
RE: Fw: need to force username of cvs 'action' when using shared SSHacco

From: Matthew Herrmann
Subject: RE: Fw: need to force username of cvs 'action' when using shared SSHaccount
Date: Mon, 3 May 2004 09:55:40 +1000

Hi Tim,

Ironically enough, exactly what you are asking for is pserver access.
Because the username can be fairly easily overridden in this method, it's
not considered secure (but in a normal work environment it's fine). The ssh
method of connecting is secure for the precise reason that security is managed
outside cvs and it _won't_ let you get around it.

The only other suggestion is to add a commit-check which ensures that the
username is present in the commit message. You can set up a template which
commit messages must conform to, and then change the cvs editors on each
developer box so the pre-generated form comes up each time.

This is a hack, but I can't see how you can do what you're after otherwise.

Best Regards,

Matthew Herrmann
Far Edge Technology

-----Original Message-----
Date: Sun, 2 May 2004 11:33:46 -0400
From: "Tim Grotenhuis" <address@hidden>
Subject: Fw: need to force username of cvs 'action' when using shared
To: <address@hidden>
Message-ID: <address@hidden>
Content-Type: text/plain;       charset="iso-8859-1"

> >
> > Is there a reason why you can't use the old-fashioned stratagem
> > of one account per developer ?

 My ISP won't give me additional accounts.

> > You can also use $HOME/.ssh/environment on the client side to tunnel
> > environment variables of your choice.  I've never tried it myself, I
> > just saw that in the ssh man page.  (Your developers would be able to
> > cheat, though.)  The trouble is, CVS doesn't look at the environment to
> > decide who's calling.

 My script that runs in the command="" option in the authorized_keys2 file
 runs successfully and I can control the input based on which key (i.e., which
 developer) is used.  I am looking for the correct environmental variable
 that CVS WILL look at.

> >
> > > There HAS to be a way to force cvs to record the correct committer
> > > name.
> >
> > Why ?  Why would cvs extract that information from a source other than
> > its own euid ?

 I just can't imagine that this hasn't been required before: a single shell
account with a user id of, for example, 'cvsuser' requiring SSH, instead of
pserver, authentication and access for developers.  The nature of CVS, that
of tracking diffs and who did what when, seems to be compromised in this
situation.  That's all.
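
The commit-check suggested in the reply above, sketched as a CVSROOT/verifymsg hook. This is an added example, not code from either poster. It goes one step beyond the suggestion by also comparing the name with the key that authenticated. Assumptions: the template line is "Committer: <name>", the command="" wrapper exports a variable here called CVS_DEVELOPER (a hypothetical name), and the hook inherits the environment of the cvs server process.

```shell
#!/bin/sh
# Added example: CVSROOT/verifymsg hook. CVS runs it with the path of a file
# holding the proposed log message; a non-zero exit aborts the commit.
# Assumption: the command="" wrapper in authorized_keys2 exported
# CVS_DEVELOPER (hypothetical variable name) for the key that was used.

# Print the name from the first "Committer:" line, or nothing if absent.
committer_from_log() {
    sed -n 's/^Committer:[[:space:]]*\([A-Za-z0-9._-]\{1,\}\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Return 0 if the log message names a committer and, when the wrapper
# supplied CVS_DEVELOPER, that name matches the owner of the key.
check_log_message() {
    name=$(committer_from_log "$1")
    if [ -z "$name" ]; then
        echo "commit rejected: log message needs a 'Committer: <name>' line" >&2
        return 1
    fi
    if [ -n "${CVS_DEVELOPER:-}" ] && [ "$name" != "$CVS_DEVELOPER" ]; then
        echo "commit rejected: Committer '$name' is not key owner '$CVS_DEVELOPER'" >&2
        return 1
    fi
    return 0
}

# Hook entry point: only runs when CVS passes the log file path.
if [ "$#" -ge 1 ]; then
    check_log_message "$1"
    exit $?
fi
```

The hook is registered with a line in CVSROOT/verifymsg and the template with a line in CVSROOT/rcsinfo. It does not change the author CVS records for the revision, which remains the shared account.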
