Re: SSH configuration
From: Derek Robert Price
Subject: Re: SSH configuration
Date: Wed, 17 Nov 2004 14:21:03 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616
Mark D. Baushke wrote:
> jsWalter <address@hidden> writes:
>
> >>Paola Attadio writes:
> >>
> >>>Is possible use SSH with cvs users ($CVSROOT/CVSROOT/passwd)?
>
> >>Larry Gave us:
> >>
> >>No.
>
> >No?
>
>
> Correct.
>
> >No on ($CVSROOT/CVSROOT/passwd)?
>
>
> $CVSROOT/CVSROOT/passwd only applies with :pserver: access mode.
>
> >Or no CVS with SSH?
>
>
> CVS with :ext: and a CVS_RSH=ssh environment variable uses ssh as
> transport which uses the native host login method.
>
> CVS with :pserver: uses $CVSROOT/CVSROOT/passwd (or, optionally there is
> a way to configure 1.12.x to use PAM instead)

Actually, old versions of CVS and 1.12.x can also fall back on system
authentication (/etc/passwd or whatever the local getpwnam() happens
to use - NIS/PAM/whatever). Of course, even aside from not
recommending :pserver: for any non-anonymous, non-sensitive connection
not behind a pretty secure firewall, I would strongly advise against
falling back on system, NIS, or PAM authentication via pserver, since
pserver already sends almost-clear passwords across the network and
saves almost-clear passwords in users' home directories.

You can mitigate the risks of pserver password security (or lack
thereof) somewhat via SSH tunneled connections, but this doesn't solve
all the problems.

> It is possible that :ext: may some day be extended to allow the transport
> to be encoded as an option much as the :pserver;proxyport=<number>: may
> be encoded today in the cvs 1.12.x (feature) branch of cvs.

And this would be a fairly straightforward change if anyone new to CVS
(or otherwise) wanted to try their hand at hacking it and submitting a
patch. Most of the offending code should be in the parse_cvsroot()
function in src/root.c and the bulk of the work was already done to
handle proxyport and its brethren.

Cheers,
Derek
--
*8^)
Email: address@hidden
Get CVS support at <http://ximbiot.com>!
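
An added example, not part of the original message and not CVS code: a small Python check that classifies a CVSROOT string by the authentication and transport properties described in the thread above. The function name, sample hosts, users and paths are constructed for illustration, and only the :pserver: and :ext: forms discussed here are covered.

```python
import re

# Assumed CVSROOT shape: :method[;opt=val...]:[user[:password]@]host[:port]/path
CVSROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+)(?P<opts>(?:;[^:;=]+=[^:;]*)*):"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/]+)(?::(?P<port>\d*))?(?P<path>/.*)$"
)

def audit_cvsroot(cvsroot, cvs_rsh=None):
    """Return (method, findings) for one CVSROOT string (hypothetical helper)."""
    m = CVSROOT_RE.match(cvsroot)
    if m is None:
        return None, ["unparsed: not a :method:[user@]host:/path CVSROOT"]
    method, findings = m["method"], []
    if method == "pserver":
        # pserver checks $CVSROOT/CVSROOT/passwd, not the host login.
        findings.append("auth: $CVSROOT/CVSROOT/passwd (may fall back to system accounts)")
        findings.append("risk: password crosses the network almost in clear")
        findings.append("risk: password is saved almost in clear in the user's home directory")
        if m["password"] is not None:
            findings.append("risk: password embedded in the CVSROOT string itself")
    elif method == "ext":
        # ext hands the connection to the program named by CVS_RSH.
        findings.append("auth: native host login via the CVS_RSH program")
        rsh = (cvs_rsh or "").rsplit("/", 1)[-1]
        if rsh == "ssh":
            findings.append("ok: transport is ssh")
        elif rsh:
            findings.append(f"check: CVS_RSH={cvs_rsh} is not ssh")
        else:
            findings.append("check: CVS_RSH unset, set CVS_RSH=ssh explicitly")
    else:
        findings.append(f"note: method '{method}' is not covered by this thread")
    return method, findings

if __name__ == "__main__":
    # Constructed sample values; host, user and paths are placeholders.
    samples = [
        (":pserver:anonymous@cvs.example.org:/cvsroot", None),
        (":pserver;proxyport=8080:alice@cvs.example.org:/cvsroot", None),
        (":ext:alice@cvs.example.org:/cvsroot", "ssh"),
        (":ext:alice@cvs.example.org:/cvsroot", None),
    ]
    for root, rsh in samples:
        method, findings = audit_cvsroot(root, rsh)
        print(root, f"(CVS_RSH={rsh})")
        for finding in findings:
            print("   ", finding)
```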