[cvsnt] SSH

philippe.legrain at scxmedical.se
Thu Feb 5 08:44:00 GMT 2004




Well, the server is still in test, so we are currently living with this "SYSTEM:" problem.  If you follow the link previously mentioned on this message, the sender proposes to use this ssh server: http://vandyke.com/, which could be an option if they don't license on a "per user" basis.  I was going to test-drive it today as replacement of opensshd.  Another alternative (which is the best for me) is to use a unix flavor on the server.  Then you get a proper sshd and almost-instant update when a security warning is issued.

For the traffic forwarding: I don't know the details, but as far as I know we redirect all incoming traffic on port 22 (ssh) on the firewall to an internal machine (the cvs server).  So the machine can only be accessed through this port from outside, and any other services running on this machine (http, mail, what-you-have,..) are accessible from the internal network.

Philippe Legrain
Software engineering
SCANDITRONIX-WELLHÖFER <http://www.scanditronix-wellhofer.com/>
Stålgatan 14
S-754 50 UPPSALA SWEDEN
Tel + 46 18 180793
philippe.legrain at scxmedical.se <mailto:philippe.legrain at scxmedical.se>




-----Original Message-----
From: ELoy at riverdeep.net [mailto:ELoy at riverdeep.net]
Sent: den 4 februari 2004 20:39
To: Philippe Legrain
Cc: cvsnt at cvsnt.org
Subject: RE: [cvsnt] SSH


This is great news.  What SSH package are you using, and how did you
configure it for traffic forwarding?  I have been unable to get SSH to
work with WinCVS.  Have you had any luck?

One additional requirement that I forgot:  The CVS machine is used for other
things.  We don't want external users to be able to use anything other than
CVS.

-Erin

-----Original Message-----
From: philippe.legrain at scxmedical.se [mailto:philippe.legrain at scxmedical.se]
Sent: Wednesday, February 04, 2004 12:37 AM
To: ELoy at riverdeep.net
Cc: cvsnt at cvsnt.org
Subject: RE: [cvsnt] SSH

Hi,

I am setting up a cvs server using cvsnt in my company (two distant sites
will be using it), and we basically have the same base requirements as you
that is:
- server exposed on the internet
- the firewall forwards connections through port 22 (ssh) from outside to the
cvs server
- accounts for cvs access are set locally on the machine.
- we would like to use rsa key authentication

The setup works fine so far, the only problem we are experiencing is on the
key authentication side.  We have set up the server with the free OpenSSHd
server, and one well-known issue with this particular server on
Windows is that it doesn't actually record the submitter's name into the
repository but records SYSTEM instead, which can prove very annoying when it
comes to source management.  This issue doesn't seem to happen with
commercial implementations of sshd server, so you might consider buying one
of those in order to have things running smoothly.

See http://www.cvsnt.org/pipermail/cvsnt/2001-December/000056.html for more

Philippe Legrain



-----Original Message-----
From: ELoy at riverdeep.net [mailto:ELoy at riverdeep.net]
Sent: den 4 februari 2004 09:24
To: grstarrett at cox.net; cvsnt at cvsnt.org
Subject: RE: [cvsnt] SSH


 It would most likely need to be exposed on the Internet.  I can have our IT
guys punch a hole in our firewall, but only if I can assure them (and
demonstrate) that the connection is secure.  External users would probably
have local accounts on the machine, and internal users would use domain
credentials.  SSH/SSL style encryption would be required, and forcing
authentication via an RSA style key would be even better.  We already have
HTTP servers exposed to the Internet, but the CVS server is behind another
firewall, so it would be nice if I could put SSH on one of the exposed
servers and forward the traffic to the CVS box (I read something about that
being possible...), but it's not a requirement.

-Erin

-----Original Message-----
From: Glen Starrett
To: cvsnt at cvsnt.org
Sent: 2/3/2004 9:00 PM
Subject: Re: [cvsnt] SSH

Erin Loy wrote:

>Hi All,
>
>I'm fairly new to CVS, and could use some help on this one.  We need to
>work collaboratively with contractors in India, and I need to get CVSNT
>working securely enough to expose a proprietary repository to them on the
>Internet.  The documentation that I've used up to this point assumes a lot
>about my knowledge of secure communications, and frankly I'm confused at
>this point.
>
>Where should I start?
>
Good question....  very vague and hard to answer though.  Are you on an
intranet (private link / VPN) to India, over the Internet, is encryption
required (if you already are using a VPN then the communication is
encrypted), etc. etc.

CVSNT supports a number of protocols, and most can be encrypted I believe.
You can tell the server to force encryption.  You can have source
verification (e.g. SSH or SSL), there might be a way to do client
verification (would gserver help with that??).

I don't have the answers, but I could lead you to more questions...  :)

--------------------
Glen Starrett



_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt