[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: System password authentication
|
From: |
Larry Jones |
|
Subject: |
Re: System password authentication |
|
Date: |
Mon, 14 Apr 2003 17:08:45 -0400 (EDT) |
Brian Murphy writes:
>
> The code I commented on here is in the 1.11.5 release. The current
> development
> (and experimental) code is even more confusing.
How so? The code has not changed much, mostly just some rearrangement
(which was intended to make it clearer, not more confusing) and the
addition of some more calls to syslog() to assist in problem
determination when people are having trouble logging in.
> The check for a null
> "password"
> is moot at this point because it has already been passed to at least one
> function which
> has passed it to crypt (without checking for nullness).
Yes, that check should be chalked up to rampant (if not errant)
paranoia.
> I think code that
> impliments security should be very simple - this code is not.
I agree that the code should be as simple as possible, but I don't think
you can make it much simpler without changing CVS's authorization
scheme. In theory, I agree with Gregg Woods that CVS shouldn't be in
the authentication business at all, but given that it already is, I'm
not inclined to remove it since there are valid uses (although only on a
reasonably secure intranet with trusted users). You are, of course,
welcome to submit a patch if you think you can do better.
-Larry Jones
Even my FRIENDS don't do what I want. -- Calvin