bug-cvs

Re: PAM in cvs 1.11


From: Derek Price
Subject: Re: PAM in cvs 1.11
Date: Thu, 07 Apr 2005 16:41:58 -0400
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Yves Dorfsman wrote:

| Hi,
|
| I am on a site where they are changing the way the OS is
| authenticating users, moving away from NIS to LDAP. My
| understanding is that the only way to get CVS working in pserver
| mode in that case is to use PAM.
|
| PAM is supported in CVS 1.12, but this customer does not want to
| run a non-release version of a software.
|
| From what I can see, it should be relatively easy to put the
| piece that deals with PAM from 1.12 and put it in 1.11, and my
| next step is to
| try to do that (copying the relevant pieces in src/server from 1.12
| to 1.11). A few questions:
|
| 1) Has anybody else done this already (so that we don't waste our
| time re-inventing the wheel) ?


Not that I know of.

| 2) is there any reason why it shouldn't be attempted ?


Yes.  I would avoid pserver and thus any authentication handled by the
CVS server if at all possible.  CVS does not get thorough security
audits and pserver mode is extremely insecure for a number of known
reasons, regardless.  You are much better off going with restricted
SSH shell access to the CVS server, enabling use of your local OS's
file system permissions as well.  SSH should also already work with PAM.

If you cannot convince your customer that pserver access to a CVS
server is, if not *actually* the work of the devil, then pretty
similar, then, no, there is nothing inherently worse about PAM
installed in CVS 1.11 than PAM installed in CVS 1.12, once you've
already decided to ignore the potential for destabilization of the
stable tree.

| 3) If we do it and make it work, is there a chance to get that
| integrated in a future release of CVS 1.11 ?


Probably not.  With any luck 1.12 will become stable in the next six
months to a year, anyhow.

Regards,

Derek





