As mentioned in both http://drupal.org/node/187019#comment-618329 and http://drupal.org/node/132067#comment-654002, it'd be great if it was possible for the OSUOSL to automatically set up jailed/sandboxed shell accounts that could be used for CVS over ssh tunnels, instead of pserver. Is this at all feasible from the OSUOSL's perspective?

Thanks,
-Derek

Comments

kbahey

Would ssh be feasible for all users in the first place?

Some use Windows, some use Linux, some use Macs, some use GUIs, some use CVS embedded in IDEs, etc.

Are all of these guaranteed to work with ssh?

greggles

I believe the idea is to set it up in addition to normal pserver, so it doesn't have to be feasible for all users.

For people who 1) care about security enough to use an ssh tunnel and/or 2) insist on being able to get to cvs even when their firewall blocks them, then yes, it is easy on all of those platforms to create an ssh login/tunnel.

mdekkers

SSH would be quite handy for use with CVS, and is available on all platforms I am aware of. I also believe any IDE (of note...) has the ability to allow CVS over SSH. There are also plenty of apps available that will assist in getting SSH through proxies and firewalls.

Good idea.

nnewton

Assigned: Unassigned » nnewton

I'm afraid it really isn't feasible for a number of reasons:

First, account creation would be a headache if they were created on the box itself. From a management perspective they would have to be in our LDAP tree (central authentication). We could create an entire subtree for this, but the management overhead of this would get fairly high. The other option would be to create a chrooted environment that was outside of LDAP. We would then have to deal with managing/updating that chrooted system as well, which would be unfortunate.

Second and more importantly, having that many local accounts on a production box is a huge security issue and one we really aren't willing to deal with. They would clearly be very limited accounts, but at that point all it takes is a security vulnerability to get past the limitations and chroots aren't very difficult to break.

We agree that the security of pserver leaves a lot to be desired, but sadly ssh isn't really the way forward to fix that.

dww

Status: Active » Closed (won't fix)

That's exactly what I would have said. ;) I just wanted to hear it from you, and to have a clear, stand-alone thread to point people to who bring up this suggestion in other places. Thanks.

Component: CVS » Other