[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Push ?

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Tue, 17 Sep 2013 10:14:58 -0500

On Tue, Sep 17, 2013 at 7:11 AM, Nico Kadel-Garcia <nkadel_at_gmail.com> wrote:
>>>
>> There is always the trick of ssh-ing a command from inside the
>> firewall to the DMZ box that (a) sets up port-forwarding and (b) runs
>> the svn command as though the repo is on localhost. Technically, and
>> from the firewall's point of view, the connection is established
>> outbound.
>
>
> This is also a firing offense in many environments.

Yes, I can understand institutions and security policies that blindly
outlaw tunnels, but note that in this case it goes the 'right'
direction.- that is the control and connection comes from the 'more
secure' side and the tunnel is just because the program that needs to
run won't make its own connection in the direction you need.

> I once had a chief
> developer, with various root SSH key access, running just such tunnels to
> and from his home machine, tunnels that I happened to notice. He was also
> using non-passphrase protected SSH keys, and had *built* the previous
> version of Subversion in use at that company. Given the secure data he had
> access to this way, from offsite, it caused a serous scandal behind closed
> doors, (And I replaced that Subversion with a source controlled one, owned
> by "root", instead of the one owned by him individually!)

First, it is kind of foolish to assume that anyone with an
unrestricted ssh login doesn't have complete access to all the data
that account can read (or reach from either side of the connection),
but also note that this is the opposite case, where the connection
origin and tunnel destination are on the 'less secure' side and the
controlling keys are also outside.

-- 
   Les Mikesell
     lesmikesell_at_gmail.com
Received on 2013-09-17 17:15:46 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.