martin f krafft wrote: > * Craig Dickson <[EMAIL PROTECTED]> [2001.11.27 10:28:10-0800]: > > But getting access to your CVS is okay? Might as well not bother securing > > it at all, then. > > uhm, hello? yes, it is necessary. with ssh, only those with the > identity file can get access to the cvs. without cvs, anyone willing > to password sniff can get access...
That was my point. If he's going to allow passwords to cross the net in clear, then having passwords isn't really securing anything. Accessing cvs in an ssh tunnel is the way to go. What Peter had said, that I was replying to, was that he didn't mind passwords going in clear as long as it was only cvs passwords, not shell login passwords. So my reaction was, if you're so unconcerned about cvs access, why bother putting passwords on it at all? The real point being not that it's okay to let the whole world have full access to your cvs, but that passwords should always be encrypted on the wire. Craig
