[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Info-cvs] CSERVER extension to cvs [DRAFT]

From: Martin Vogt
Subject: [Info-cvs] CSERVER extension to cvs [DRAFT]
Date: Mon, 18 Sep 2000 13:54:15 +0200
User-agent: Mutt/1.2.5i


this mail describes some problems with the pserver implemention,
when used in larger companies and describes a (possible) solution.

pserver: the current  problem

The current pserver implementation has the major drawback
that it stores the password in clear text (more or less)
in you local homedirectory.
This is a potential security hole, if another user can read this
file he has at the same time the user password, which
mean the can log into a machine!

The usual solution for this is:
-You setup virtual cvs accounts. But this
 has another problem, because:
          i)   You must tell the user this CVS password
          ii)  The user must remeber the password

In larger companies you cannot force the user to do this.
Its inconvinient, for the system admin and for the users.

cserver: a solution

My idea to solve this problem is an extension to cvs,
a new protocol "cserver" the c stand for "cookie".
It should work like this:
The client sends the usual CSERVER VERIFICATION REQUEST
(when he does the first "login")
This time the users types as login his real Password which is
checked by the cserver. If this is ok, the Server sends
something like this:


This cookie is stored in the .cvspass and is now used

This solution has the advantage:

i)    Someone who can read .cvspass gets only cvs access
      and not the "full" login
ii)   The password is not stored in clear text
iii)  Users do not need a "special" CVS password for every CVS Repository


In the CVSROOT/passwd you have another entry, the
cookie. The cvsclient must check for the COOKIE:123456 part
and then writes it into the .cvspass.
I think this can be done very easily.

Any ideas?
What do you think?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]