On Thu, Aug 29, 2002 at 10:18:25PM -0700, Justin Erenkrantz wrote:
>
> Steps:
> ssh -L 8888:127.0.0.1:8888 authorized-user@ssh-only-server
> svn co http://localhost:8888/
>
My problem with this approach (other than the hassle of remembering
to set up the tunnel in advance) is that SSH's local sockets do
ZERO authentication. Any bozo with an account on the local host
would have unrestricted access to the remote repo. Additionally,
if SSH is configured to accept connections on non-loopback interfaces
(which is common, even if unadvisable), any bozo with network access
to the local host would have unrestricted access to the remote repo.
Even if the local machine is a home computer, and you're the only
user, you're probably weakening the overall security of the system.
Your home computer is probably more vulnerable than the ones at work
that are specially hardened and protected by multimillion-dollar
firewalls, etc.
>
> This is exactly why no one has really had the impetus to finish
> ra_pipe - it just isn't needed. A little creativity is all that
> is required. Note that you can still mount the repos via WebDAV if
> you wanted to.
That's right, but the concerns above are why I've made an effort
to make ra_pipe work.
--ben
Received on Fri Aug 30 15:01:07 2002
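
The exposure described in the reply above can be checked on the machine that runs the tunnel. The following is an added example, not part of the original message or of Subversion: it reads `ss -H -ltnp` style output and lists the listeners owned by the `ssh` client along with who can connect to each. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of `ss -H -ltnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8888 0.0.0.0:* users:(("ssh",pid=4123,fd=5))
LISTEN 0 128 [::1]:8888 [::]:* users:(("ssh",pid=4123,fd=4))
LISTEN 0 128 0.0.0.0:8889 0.0.0.0:* users:(("ssh",pid=4200,fd=4))
LISTEN 0 128 *:8890 *:* users:(("ssh",pid=4300,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def classify_bind(host):
    """Return 'loopback' or 'network' for the address a listener is bound to."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if host == "*":  # wildcard bind: every interface
        return "network"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "network"


def audit_ssh_forwards(ss_output):
    """List listeners owned by the ssh client, with who can reach them."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # no process column (needs privileges) or not a listener
        proc = PROC_RE.search(fields[5])
        if not proc or proc.group(1) != "ssh":  # skip sshd and unrelated daemons
            continue
        host, _, port = fields[3].rpartition(":")
        scope = classify_bind(host)
        # Loopback forwards are still unauthenticated for every local account.
        exposure = ("any host that can reach this machine" if scope == "network"
                    else "any local user or process")
        findings.append({"port": int(port), "bind": host, "pid": int(proc.group(2)),
                         "scope": scope, "reachable_by": exposure})
    return findings


if __name__ == "__main__":
    for f in audit_ssh_forwards(SAMPLE_SS_OUTPUT):
        print(f"{f['bind']}:{f['port']} (ssh pid {f['pid']}): {f['reachable_by']}")
```

On a live host, pass the text of `ss -H -ltnp` to `audit_ssh_forwards`; without root, `ss` only shows the process column for your own processes, so other users' tunnels are skipped.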