
Re: [PATCH] One time password


From: Derek Robert Price
Subject: Re: [PATCH] One time password
Date: Tue, 19 Aug 2003 12:33:51 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark D. Baushke wrote:

|Hi Brian,
|
|I am somewhat ambivalent about your patch.
|
|It is not clear to me how shell scripts might be
|able to pass an appropriate one-time-password to
|cvs.


Well, they shouldn't be able to, really.  OTPs usually require a human
with a little device that they can punch the PAM prompt into and which
then supplies a new, use-once password.

|Is this lack why there is no sanity.sh
|infrastructure to deal with this new feature?
|
|If it is only possible to read from /dev/tty, then
|perhaps that fact also needs to be included in the
|documentation?


I think this is the way to go with it.

|For myself, I might like to see it possible to use
|something like the ssh-askpass program such as is
|used by OpenSSH when there is a need to ask the
|user for a password, but /dev/tty is not a
|controlling terminal device?


Ooh, I'm afraid of getting involved with GUI plugins at this point.  Do
you have an architecture in mind?

What sort of cases were you attempting to handle?  CVS wrapper scripts?
Individual users and sysadmins would still be free to set up SSH if they
prefer.

|I do understand the desire to get prompted by
|a one-time-password, but wonder if :ext: using
|"ssh" as a transport does not already solve this
|problem more efficiently?


Maybe, but despite my personal preference for SSH as well, some users
still find various reasons to object to this setup.

|I believe I would like to see either Derek or Larry
|give it a thumbs-up or down.


I probably shouldn't give it a thumbs-down yet, since I suggested the
patch in the first place.  :)

I'm open to discussion, but thought that given that we were adding PAM
support in the first place, it would be worthwhile to support OTP.  At
the least, it would enable sysadmins to sidestep the almost-clear-pass
security problem if they wish to.

Derek

- --
~                *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
- --
HAMLET                  No, not I.
~  I never gave you aught.
OPHELIA
~  My honoured lord, you know right well you did,
~  And with them words of so sweet breath composed
~  As made the things more rich.  Their perfume lost,
~  Take these again.  For to the noble mind
~  Rich gifts wax poor when givers prove unkind.
~  There, my lord.

~     - Hamlet, Act III, Scene 1, Lines 96-102
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/QlFuLD1OTBfyMaQRAvukAKDfxROOsv7DVWHQ0n5mSuBlqbQD4QCg5LZa
CwLUCQTeqd9dbA8bAZ0lAvA=
=F4OB
-----END PGP SIGNATURE-----
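The thread turns on two points: an OTP prompt should reach a human, so it is read from /dev/tty rather than stdin (a shell script cannot feed it), and when there is no controlling terminal an external prompting program in the style of ssh-askpass could be used instead. The following C program is an added example written for this page; it is not code from the patch under discussion or from CVS. The function names (choose_prompt_method, read_secret_line, prompt_otp) and the environment variable OTP_ASKPASS are assumptions made for the illustration.

```c
/* Added example, not part of the bug-cvs thread or of CVS itself.
 * Prompt for a one-time password on the controlling terminal, with an
 * ssh-askpass-style fallback when no terminal is available. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

enum prompt_method { PROMPT_TTY, PROMPT_ASKPASS, PROMPT_NONE };

/* Decide where the prompt can go.  tty_path is normally "/dev/tty"
 * (parameterised so the decision can be tested without a terminal);
 * askpass is the path of an external prompting program or NULL.
 * On PROMPT_TTY, *fd_out is an open descriptor the caller must close. */
enum prompt_method choose_prompt_method(const char *tty_path,
                                        const char *askpass, int *fd_out)
{
    int fd = open(tty_path, O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        *fd_out = fd;
        return PROMPT_TTY;
    }
    *fd_out = -1;
    if (askpass != NULL && askpass[0] != '\0' && access(askpass, X_OK) == 0)
        return PROMPT_ASKPASS;
    return PROMPT_NONE;
}

/* Read one line from fd into buf (at most bufsize-1 bytes), dropping the
 * trailing newline.  Echo is disabled while reading when fd is a terminal.
 * Returns the number of bytes stored, or -1 on EOF/error with nothing read. */
ssize_t read_secret_line(int fd, char *buf, size_t bufsize)
{
    struct termios saved, noecho;
    int have_termios;
    size_t n = 0;
    ssize_t rc = 0;
    char c;

    if (bufsize == 0)
        return -1;
    have_termios = (tcgetattr(fd, &saved) == 0);
    if (have_termios) {
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &noecho);
    }
    while (n + 1 < bufsize && (rc = read(fd, &c, 1)) == 1) {
        if (c == '\n' || c == '\r')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    if (have_termios)
        tcsetattr(fd, TCSAFLUSH, &saved);
    if (n == 0 && rc != 1) {          /* EOF or error before any input */
        memset(buf, 0, bufsize);
        return -1;
    }
    return (ssize_t)n;
}

/* Prompt for a one-time password.  Returns 0 and fills buf on success,
 * -1 when neither a terminal nor an askpass helper is available, which is
 * the situation a non-interactive shell script ends up in. */
int prompt_otp(const char *prompt, char *buf, size_t bufsize)
{
    int fd;
    const char *askpass = getenv("OTP_ASKPASS");   /* hypothetical variable */
    enum prompt_method m = choose_prompt_method("/dev/tty", askpass, &fd);

    if (m == PROMPT_TTY) {
        (void)write(fd, prompt, strlen(prompt));
        ssize_t got = read_secret_line(fd, buf, bufsize);
        (void)write(fd, "\n", 1);
        close(fd);
        return got < 0 ? -1 : 0;
    }
    if (m == PROMPT_ASKPASS) {
        /* Run the helper with the prompt as its argument and read the
         * password from its stdout, as ssh does with SSH_ASKPASS. */
        int p[2];
        if (pipe(p) != 0)
            return -1;
        pid_t pid = fork();
        if (pid == 0) {
            close(p[0]);
            dup2(p[1], STDOUT_FILENO);
            close(p[1]);
            execl(askpass, askpass, prompt, (char *)NULL);
            _exit(127);
        }
        close(p[1]);
        ssize_t got = (pid > 0) ? read_secret_line(p[0], buf, bufsize) : -1;
        close(p[0]);
        if (pid > 0)
            waitpid(pid, NULL, 0);
        return got < 0 ? -1 : 0;
    }
    return -1;
}

int main(void)
{
    char otp[128];
    if (prompt_otp("One-time password: ", otp, sizeof otp) != 0) {
        fprintf(stderr, "no terminal or askpass helper available\n");
        return 1;
    }
    /* a real client would now hand otp to the server's PAM conversation */
    memset(otp, 0, sizeof otp);
    return 0;
}
```

Opening /dev/tty with O_NOCTTY fails with ENXIO when the process has no controlling terminal (cron jobs, daemons, a wrapper script run under nohup), which is exactly the case where the prompt must either go to an external helper or fail outright rather than silently read from a redirected stdin.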