Date: Sat, 21 Jul 2001 17:51:46 +0200
From: Stefan Esser <se@freebsd.org>
To: Warner Losh <imp@harmony.village.org>
Cc: Matt Meola <mmeola@uswest.com>, ctm-announce@FreeBSD.ORG, Stefan Esser <se@freebsd.org>
Subject: Re: Re: CTM mirrors
Message-ID: <20010721175146.A33806@StefanEsser.FreeBSD.org>
In-Reply-To: <200107201607.f6KG7bo66654@harmony.village.org>
On 2001-07-20 10:07 -0600, Warner Losh <imp@harmony.village.org> wrote:
> And cvsup can't? I've run it through many different firewalls in the
> past, over socks5 proxies and a couple of other strange
> configurations. I'd be interested to hear how your environment is
> different than mine that you can't run it.

Sure, cvsup can ...

But cvsup is a bi-directional data pipe, with the cvsup server playing an active role. I use cvsup at home (through a firewall), but can't do so at work, since it violates the firewall policy.

The reason is that cvsup provides not just a simple file download mechanism, but supports actions performed by the client on behalf of the cvsup server (execute keyword in control file or -e option required, according to the man page). This puts the cvsup protocol into the same class of application as a remote login (at least from the point of view of the firewall policy, which does not care whether the client is invoked with or without -e).

The cvsup protocol suffers from the same problem as a Word .doc file: it does not only transport data, but also arbitrary commands, which may or may not lead to bad effects on the client.

This is not meant to imply that I expect any of the FreeBSD cvsup servers to attack me by means of the protocol. The company firewall policy strictly prohibits any such connection, even if initiated by the client. (The only solution that I see is an encrypted and authenticated tunnel, e.g. via SSL with a server certificate issued by a special FreeBSD cvsup CA which is verified by the cvsup client.)

Again: Don't tell me that I should just ensure that cvsup is always invoked with -E (shell command execute OFF). The firewall doesn't know whether cvsup is used safely. It must expect it is not and thus may not permit the protocol through!

While I prefer cvsup at home, it's no option for my systems at work ... (And when I only had an ISDN line billed by connect time, cvsup was also not an option at home ... ;-)

Cvsup through an authenticated and encrypted tunnel might be a solution. That would offer protection against connects to spoofed servers (but not against cvsup servers that are owned by a cracker; but I guess I could accept that risk).

Is there anybody who is willing to set up SSL access to a cvsup server?

Regards, Stefan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe ctm-announce" in the body of the message
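The authenticated, encrypted tunnel the message asks for can be built with stunnel on both ends. The configuration below is an added example for this archive page; it is not from the thread, from cvsup, or from the FreeBSD project, and the hostname cvsup.example.org, the TLS port 5998, the certificate and key paths, and the "cvsup CA" file are all assumptions. The client side trusts only that one CA file and additionally checks that the server certificate is issued for the expected hostname, so a spoofed server that cannot present a certificate chaining to that CA is rejected before cvsup exchanges a single byte with it.

```ini
; ---- Server side: /etc/stunnel/cvsup-server.conf (assumed path) ----
; stunnel terminates TLS on port 5998 (assumed) and forwards the
; decrypted stream to cvsupd listening on the standard cvsup port
; 5999 on the loopback interface only.
[cvsup-tls]
accept  = 5998
connect = 127.0.0.1:5999
; Server certificate and key issued by the dedicated cvsup CA
; (assumed file names).
cert = /etc/stunnel/cvsup-server.pem
key  = /etc/stunnel/cvsup-server.key

; ---- Client side: /etc/stunnel/cvsup-client.conf (assumed path) ----
; cvsup talks plaintext to 127.0.0.1:5999; stunnel carries that over
; TLS to the server and refuses any peer not certified by the cvsup CA.
[cvsup-tls]
client  = yes
accept  = 127.0.0.1:5999
connect = cvsup.example.org:5998
; Only the dedicated CA is trusted (assumed file name); the system
; CA bundle is deliberately NOT used.
CAfile = /etc/stunnel/cvsup-ca.pem
; Reject any server certificate that does not chain to CAfile ...
verifyChain = yes
; ... and bind the certificate to the expected server name, so a
; certificate for some other host issued by the same CA is also refused.
checkHost = cvsup.example.org
```

On the client, point the supfile at the local tunnel endpoint (`*default host=127.0.0.1`) instead of the public server. `verifyChain` and `checkHost` are stunnel 5.x options; older 4.x releases express the same check as `verify = 2` without hostname binding. The tunnel only authenticates the peer and hides the traffic from the network; it does nothing about what a legitimately certified but compromised server can ask the client to do, which is exactly the residual risk the message accepts, so invoking the client with -E (shell command execution off) remains the sensible default.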