Subject: CVS and security.
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rkr@rkr.kcnet.com>
List: netbsd-help
Date: 02/05/2000 15:40:23
There is a small group project that I will be working on this spring (for
a class) which will involve about 3 or 4 people.  We'd like to use CVS,
and I've hesitantly offered to host the system.  (Well, I definitely
offered to look into setting up a CVS server.  That's where I am, right
now.)

The problem that I see is that (apparently) without Kerberos 5, CVS
doesn't make any real effort to encrypt, say, passwords.  Worse, the
cvs.info file says, I believe, that if anyone knows a password which
enables them to gain CVS write access, then they can run more or less
arbitrary programs on my system once I have CVS set up as a server.  
Thus, the cleartext passwords used for the sessions can be snooped and
used by a third party to gain access to my system.


Am I wrong?  Is there something in our package system that can help?  If I
install/build the security install sets for NetBSD 1.4, can I bluff with
our old Kerberos (Kerberos 4, I believe), and get something useful?


I thought that ssh/sshd might let me do it, but it doesn't seem to
directly support this kind of thing.  Am I missing something?  Or should I
use something like openssl or ssh-ip-tunnel?  (Or maybe openssh?)

Or is there no way to really do what I want, and I should just hope that
no one malicious manages to pick out the CVS passwords to attack my
machine?  (This may not be too safe, given the environment of at least one
of the people in question.)

I'd rather make better use of existing tools than install more stuff, but
most of all I'd rather have a system that's about as secure as my group
members are reliable.

(Hm...maybe I should think harder about getting a cheap second PC and set
it up as the CVS server, and also put it between the 'net and my ``real''
computer.  Or, as much as prices drop, maybe get a new ``real'' computer
and move everything but the CVS server to that system, leaving the
current system as my Internet connection...)

(ramble)


Thoughts, help, insight, and cheerleading all gratefully accepted.


  "I probably don't know what I'm talking about."  --rkr@rkr.kcnet.com
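As an added example (not part of the original message or of the CVS project), a small POSIX sh helper for the situation described above: it classifies a CVSROOT by how the login crosses the network, rewrites a :pserver: root into the :ext: form that CVS uses together with CVS_RSH=ssh, and audits working copies still pointing at a cleartext server. It relies on CVS's standard access methods (:pserver:, :ext: with $CVS_RSH), which the message itself does not name; the hostnames, paths and directory layout are constructed.

```shell
#!/bin/sh
# Added example, not part of the original message. CVS's :pserver: method
# carries the login password inside the CVS stream (scrambled, not
# encrypted), while :ext: hands the connection to the program named by
# $CVS_RSH (rsh by default), so with CVS_RSH=ssh the session is
# authenticated and encrypted by ssh. Assumptions: standard CVSROOT syntax;
# hostnames and paths below are constructed for this example.

# Classify a CVSROOT by how the login crosses the network.
# Prints one of: cleartext | ssh | rsh | local.
cvsroot_class() {
    _root=$1
    _rsh=${2:-${CVS_RSH:-rsh}}          # optional 2nd arg overrides CVS_RSH
    case $_root in
        :pserver:*) echo cleartext ;;   # password travels with the session
        :ext:*) case $_rsh in
                    *ssh*) echo ssh ;;  # authenticated and encrypted by ssh
                    *)     echo rsh ;;  # rsh: unencrypted, host-trust based
                esac ;;
        *) echo local ;;                # :local: or a bare path, no network
    esac
}

# Rewrite a :pserver: root as the :ext: root used with CVS_RSH=ssh.
# A pserver port (":pserver:user@host:2401/repo") is dropped: the ssh port
# belongs in ssh_config, not in CVSROOT. Other roots are returned unchanged.
secure_cvsroot() {
    case $1 in
        :pserver:*)
            _rest=${1#:pserver:}        # user@host:/repo or user@host:2401/repo
            _hostpart=${_rest%%:*}      # user@host
            _path=${_rest#*:}           # /repo or 2401/repo
            echo ":ext:$_hostpart:/${_path#*/}" ;;   # strip any port number
        *) echo "$1" ;;
    esac
}

# List checked-out trees under $1 whose CVS/Root still names a cleartext
# :pserver: repository, one "path<TAB>root" line each.
audit_checkouts() {
    find "$1" -type f -path '*/CVS/Root' 2>/dev/null | while read -r _f; do
        _root=$(cat "$_f")
        if [ "$(cvsroot_class "$_root")" = cleartext ]; then
            printf '%s\t%s\n' "${_f%/CVS/Root}" "$_root"
        fi
    done
}
```

Run `audit_checkouts "$HOME"` to find working copies that would still send a password in the clear, and point each at `secure_cvsroot "$(cat CVS/Root)"` with `CVS_RSH=ssh` exported.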