvspserver) open.
>
> In CVSROOT/config I have SystemAuth=no
>
> In CVSROOT/ I have a passwd file that contains only 3 users and their
> crypted passwords. I do not have an "anonymous" user listed.
>
> Is this a reasonably secure setup or have I missed something? (For
> example, I'm not concerned about physical security or firewalls at this
> point.)
Well, you might want to consider simply giving the users in question
accounts on the machine and using CVS_RSH=ssh, CVSROOT=machine:/path/to/root
for authentication purposes. However, if you really require cvspserver, the
above should suffice (but a firewall would be a good idea; block access from
all unknown hosts).
-- 
wca
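
An added example, not part of the original messages: a small Python check of the pserver settings listed in the thread, run over constructed samples. It assumes the TCP wrappers daemon name `cvs` used in the thread, that `SystemAuth` defaults to `yes` when unset, and that `CVSROOT/passwd` lines have the form `user:crypted_password[:system_user]` with an empty password field accepting any password; the function name, user names and hashes are placeholders.

```python
import re

def _lines(text):
    """Yield non-blank lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_pserver(allow_rules, cvs_config, cvs_passwd):
    """Return findings for a CVS pserver setup; an empty list means none."""
    findings = []
    # TCP wrappers allow rules: "daemon_list : client_list"; ALL admits every host.
    for line in _lines(allow_rules):
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]
        daemon_set = set(re.split(r"[,\s]+", daemons.strip()))
        client_set = set(re.split(r"[,\s]+", clients.strip()))
        if daemon_set & {"cvs", "ALL"} and "ALL" in client_set:
            findings.append("wrappers: pserver reachable from ALL hosts")
    # CVSROOT/config: an unset SystemAuth means fallback to system accounts.
    system_auth = "yes"
    for line in _lines(cvs_config):
        key, _, value = line.partition("=")
        if key.strip() == "SystemAuth":
            system_auth = value.strip().lower()
    if system_auth != "no":
        findings.append("config: SystemAuth is not 'no'")
    # CVSROOT/passwd: flag an anonymous entry and empty password fields.
    for line in _lines(cvs_passwd):
        fields = line.split(":")
        password = fields[1] if len(fields) > 1 else ""
        if fields[0] == "anonymous":
            findings.append("passwd: anonymous user present")
        if not password:
            findings.append(f"passwd: {fields[0]} has an empty password field")
    return findings

# Constructed samples: POSTED mirrors the settings quoted in the thread,
# LOOSE is a deliberately weaker setup to show what the checks catch.
POSTED = dict(allow_rules="sshd: ALL\ncvs: ALL\n",
              cvs_config="SystemAuth=no\n",
              cvs_passwd="alice:PLACEHOLDER1\nbob:PLACEHOLDER2\ncarol:PLACEHOLDER3\n")
LOOSE = dict(allow_rules="cvs: 192.0.2.10\n",
             cvs_config="# SystemAuth left at its default\n",
             cvs_passwd="anonymous::cvsanon\n")

if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("loose", LOOSE)):
        print(name, audit_pserver(**sample))
```

On the posted settings the only finding is the `cvs: ALL` rule, which is the point the reply raises about blocking unknown hosts.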