info-cvs
Re: SSH configuration


From: Derek Robert Price
Subject: Re: SSH configuration
Date: Wed, 17 Nov 2004 14:21:03 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616

Mark D. Baushke wrote:

> jsWalter <address@hidden> writes:
>
> >>Paola Attadio writes:
> >>
> >>>Is it possible to use SSH with cvs users ($CVSROOT/CVSROOT/passwd)?
>
> >>Larry Gave us:
> >>
> >>No.
>
> >No?
>
>
> Correct.
>
> >No on ($CVSROOT/CVSROOT/passwd)?
>
>
> $CVSROOT/CVSROOT/passwd only applies with :pserver: access mode.
>
> >Or no CVS with SSH?
>
>
> CVS with :ext: and a CVS_RSH=ssh environment variable uses ssh as
> transport which uses the native host login method.
>
> CVS with :pserver: uses $CVSROOT/CVSROOT/passwd (or, optionally there is
> a way to configure 1.12.x to use PAM instead)


Actually, old versions of CVS and 1.12.x can also fall back on system
authentication (/etc/passwd or whatever the local getpwnam() happens
to use - NIS/PAM/whatever).  Of course, even aside from not
recommending :pserver: for any non-anonymous, non-sensitive connection
not behind a pretty secure firewall, I would strongly advise against
falling back on system, NIS, or PAM authentication via pserver since
pserver already sends almost-clear passwords across the network and
saves almost-clear passwords in users' home directories.

You can mitigate the risks of pserver password security (or lack
thereof) somewhat via SSH tunneled connections, but this doesn't solve
all the problems.

> It is possible that :ext: may some day be extended to allow the
> transport
> to be encoded as an option much as the :pserver;proxyport=<number>: may
> be encoded today in the cvs 1.12.x (feature) branch of cvs.


And this would be a fairly straightforward change if anyone new to CVS
(or otherwise) wanted to try their hand at hacking it and submitting a
patch.  Most of the offending code should be in the parse_cvsroot()
function in src/root.c and the bulk of the work was already done to
handle proxyport and its brethren.

Cheers,

Derek
- --
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
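Added example, not part of the original message and not CVS's own code: a small Python parser for CVSROOT strings (including the `;option=value` form mentioned above) that flags the configurations the message advises against. The function names, the sample roots and the convention that the read-only account is called "anonymous" are assumptions made for this illustration.

```python
import os

# Access methods CVS accepts in a CVSROOT string.
METHODS = {"local", "fork", "ext", "server", "pserver", "gserver", "kserver"}

def parse_cvsroot(root):
    """Split [:method[;opt=val...]:][user[:password]@]host[:port]/path."""
    rest, method, options = root.strip(), None, {}
    if rest.startswith(":"):
        spec, sep, rest = rest[1:].partition(":")
        method, *opts = spec.split(";")
        if not sep or method not in METHODS:
            raise ValueError("bad access method in %r" % root)
        options = dict(o.partition("=")[::2] for o in opts)
    else:
        # No method given: a leading "/" means local, otherwise CVS assumes
        # :ext: or :server:, treated as ext here.
        method = "local" if rest.startswith("/") else "ext"
    out = dict(method=method, options=options, user="", password="",
               host="", port="", path=rest)
    if method in ("local", "fork"):
        return out
    slash = rest.find("/")
    if slash < 1:
        raise ValueError("no host or path in %r" % root)
    userinfo, _, hostport = rest[:slash].rpartition("@")
    out["user"], _, out["password"] = userinfo.partition(":")
    out["host"], _, out["port"] = hostport.rstrip(":").partition(":")
    out["path"] = rest[slash:]
    return out

def audit(root, cvs_rsh=None):
    """Return findings for one CVSROOT; cvs_rsh is the CVS_RSH value in use."""
    r, findings = parse_cvsroot(root), []
    if r["method"] == "pserver":
        if r["password"]:
            findings.append("password embedded in CVSROOT")
        if r["user"] != "anonymous":  # assumption: read-only account name
            findings.append("pserver login for a named user; prefer :ext: with CVS_RSH=ssh")
    elif r["method"] == "ext" and os.path.basename(cvs_rsh or "") != "ssh":
        findings.append("ext transport is not ssh (CVS_RSH=%r)" % cvs_rsh)
    return findings

if __name__ == "__main__":
    # Constructed sample roots, as they might appear in CVS/Root files.
    for sample in (":pserver;proxyport=8080:alice@cvs.example.org:2401/cvsroot",
                   ":pserver:anonymous@cvs.example.org:/cvsroot",
                   ":ext:alice@cvs.example.org:/cvsroot"):
        print(sample, audit(sample, os.environ.get("CVS_RSH")))
```

Running `audit()` over the contents of each working copy's `CVS/Root` file shows which checkouts still authenticate named users through pserver.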
