On Tue, 16 Jul 2002, Mike Ayers wrote:

> Helmut Mucker wrote:
>
> > Is there a way to access our corporate repository
> > from the Internet? Our security policy prohibits
> > direct connections from the Internet to the
> > CVS-Server.
>
> ACK! Haven't they heard of ssh?

I'm sure they have; however, using ssh requires opening up a port from the
DMZ to their internal network. In the minds of the super-paranoid, this
introduces the risk of someone exploiting a security hole in ssh.

I think that if you combine ssh with host-based access control, and ensure
that you only allow crypto authentication, you really have nothing to worry
about. In other words, open the ssh port only for packets that are coming
from certain IP addresses or networks.

> > Can it be done using a ssh-proxy in the DMZ
> > or something else?
>
> It *can*...
>
> However, since the stock response you will get on this issue will be "use ssh,
> that's what it's for", you may find that no prewritten proxy exists. I would
> not expect one, certainly.

What you can do is nest two ssh connections. You see, you can use ssh to
tell one machine to execute a command on a third machine using ssh.

    ssh dmz-host 'ssh secure-host command'

With ssh-agent forwarding, it should work. Anyway, it's worth investigating
this ``proxy'' scheme.

-- 
Meta-CVS: solid version control tool with directory structure versioning.
http://users.footprints.net/~kaz/mcvs.html http://freshmeat.net/projects/mcvs
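Added example (not part of the original post): a `CVS_RSH` wrapper that nests the two ssh connections described above, so that `cvs` on an outside client reaches the repository through the DMZ host with key-based authentication only. The default host name `dmz-host` comes from the post; the script name `cvs-via-dmz`, the `DMZ_HOST` variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as "cvs-via-dmz" and selected with
# CVS_RSH=cvs-via-dmz. It receives the arguments CVS would hand to ssh
# (server host first, then the remote command) and relays them through
# the DMZ host: ssh dmz-host 'ssh secure-host command'.

DMZ_HOST="${DMZ_HOST:-dmz-host}"   # assumption: overridable via environment

# Quote one word for the shell on the DMZ host: wrap it in single quotes
# and rewrite each embedded ' as '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the command line the DMZ host should run.
# Returns 64 on too few arguments, 65 when the target host is empty or
# begins with '-' (which the inner ssh would parse as an option).
nested_cmd() {
    [ "$#" -ge 2 ] || return 64
    case "$1" in
        ''|-*) return 65 ;;
    esac
    # BatchMode=yes: never fall back to an interactive password prompt.
    cmd="ssh -o BatchMode=yes"
    for word in "$@"; do
        cmd="$cmd $(shquote "$word")"
    done
    printf '%s\n' "$cmd"
}

# Act only when invoked under the wrapper's (hypothetical) name.
case "${0##*/}" in
    cvs-via-dmz)
        inner=$(nested_cmd "$@") || {
            echo "cvs-via-dmz: refusing arguments: $*" >&2
            exit 64
        }
        # -A forwards the local ssh-agent so the second hop can
        # authenticate with the same key, as the post suggests.
        exec ssh -A -o BatchMode=yes "$DMZ_HOST" "$inner"
        ;;
esac
```

Agent forwarding (`-A`) makes the agent usable by anyone with root on the DMZ host for as long as the connection is open, so a key dedicated to repository access limits what that exposes.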