From: Tommi Virtanen <tv@eagain.net>
To: "R. Tyler Ballance" <tyler@slide.com>
Cc: Thomas Koch <thomas@koch.ro>,
Git Mailing List <git@vger.kernel.org>,
dabe@ymc.ch
Subject: Re: is gitosis secure?
Date: Tue, 3 Feb 2009 13:41:43 -0800 [thread overview]
Message-ID: <20090203214143.GB1970@eagain.net> (raw)
In-Reply-To: <1228813620.18611.41.camel@starfruit.local>
On Tue, Dec 09, 2008 at 01:07:00AM -0800, R. Tyler Ballance wrote:
> Accounts set up with keys for Gitosis are given restricted accounts
> (from my understanding similar to how CVS or SVN operate over SSH
> tunnels).
I don't think I've ever seen a CVS used with "virtual"
restricted-shell accounts.
The svnserve --tunnel-user= support for that mode of operation was
written by me, and is basically exactly the same trick as the one used
by gitosis.
Before gitosis, I had my old SVN setup pretty much reproduced with
git, but then I got bored administering it and wrote gitosis to
automate account and access management.
I am not aware of anyone ever finding a way to get around an svnserve
--tunnel-user= setup. I'm not losing my sleep over the security of
this concept.
Use an SSH gateway if you want tighter control on who gets where,
network-wise. Then you won't get non-git login attempts from the
external net.
Or run an extra SSH service, e.g. using Conch. As long as it respects
~ssh and is interoperable with OpenSSH, gitosis should work just fine.
It can even run as the git user 100% of the time.
--
:(){ :|:&};:
next prev parent reply other threads:[~2009-02-03 21:43 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-09 8:56 is gitosis secure? Thomas Koch
2008-12-09 9:04 ` Sam Vilain
2009-01-18 11:48 ` Florian Weimer
2009-01-18 12:50 ` Boyd Stephen Smith Jr.
2009-01-18 13:25 ` Florian Weimer
2009-01-18 14:19 ` Boyd Stephen Smith Jr.
2009-02-03 21:31 ` Tommi Virtanen
2009-02-04 12:12 ` Stephen R. van den Berg
2009-02-04 18:26 ` Tommi Virtanen
2009-02-05 7:52 ` Stephen R. van den Berg
2009-02-05 8:04 ` Tommi Virtanen
2008-12-09 9:07 ` R. Tyler Ballance
2009-02-03 21:41 ` Tommi Virtanen [this message]
2008-12-09 9:38 ` Sverre Rabbelier
2008-12-13 16:23 ` Nix
2008-12-13 18:07 ` Sverre Rabbelier
2008-12-14 2:26 ` Sitaram Chamarty
2008-12-14 5:40 ` david
2008-12-14 9:42 ` martin
2008-12-14 11:25 ` david
2008-12-14 10:51 ` Jakub Narebski
2008-12-15 0:54 ` david
2008-12-14 11:02 ` martin
2008-12-15 1:00 ` david
2008-12-15 7:17 ` Mike Hommey
2008-12-15 8:25 ` david
2008-12-15 8:35 ` Mike Hommey
2008-12-15 21:28 ` Tait
2008-12-14 11:42 ` Sitaram Chamarty
2008-12-15 1:20 ` david
2008-12-14 10:40 ` Jakub Narebski
2008-12-15 0:50 ` david
2008-12-15 7:20 ` Rogan Dawes
2008-12-15 8:37 ` david
2008-12-15 7:52 ` Rogan Dawes
2008-12-14 10:47 ` Jakub Narebski
2008-12-15 0:14 ` Nix
2008-12-15 1:29 ` david
2008-12-15 5:24 ` Asheesh Laroia
2008-12-15 6:32 ` david
2008-12-09 19:18 ` Garry Dolley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090203214143.GB1970@eagain.net \
--to=tv@eagain.net \
--cc=dabe@ymc.ch \
--cc=git@vger.kernel.org \
--cc=thomas@koch.ro \
--cc=tyler@slide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).