[lug] VPN or SSH for cvs?

Rob Nagler nagler at bivio.biz
Fri Nov 23 15:15:25 MST 2001


> to bring it up. This is where I say I could accept pserver or ssh-agent
> if-and-only-if the route to the remote machine is itself guaranteed to
> require my intervention.

With ssh set to GatewayPorts=no (default), there's no routing on the
client side, i.e. you only can connect from localhost. If pserver is
set up with hosts.allow to be 127.0.0.1, there's no routing issue on
the server side.

> Yes, tunneling pserver would be good, if I can guarantee that my cvs
> requests will be forced to use the ssh or IPsec tunnel, and never ever
> ever (did I mention never?) send even one request along a general

If you're the belt-and-suspenders-type, set up iptables/chains to
disallow any 2401 (pserver) connections except via localhost (both
sides).  

My only concern is the password in .cvspass.  To me, it's an
acceptable risk.

Rob
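
Added example, not part of the original message: a check that port 2401 is reachable only via localhost, as the message recommends for both sides. It parses `ss -ltn` style output; the user, host name and sample listener tables are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Setup the message describes (user and host below are placeholders):
#   client: ssh -N -o GatewayPorts=no -L 2401:127.0.0.1:2401 user@cvs.example.org
#   server: hosts.allow limits pserver to 127.0.0.1
#   both:   iptables -A INPUT -p tcp --dport 2401 ! -i lo -j DROP
PSERVER_PORT=2401

# Read `ss -ltn` style lines on stdin; print each non-loopback address
# that is listening on the pserver port.
exposed_listeners() {
    awk -v port="$PSERVER_PORT" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)      # last colon separates addr and port
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            sub(/%.*$/, "", addr)          # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Exit 0 only when nothing outside loopback listens on the pserver port.
pserver_is_local_only() {
    [ -z "$(exposed_listeners)" ]
}

# Constructed sample: tunnel endpoint bound to loopback only.
sample_tunnel_only() { cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:2401      0.0.0.0:*
LISTEN 0      128            [::1]:2401         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

# Constructed sample: forward opened with GatewayPorts=yes (wildcard bind).
sample_gateway_ports() { cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:2401      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

for s in sample_tunnel_only sample_gateway_ports; do
    if $s | pserver_is_local_only; then echo "$s: loopback only"
    else echo "$s: exposed on $($s | exposed_listeners)"; fi
done
```

On a live host, run `ss -ltn | pserver_is_local_only` on both the client and the server after the tunnel is up.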


