From: Tommi Virtanen <tv@eagain.net>
To: "R. Tyler Ballance" <tyler@slide.com>
Cc: Thomas Koch <thomas@koch.ro>,
Git Mailing List <git@vger.kernel.org>,
dabe@ymc.ch
Subject: Re: is gitosis secure?
Date: Tue, 3 Feb 2009 13:41:43 -0800 [thread overview]
Message-ID: <20090203214143.GB1970@eagain.net> (raw)
In-Reply-To: <1228813620.18611.41.camel@starfruit.local>
On Tue, Dec 09, 2008 at 01:07:00AM -0800, R. Tyler Ballance wrote:
> Accounts set up with keys for Gitosis are given restricted accounts
> (from my understanding similar to how CVS or SVN operate over SSH
> tunnels).
I don't think I've ever seen a CVS used with "virtual"
restricted-shell accounts.
The svnserve --tunnel-user= support for that mode of operation was
written by me, and is basically exactly the same trick as the one used
by gitosis.
Before gitosis, I had my old SVN setup pretty much reproduced with
git, but then I got bored administering it and wrote gitosis to
automate account and access management.
I am not aware of anyone ever finding a way to get around an svnserve
--tunnel-user= setup. I'm not losing my sleep over the security of
this concept.
Use an SSH gateway if you want tighter control on who gets where,
network-wise. Then you won't get non-git login attempts from the
external net.
Or run an extra SSH service, e.g. using Conch. As long as it respects
~ssh and is interoperable with OpenSSH, gitosis should work just fine.
It can even run as the git user 100% of the time.
--
:(){ :|:&};:
next prev parent reply other threads:[~2009-02-03 21:43 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-09 8:56 is gitosis secure? Thomas Koch
2008-12-09 9:04 ` Sam Vilain
2009-01-18 11:48 ` Florian Weimer
2009-01-18 12:50 ` Boyd Stephen Smith Jr.
2009-01-18 13:25 ` Florian Weimer
2009-01-18 14:19 ` Boyd Stephen Smith Jr.
2009-02-03 21:31 ` Tommi Virtanen
2009-02-04 12:12 ` Stephen R. van den Berg
2009-02-04 18:26 ` Tommi Virtanen
2009-02-05 7:52 ` Stephen R. van den Berg
2009-02-05 8:04 ` Tommi Virtanen
2008-12-09 9:07 ` R. Tyler Ballance
2009-02-03 21:41 ` Tommi Virtanen [this message]
2008-12-09 9:38 ` Sverre Rabbelier
2008-12-13 16:23 ` Nix
2008-12-13 18:07 ` Sverre Rabbelier
2008-12-14 2:26 ` Sitaram Chamarty
2008-12-14 5:40 ` david
2008-12-14 9:42 ` martin
2008-12-14 11:25 ` david
2008-12-14 10:51 ` Jakub Narebski
2008-12-15 0:54 ` david
2008-12-14 11:02 ` martin
2008-12-15 1:00 ` david
2008-12-15 7:17 ` Mike Hommey
2008-12-15 8:25 ` david
2008-12-15 8:35 ` Mike Hommey
2008-12-15 21:28 ` Tait
2008-12-14 11:42 ` Sitaram Chamarty
2008-12-15 1:20 ` david
2008-12-14 10:40 ` Jakub Narebski
2008-12-15 0:50 ` david
2008-12-15 7:20 ` Rogan Dawes
2008-12-15 8:37 ` david
2008-12-15 7:52 ` Rogan Dawes
2008-12-14 10:47 ` Jakub Narebski
2008-12-15 0:14 ` Nix
2008-12-15 1:29 ` david
2008-12-15 5:24 ` Asheesh Laroia
2008-12-15 6:32 ` david
2008-12-09 19:18 ` Garry Dolley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090203214143.GB1970@eagain.net \
--to=tv@eagain.net \
--cc=dabe@ymc.ch \
--cc=git@vger.kernel.org \
--cc=thomas@koch.ro \
--cc=tyler@slide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.