Re: different machines, same environment?

(no name) ((no email))
Mon, 01 Nov 1999 14:02:59 -0600


We have generally used rsh here, but have recently begun using ssh out of
self-defense, at the cost of some unneeded encryption overhead (needed for the
password, but nothing else). We tend to prefer blowfish encryption, cause it's
less overhead, and specify -x to disable X11 forwarding, which is unnecessary
for a repository. This can all be done by interposing a script, pointed to by
the CVS_RSH variable.

We are soon moving to Kerberos authentication, so things will eventually look
like rsh again, but with K5 under the covers. This has the great advantage of
having no passwords floating around in the clear, and makes the access to
repositories straightforward. One need only add a principal's name to the
.k5login file, and not have to match users with originating machines.

We haven't been running cvs servers, but once we move to K5, we'll also add
pserver, for read-only access. I wouldn't use it for read-write due to
security concerns, unless you also use tcpwrappers to help control what hosts
are allowed in, modulo spoofing, of course.

Cheers,
Wayne

http://www-oss.fnal.gov/~baisley
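
The interposed script the message describes could look like the following. This is an added example, not part of the original post and not the poster's own script. The install name `cvs-ssh`, the variables `CVS_SSH_BIN` and `CVS_SSH_CIPHER`, and the extra `-a` flag are assumptions made here.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/bin/cvs-ssh and selected
# with:  CVS_RSH=/usr/local/bin/cvs-ssh; export CVS_RSH
# CVS invokes "$CVS_RSH [-l user] host cvs server", so every argument it
# passes is handed through to ssh unchanged.
#
# Assumed knobs (not from the original message):
#   CVS_SSH_BIN     ssh client to run (default: ssh)
#   CVS_SSH_CIPHER  cipher name passed to -c; empty means the client default.
#                   The message's choice was blowfish, which current OpenSSH
#                   releases no longer offer, so it is not hard-coded.
cvs_rsh() {
    if [ "$#" -eq 0 ]; then
        echo "usage: cvs-ssh [-l user] host command..." >&2
        return 64
    fi
    # -x: disable X11 forwarding, as in the message.
    # -a: disable agent forwarding (added here, same reasoning: a repository
    #     connection needs neither).
    set -- -x -a "$@"
    if [ -n "${CVS_SSH_CIPHER:-}" ]; then
        set -- -c "$CVS_SSH_CIPHER" "$@"
    fi
    "${CVS_SSH_BIN:-ssh}" "$@"
}

# Run only when invoked under the wrapper's install name, so the file can
# also be sourced to exercise cvs_rsh on its own.
case "${0##*/}" in
    cvs-ssh) cvs_rsh "$@" ;;
esac
```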