To control access to the Perforce Server, you must prevent unauthorized users from gaining access to the server machine file system, the network on which it runs, and the Perforce Server itself. To control access, use the following:
- Perforce Server: User passwords and the protections table.
- Operating system: File system protections for depot and workspace directories.
- Network: User access and encryption.
The following are additional recommendations for maximizing server security.
Prevent all unauthorized access to the server machine
In particular, ensure that end users do not have access to the files in the Perforce Server root directory (configured using the P4ROOT environment variable).
Encrypt network traffic
Perforce server versions 2011.1 and earlier use an unencrypted (clear text) protocol to communicate between clients and the server. To encrypt Perforce data that is transported over your network (and especially over the Internet), use ssh or VPN software.
For details about configuring Perforce to use ssh through a firewall, please refer to these knowledge base articles:
Using Stunnel with Perforce: How to configure Perforce to communicate using SSL and the stunnel utility.
Setting Up Perforce Using Firewalls: Proper firewall configuration with Perforce servers.
Starting with Perforce server version 2012.2 you can configure the server to work with SSL natively. For more information, please refer to this article:
Enabling SSL Support for the Server/Broker/Proxy
Require Perforce passwords
The default server security level, which is zero, does not require users to have a password. To require user passwords, set the security level to 1 or higher. For details about setting security levels, see Chapter 3 of the Perforce System Administrator's Guide.
Require authentication and set session timeout
You can configure the server to require users to log in to the Perforce server, which prevents passwords from being used and recorded in client files or system registries. To require login (using p4 login), set the server security level to 3. For details about passwords and tickets, see Chapter 3 of the Perforce System Administrator's Guide.
Control user access to the depot
The protections table enables you to control access to the depot for specified users and groups. You can control access based on IP address and depot path, and you can specify the level of access that is permitted (read, write, and so on). For details, see Chapter 4 of the Perforce System Administrator's Guide and the Perforce Command Reference entry for p4 protect.
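An added example (not from the Perforce documentation): a short Python audit over a protections table in p4 protect form, flagging entries that grant access without using the user or IP address restrictions described above. The two policy rules, the function names, and the sample table are assumptions constructed for illustration.

```python
import shlex

# p4 protect access levels, least to most privileged.
LEVELS = ["list", "read", "open", "write", "admin", "super"]

# Constructed sample table (not from a real server).
SAMPLE = """\
Protections:
\twrite user * * //...
\tsuper user p4admin * //...
\tread group contractors 10.20.0.0/16 //depot/docs/...
\twrite group dev 10.20.0.0/16 //depot/main/...
\tlist user * * -//depot/secret/...
\tadmin user build 192.168.10.5 "//depot/release builds/..."
"""

def parse_protections(text):
    """Yield (lineno, level, kind, name, host, path) per protections entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "Protections:":
            continue
        fields = shlex.split(line)  # depot paths containing spaces are quoted
        if len(fields) == 5:
            yield (lineno, *fields)

def rank(level):
    """Position in LEVELS; -1 for levels this example does not rank."""
    level = level.lstrip("=")  # '=write' style rights rank like 'write'
    return LEVELS.index(level) if level in LEVELS else -1

def audit_protections(text):
    """Return [(lineno, reason)] for entries matching the example policy."""
    findings = []
    for lineno, level, kind, name, host, path in parse_protections(text):
        if path.startswith("-"):
            continue  # exclusionary mapping: removes access, grants nothing
        if rank(level) >= rank("admin") and host == "*":
            findings.append((lineno, f"{level} access is not limited by IP address"))
        elif (rank(level) >= rank("write") and kind == "user"
              and name == "*" and host == "*"):
            findings.append((lineno, f"{level} access for every user from any host"))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit_protections(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The same function can be run over the saved output of p4 protect -o on a server where you have super access.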
Disable automatic creation of user accounts
By default, the server creates a new user account when a user with an unknown userID attempts to access it. Turn this functionality off. For details on doing so, see Chapter 3 of the Perforce System Administrator's Guide.