RE: security question
> Password-protected keys help protect them against theft. I would encourage everyone to use such keys. Or did I misunderstand your post?

Are you talking about ssh-agent, or passphrase-based ssh keys, or an external layer of encryption on the keyfiles, or what? Please be specific.

ssh-agent, for instance, would be a bit more secure, as long as you're sitting down at the console of one SSH-equipped workstation, and don't mind taking a minute to systematically start up ssh-agent connections to each host with which you plan to communicate during that session.

My biggest problem with any of these approaches, besides the inconvenience, is they eliminate the opportunity for secure, automated batch processes. I have various cron jobs that fire off automatically, connect to different servers, do reports/extracts/whatever, and so on. For that, AFAIK, you need to store your keys in the filesystem.

Correct me if I'm wrong, but as long as your private key is chmod 600, the only way it will be compromised is if your local workstation gets rooted. If that happens, ssh-agent itself can be quickly trojaned with a compromised copy that collects passwords. Likewise, if you're just using passphrase-encrypted keys, ssh and cvs themselves are both compromised on a rooted box...so what's the difference? Or am I missing something?

Thanks...this is more interesting than listening in on pserver discussions :-)

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
Re: security question
Zieg, Mark wrote:
> My biggest problem with any of these approaches, besides the inconvenience, is they eliminate the opportunity for secure, automated batch processes. I have various cron jobs that fire off automatically, connect to different servers, do reports/extracts/whatever, and so on. For that, AFAIK, you need to store your keys in the filesystem.
>
> Correct me if I'm wrong, but as long as your private key is chmod 600, the only way it will be compromised is if your local workstation gets rooted. If that happens, ssh-agent itself can be quickly trojaned with a compromised copy that collects passwords. Likewise, if you're just using passphrase-encrypted keys, ssh and cvs themselves are both compromised on a rooted box...so what's the difference? Or am I missing something?

There's a tool called keychain [1] that acts as a frontend to ssh-add and ssh-agent. It will allow one to use password encrypted keys in crons as you suggest, and eliminates the hassle of adding your keys to your agent every session. YMMV.

[1]: http://www.gentoo.org/proj/en/keychain.xml

--
Scott Moynes
Canadian Bank Note Co. Ltd.
[EMAIL PROTECTED]
(613) 225-3018 x2272
RE: security question
--- Zieg, Mark [EMAIL PROTECTED] wrote:
> > Password-protected keys help protect them against theft. I would encourage everyone to use such keys. Or did I misunderstand your post?
>
> Are you talking about ssh-agent, or passphrase-based ssh keys, or an external layer of encryption on the keyfiles, or what? Please be specific.

I previously posted saying that SSH keys should be password-protected and that if they were, one can run ssh-agent so that one needn't type in the password each time, or type in the password for each use.

> ssh-agent, for instance, would be a bit more secure, as long as you're sitting down at the console of one SSH-equipped workstation, and don't mind taking a minute to systematically start up ssh-agent connections to each host with which you plan to communicate during that session.

In the past, I had set up my system to start up ssh-agent upon first login. It wasn't such a big deal.

> My biggest problem with any of these approaches, besides the inconvenience, is they eliminate the opportunity for secure, automated batch processes.

I don't see how. So long as there's an already-running ssh-agent, a batch process can use it. True, if the machine were rebooted, there'd be no automated way to recover, but hey, that's the price for more security.

> I have various cron jobs that fire off automatically, connect to different servers, do reports/extracts/whatever, and so on. For that, AFAIK, you need to store your keys in the filesystem.

AFAIK, the keys need to be stored on the filesystem in any SSH setup. If you meant that the keys can't be password-protected, like I said, just have ssh-agent running in the background (then have your cron job 'ps' to get the ssh-agent PID).

> Correct me if I'm wrong, but as long as your private key is chmod 600, the only way it will be compromised is if your local workstation gets rooted.

Maybe. One question I've had in the past is whether keys should be backed up or not. If they are, there's now at least one copy of them. I believe this increases the chances (even minutely) of them falling into the wrong hands. In the end, if you haven't done a complete security audit of the entire backup procedures, you can't trust them to be secure.

> If that happens, ssh-agent itself can be quickly trojaned with a compromised copy that collects passwords.

This is one reason why I'd like trusted OS's (eg no one user, including root, is all-powerful) to take off faster but that's another topic.

> Likewise, if you're just using passphrase-encrypted keys, ssh and cvs themselves are both compromised on a rooted box...so what's the difference? Or am I missing something?

If you're assuming that the only compromise possible for keys is a root compromise then you are correct. How sure are you that that's the only compromise?

> Thanks...this is more interesting than listening in on pserver discussions :-)

I agree :-)

Noel
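The batch-job arrangement discussed in this message, as an added example that is not part of the original thread: a cron wrapper that reuses an already-running ssh-agent and fails closed when the agent is gone, for instance after a reboot. It assumes the agent was started at login with `ssh-agent -s > ~/.ssh/agent.env`; that path and the function names are hypothetical.

```sh
#!/bin/sh
# Assumption: at login the agent was started with
#   ssh-agent -s > "$HOME/.ssh/agent.env"    (hypothetical path)
# and the passphrase-protected key was then loaded with ssh-add.

# agent_sock_from FILE: print the socket path recorded in FILE.
# The file is parsed, not sourced, so a tampered file cannot run commands.
agent_sock_from() {
    [ -f "$1" ] || return 1
    # refuse a file that group or others could have rewritten
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \))" ] || return 1
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# agent_usable SOCK: true only if SOCK is a live agent holding at least one key.
agent_usable() {
    [ -n "$1" ] && [ -S "$1" ] || return 1
    # ssh-add -l exits non-zero when the agent is unreachable or empty
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1
}

# run_batch ENVFILE COMMAND...: run COMMAND with the agent, or fail closed.
run_batch() {
    envfile=$1; shift
    sock=$(agent_sock_from "$envfile") || return 1
    if ! agent_usable "$sock"; then
        echo "no usable ssh-agent (rebooted, or keys not added)" >&2
        return 1
    fi
    SSH_AUTH_SOCK=$sock "$@"
}

# Stand-alone use from cron: agent-batch.sh ENVFILE COMMAND...
if [ $# -gt 1 ]; then
    run_batch "$@"
fi
```

Passing `-o BatchMode=yes` to the ssh command run through `run_batch` keeps a job from hanging on a prompt if the key is ever missing from the agent.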
Re: security question
One other problem with pserver is that passwords are stored in the clear on the users' home directories. At least with SSH, the keys can be encrypted using a password that the user enters either upon login or on a per-use basis.

Noel

--- Steven Tryon [EMAIL PROTECTED] wrote:
> We run pserver on a machine behind a firewall and access with redirected ports with ssh. Someone posted on this list a cookbook ssh command to do so...
>
>     ssh [EMAIL PROTECTED] -L 2401:host.whatever.com:2401
>
> Then set your CVSROOT to point to localhost. Works.
>
> Steve
>
> On Thu, 2002-12-12 at 10:51, Phil R Lawrence wrote:
> > I saw in the docs how to set up pserver and how it can manage read-write permissions. But I won't run a server without encryption.
>
> --
> Steven Tryon, ciber @ Xerox
> Webmaster, Xerox Global Service Net
> 8*227-1898 / 585-427-1898
RE: security question
> One other problem with pserver is that passwords are stored in the clear on the users' home directories. At least with SSH, the keys can be encrypted using a password that the user enters either upon login or on a per-use basis.

Actually, if you set up your ssh keys correctly (ssh-keygen -t dsa), then you never have to enter your password at all.
Re: security question
Steven Tryon wrote:
> On Thu, 2002-12-12 at 10:51, Phil R Lawrence wrote:
> > I saw in the docs how to set up pserver and how it can manage read-write permissions. But I won't run a server without encryption.
>
> We run pserver on a machine behind a firewall and access with redirected ports with ssh. Someone posted on this list a cookbook ssh command to do so...
>
>     ssh [EMAIL PROTECTED] -L 2401:host.whatever.com:2401
>
> Then set your CVSROOT to point to localhost.

OK. I can follow the cookbook above for client access from windows and linux, but how can I establish that same mapping for developers when they are already logged onto the machine with the repository? i.e., how can a developer on localhost log into the pserver using SSH?

Phil

PS: Does this look right?

/etc/passwd:
    lskywalk:x:600:600:Luke Skywalker:/home/lskywalk:/bin/bash
    cvs-lsky:x:601:601:Luke Skywalker:/home/usr/local/cvs:/bin/false
    askywalk:x:600:600:Anakin Skywalker:/home/askywalk:/bin/bash
    cvs-asky:x:601:601:Anakin Skywalker:/home/usr/local/cvs:/bin/false

/etc/group:
    cvs-fooproj:x:600:cvs-lsky
    cvs-barproj:x:600:cvs-lsky,cvs-asky

CVSROOT/passwd:
    lskywalk:nn:cvs-lsky
    askywalk:nn:cvs-asky

THEN:
    # chgrp -R cvs-fooproj /usr/local/cvs/fooproj
    # chmod g+srwx /usr/local/cvs/fooproj
    # chmod o+rx /usr/local/cvs/fooproj
    # chmod o-w /usr/local/cvs/fooproj
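An added consistency check for this kind of account layout (not part of the original post): it flags system accounts that share a UID, which the kernel treats as a single user, and CVSROOT/passwd entries that map to a missing account or to one with a login shell. The sample files are constructed and use hypothetical names.

```sh
#!/bin/sh
# check_cvs_accounts SYSTEM_PASSWD CVSROOT_PASSWD
# Prints one finding per line; prints nothing when the two files agree.
check_cvs_accounts() {
    awk -F: '
        /^#/ || NF == 0 { next }
        FNR == NR {                      # first file: system passwd
            if ($3 in owner)             # same UID = same user to the kernel
                print "duplicate-uid " $3 ": " owner[$3] " and " $1
            else
                owner[$3] = $1
            shell[$1] = $7
            next
        }
        NF >= 3 {                        # second file: cvsuser:crypt:sysuser
            if (!($3 in shell))
                print "unknown-system-user " $3 " (cvs user " $1 ")"
            else if (shell[$3] !~ /(false|nologin)$/)
                print "login-shell " $3 ": " shell[$3]
        }
    ' "$1" "$2"
}

# sample_findings: run the check on constructed data (hypothetical names).
sample_findings() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
alice:x:600:600:Alice:/home/alice:/bin/bash
cvs-alice:x:601:601:Alice (CVS):/usr/local/cvs:/bin/false
bob:x:602:602:Bob:/home/bob:/bin/bash
cvs-bob:x:601:603:Bob (CVS):/usr/local/cvs:/bin/false
EOF
    cat > "$dir/cvs-passwd" <<'EOF'
alice:CRYPTED:cvs-alice
bob:CRYPTED:cvs-bob
carol:CRYPTED:cvs-carol
dave:CRYPTED:bob
EOF
    check_cvs_accounts "$dir/passwd" "$dir/cvs-passwd"
    rm -rf "$dir"
}

sample_findings
```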
RE: security question
--- Zieg, Mark [EMAIL PROTECTED] wrote:
> > One other problem with pserver is that passwords are stored in the clear on the users' home directories. At least with SSH, the keys can be encrypted using a password that the user enters either upon login or on a per-use basis.
>
> Actually, if you set up your ssh keys correctly (ssh-keygen -t dsa), then you never have to enter your password at all.

Password-protected keys help protect them against theft. I would encourage everyone to use such keys. Or did I misunderstand your post?

Noel
Re: security question
--- Phil R Lawrence [EMAIL PROTECTED] wrote:
> OK, I've settled on either importing our entire ERP source with -kb or writing a script to traverse the sourcetree and check in the files intelligently as either binary or text. (anyone already have a script that does this?)
>
> Now, about security. We would be a multi-client shop, so I need SSH to encrypt sign-on info. Also, to make auditors very happy, we need to grant and deny write security to various projects in the repository.
>
> I saw in the docs how to set up pserver and how it can manage read-write permissions. But I won't run a server without encryption.
>
> How can I have SSH *and* locked down projects *and* locked down CVSROOT dir? Security is very important.

Don't use pserver if security is very important. IMHO, pserver is meant to be convenient, not secure. I believe there's an item in the FAQ on setting up SSH. There should also be a FAQ item on using file system ACLs. Alternatively, you might consider creating separate repositories rather than one repository.

Noel
Re: security question
Phil R Lawrence writes:
> I saw in the docs how to set up pserver and how it can manage read-write permissions. But I won't run a server without encryption.
>
> How can I have SSH *and* locked down projects *and* locked down CVSROOT dir?

Forget pserver, use SSH with individual system accounts. Then you can use normal permissions to control access to directories within the repository. People need read access to a directory in order to do anything at all with it and write access to a directory to modify the files in it (commit changes, add tags, etc.). If you plan to allow read-only users, you'll need to set LockDir= in CVSROOT/config to a world-writable directory where CVS can put the lock files.

-Larry Jones

I always send Grandma a thank-you note right away. ...Ever since she sent me that empty box with the sarcastic note saying she was just checking to see if the Postal Service was still working. -- Calvin
Re: security question
At 10:51 AM 12/12/2002, Phil R Lawrence wrote:
> Now, about security. We would be a multi-client shop, so I need SSH to encrypt sign-on info. Also, to make auditors very happy, we need to grant and deny write security to various projects in the repository.

We are a multi-client shop, too. We use a combination of group membership explained in http://www.cvshome.org/docs/manual/cvs_2.html#SEC13 and completely separate repository roots. A loginfo script runs to ensure that permissions are correct after every commit.

Every commercial client gets their very own separate repository. Government unclassified clients may or may not share modules within a repository depending on the nature of the projects. Our own proprietary software has its own set of repositories.

We use multiple repositories to make it easier to audit where things came from. It's also easier to archive all of the software that goes with a single client when all of the software is under a CVSROOT unique to that client.

Fred
___
Frederic W. Brehm, Sarnoff Corporation, http://www.sarnoff.com/
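An added example of the permission model described in the two replies above (directory permissions as the access control, and a script run from loginfo that keeps them correct after each commit). It is not Fred's script and not part of the original thread; the function names and the stand-alone invocation are hypothetical.

```sh
#!/bin/sh
# audit_project DIR: list directories that break the group-access model.
audit_project() {
    # any local account could add or replace files here
    find "$1" -type d -perm -0002 | sed 's/^/world-writable /'
    # without setgid, new entries take the committer's primary group
    find "$1" -type d ! -perm -2000 | sed 's/^/no-setgid /'
    # committers need group rwx on the directory to create locks and rewrite ,v files
    find "$1" -type d ! -perm -0070 | sed 's/^/group-cannot-write /'
}

# enforce_project DIR [GROUP]: repair what the caller is allowed to repair.
# Run from loginfo it executes as the committer, so it is limited to entries
# that user owns; anything else stays visible in audit_project.
enforce_project() {
    me=$(id -u)
    if [ -n "${2:-}" ]; then
        find "$1" -user "$me" -exec chgrp "$2" {} +
    fi
    find "$1" -type d -user "$me" -exec chmod g+rwxs,o-w {} +
    find "$1" -type f -user "$me" -exec chmod o-w {} +
}

# Stand-alone use: repo-perms.sh /path/to/project [group]
if [ $# -gt 0 ]; then
    enforce_project "$@"
    audit_project "$1"
fi
```

Empty output from `audit_project` means every directory under the project is setgid, group-writable and closed to other accounts for writing; read access for others is a separate decision this check does not make.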
RE: security question
Phil R Lawrence wrote:
> How can I have SSH *and* locked down projects *and* locked down CVSROOT dir? Security is very important.

I had actually planned to make CVS available via the web to some people, so I tried to find a secure way of doing so. Instead of using pserver, I followed the instructions by Pascal Bourguignon[1] and installed a chrooted, statically linked CVS server. As every project's CVSROOT gets its own chroot jail and access is handled by ssh PubKeyAuthentication this should be pretty secure.

Using the scripts P. Bourguignon provides, a CVS server can be set up pretty quick, at least if you're using Linux. I gave up on Solaris because I was not able to statically link CVS (Sun does provide at least one library, iirc -lxnet, only as .so). Someone with more time and more experience in setting up chroots might have managed it anyway by linking this one library dynamically and putting it into the chroot (Btw, if someone did, I'd be grateful for any hints and tips).

> PS - are there any windows and linux clients that particularly shine with SSH?

Newer versions of WinCVS _work_ with SSH (and the setup described above) but I wouldn't quite call it shining. I use it with pageant (from the putty packet) for PubKeyAuthentication.

HTH,
Mark Neis

[1] http://informatimago.free.fr/i/linux/chrooted-ssh-cvs.en.html
Re: security question
> PS - are there any windows and linux clients that particularly shine with SSH?

TortoiseCVS on Windows (http://www.tortoisecvs.org/) works very well with ssh. They distribute a customized version of plink from the PuTTY suite.

HTH
Geoff
Re: security question
We run pserver on a machine behind a firewall and access with redirected ports with ssh. Someone posted on this list a cookbook ssh command to do so...

    ssh [EMAIL PROTECTED] -L 2401:host.whatever.com:2401

Then set your CVSROOT to point to localhost. Works.

Steve

On Thu, 2002-12-12 at 10:51, Phil R Lawrence wrote:
> I saw in the docs how to set up pserver and how it can manage read-write permissions. But I won't run a server without encryption.

--
Steven Tryon, ciber @ Xerox
Webmaster, Xerox Global Service Net
8*227-1898 / 585-427-1898