[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2

From: Derek Robert Price
Subject: Re: PAM authentication patch - v2
Date: Wed, 16 Apr 2003 13:01:05 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Brian Murphy wrote:

Derek Robert Price wrote:

Brian, your patch looked good, though I haven't attempted to install it yet, but it will still need manual (doc/cvs.texinfo) additions before it can be committed.

How is this?

Now that I'm thinking about it, how about installing a default /etc/pam.d/cvs file which duplicates the old system password behavior when CVS is compiled to use PAM?

Index: doc/cvs.texinfo
RCS file: /cvs/cvs/doc/cvs.texinfo,v
retrieving revision
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- doc/cvs.texinfo     13 Apr 2003 20:34:16 -0000
+++ doc/cvs.texinfo     16 Apr 2003 16:25:45 -0000      1.3
@@ -2489,13 +2489,41 @@
the username and password using the operating system's
user-lookup routines (this "fallback" behavior can be
disabled by setting @code{SystemAuth=no} in the
-@sc{cvs} @file{config} file, @pxref{config}).  Be
-aware, however, that falling back to system
+@sc{cvs} @file{config} file, @pxref{config}).
+The default fallback behaviour is to look in +@file{/etc/passwd} for this system password but if your
+system has PAM - Pluggable Authentication Modules - then

...and CVS is configured to use it at compile time...

+cvs will use that instead. This means that with a +global configuration file usually @file{/etc/pam.conf}
+or possibly @file{/etc/pam.d/cvs}
+you can tell cvs to use LDAP or normal UNIX passwd +authentication or many other possibilities - see your +PAM documentation for details. CVS needs an "auth" +and "account" module in the PAM configuration file. +Using PAM gives the system administrator much more +flexibility in how cvs users are authenticated but +no more security than other methods, see below.
+Be aware, however, that falling back to system
authentication might be a security risk: @sc{cvs}
operations would then be authenticated with that user's
regular login password, and the password flies across
the network in plaintext.  See @ref{Password
authentication security} for more on this.
+This may be more of a problem with PAM authentication
+because it is likely that the source of the system +password is some central authentication service like
+LDAP which is also used to authenticate other services.
+On the other hand PAM makes it very easy to change +your password regularly - this is impossible to do +for a user authenticated via cvs' private password file +without total access to the @file{CVSROOT/passwd} file +, i.e. the user needs all rights to the repository to +allow password change which in my experience means +the password never gets changed, see below. Users are
+much more willing to change their password regularly
+if they only have to remember one.
Right now, the only way to put a password in the
@sc{cvs} @file{passwd} file is to paste it there from

At that, typical contents (/etc/passwd authenticating) for /etc/pam.d/cvs should be listed in the manual like we do for inetd.



Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
I did not see Elvis.
I did not see Elvis.
I did not see Elvis...

         - Bart Simpson on chalkboard, _The Simpsons_

reply via email to

[Prev in Thread] Current Thread [Next in Thread]