Re: Accessing the repository via Internet
Helmut Mucker wrote:
> Is there a way to access our corporate repository from the Internet? Our security policy prohibits direct connections from the Internet to the CVS-Server.

ACK! Haven't they heard of ssh?

> Can it be done using a ssh-proxy in the DMZ or something else?

It *can*... However, since the stock response you will get on this issue will be "use ssh, that's what it's for", you may find that no prewritten proxy exists. I would not expect one, certainly.

/|/|ike

P.S. Other responses, if they arrive, will probably be more authoritative than mine. :-)

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
Re: Accessing the repository via Internet
On Tue, 16 Jul 2002, Mike Ayers wrote:
> Helmut Mucker wrote:
> > Is there a way to access our corporate repository from the Internet? Our security policy prohibits direct connections from the Internet to the CVS-Server.
>
> ACK! Haven't they heard of ssh?

I'm sure they have; however, using ssh requires opening up a port from the DMZ to their internal network. In the minds of the super-paranoid, this introduces the risk of someone exploiting a security hole in ssh.

I think that if you combine ssh with host-based access control, and ensure that you only allow crypto authentication, you really have nothing to worry about. In other words, open the ssh port only for packets that are coming from certain IP addresses or networks.

> > Can it be done using a ssh-proxy in the DMZ or something else?
>
> It *can*... However, since the stock response you will get on this issue will be "use ssh, that's what it's for", you may find that no prewritten proxy exists. I would not expect one, certainly.

What you can do is nest two ssh connections. You see, you can use ssh to tell one machine to execute a command on a third machine using ssh.

    ssh dmz-host 'ssh secure-host command'

With ssh-agent forwarding, it should work. Anyway, it's worth investigating this ``proxy'' scheme.

-- 
Meta-CVS: solid version control tool with directory structure versioning.
http://users.footprints.net/~kaz/mcvs.html
http://freshmeat.net/projects/mcvs
Re: Accessing the repository via Internet
This has gone rather OT, but...

Kaz Kylheku wrote:
> I'm sure they have; however, using ssh requires opening up a port from the DMZ to their internal network. In the minds of the super-paranoid, this introduces the risk of someone exploiting a security hole in ssh.

Paranoia is good, uninformed paranoia is bad. I'll take one good secured authentication over two bad ones and a slap-together gateway. There's much less likely to be a security hole in ssh (open source, constantly reviewed code) than there is in whatever proxy gets written.

> I think that if you combine ssh with host-based access control, and ensure that you only allow crypto authentication, you really have nothing to worry about.

ssh doesn't have unauthenticated or unencrypted modes, which is one thing that makes it really popular with the security conscious. Host-based access control, on the other hand, is easily enough defeated to not be worth doing. In any case, with strong encryption and authentication (if it must be, then use password strength checkers), what bonus does host-based access control give?

> What you can do is nest two ssh connections. You see, you can use ssh to tell one machine to execute a command on a third machine using ssh.
>
>     ssh dmz-host 'ssh secure-host command'
>
> With ssh-agent forwarding, it should work. Anyway, it's worth investigating this ``proxy'' scheme.

This will work if the DMZ machine permits logins and supports ssh. It is a good way to do things if the "no direct connections from the Internet" rule is unwaivable.

/|/|ike
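The nested-ssh scheme Kaz proposes and Mike accepts above, written out as a small POSIX sh wrapper that can be used as CVS_RSH. This is an added example, not code from the thread, from CVS or from OpenSSH. CVS starts its transport as `$CVS_RSH [-l user] host cvs server`; the wrapper receives exactly those arguments and turns them into `ssh -A dmz-host 'ssh -l user host cvs server'`, so a checkout from `:ext:user@secure-host:/repo` reaches the internal server via the DMZ host without the Internet client ever connecting to it directly. The script name, the host name `dmz-host` and the `CVS_HOP_DMZ` variable are assumptions.

```shell
#!/bin/sh
# cvs-ssh-hop (assumed name): a CVS_RSH wrapper that reaches an internal CVS
# server by nesting two ssh sessions through a DMZ bastion, i.e. the
#     ssh dmz-host 'ssh secure-host command'
# scheme from the thread. Added example; not code from the list or from CVS.
#
# CVS runs its transport as:   $CVS_RSH [-l user] host cvs server
# so this script receives exactly those arguments and rewrites them into
#     ssh -A dmz-host 'ssh -l user host cvs server'
# The bastion name is a placeholder (assumption); override it via CVS_HOP_DMZ.

DMZ_HOST="${CVS_HOP_DMZ:-dmz-host}"

# shell_quote WORD: single-quote WORD so the DMZ host's login shell hands it
# to the inner ssh unchanged (an embedded single quote becomes '\'').
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_inner_command [-l USER] HOST CMD...: print the command line the DMZ
# host will execute, every word quoted. Returns non-zero if no host is given.
build_inner_command() {
    user=""
    if [ "$1" = "-l" ]; then
        user="$2"
        shift 2
    fi
    if [ "$#" -eq 0 ]; then
        echo "build_inner_command: missing host" >&2
        return 1
    fi
    inner="ssh"
    if [ -n "$user" ]; then
        inner="$inner -l $(shell_quote "$user")"
    fi
    for word in "$@"; do
        inner="$inner $(shell_quote "$word")"
    done
    printf '%s\n' "$inner"
}

# When cvs invokes us (always with arguments), forward the agent (-A) so the
# inner ssh authenticates to the internal host with the key held on the
# developer's workstation: no private key is ever stored on the DMZ host.
# With no arguments (e.g. when sourced for testing) nothing is executed.
if [ "$#" -gt 0 ]; then
    inner="$(build_inner_command "$@")" || exit 1
    exec ssh -A "$DMZ_HOST" "$inner"
fi
```

Usage: start `ssh-agent`, `ssh-add` the key that is authorized on both the DMZ host and the internal server, then `export CVS_RSH=/path/to/cvs-ssh-hop` and run `cvs -d :ext:alice@secure-host:/cvsroot checkout proj` as usual. Two points worth keeping in mind when reviewing this setup: the DMZ host must allow the user an interactive shell for the inner command to run (Mike's caveat), and agent forwarding lets that host use the forwarded agent socket for the duration of the session, so a compromised bastion could authenticate onward as the developer while they are connected. Newer OpenSSH (7.3 and later) offers `ssh -J dmz-host secure-host` (ProxyJump), which tunnels the second connection through the first without exposing the agent to the bastion at all.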