Re: identifying user at commit time

[Todd Denniston]

address@hidden wrote, On 09/26/2007 02:08 AM:
> On 25 Set, 22:01, Todd Denniston <address@hidden>
> wrote:
> > As you use CVSNT you might get answers, we don't know about, by using their
> > mailing lists:http://www.cvsnt.org/
> > newsgroup:http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
> > or
> > news://news.cvsnt.org/support.cvsnt
>
> I thougth it was a general CVS related question, not specific of the
> system in use (the communication protocol and sytax seemed to me to be
> the same...), so I hoped to find answer here, too. Anyway I will try
> also there! :-)

It almost is, but I know cvsnt has some "special for windows" connection 
methods, of which I know almost nothing about.

> > > Questions:
> > > - is it possible to specify an user name (and password) at commit
> > > time, regardless of the username that has been used to checkout the
> > > module?
> > Sort of.
> > You did not specify your connection method
>
> pserver for the moment, just becouse I had some problem configuring
> ssh access on the windows server...

Maybe these will help:
http://ximbiot.com/cvs/wiki/index.php?title=CVS_FAQ#How_do_I_set_up_a_CVS_server_for_access_via_SSH.3F
http://ximbiot.com/cvs/wiki/index.php?title=CVS_FAQ#How_do_I_set_up_a_CVS_server_for_access_via_ext_or_pserver_on_Windows
The link to the http://www.cvsnt.com/wiki seems broken right now for some 
reason, perhaps it should be http://www.cvsnt.org/wiki.


> > nor if you could have more than one
> > user on the server
>
> yes, I can configure as amany users I want... and I dont'n need
> hundreds! :-)
>
> > so I assume any connection method can be used and you can
> > put users on the server.
>
> Perfect
>
> > 1) If you can use ssh access, the user name on the server does not have to
> > match the user on the client end, setup ssh(putty)/cvs to make it's
> > connections with user name set to the appropriate value.
> >
> > 2) Although pserver has security issues (read the list for details if you want
> > them), I believe it can be setup with "virtual" cvs users, i.e., user names
> > cvs knows about instead of the system.  I am not sure but I suspect it will
> > use those user names in the logs instead of the generic user it is running
> > under. I  don't know if pserver will work with a windows (CVSNT) server.
> >
> > > - do you know any client that could be configured to ask for this at
> > > each committ operation? or should each users learn command-line usage
> > > of cvs?
> > NO.
> >
> > > - in case the solution I proposed is not feasible, do you have any
> > > suggestion/workaround/trick to track who made some change to a file
> > > even if it has been done on a common machine under a common account?
> > I think you should be able to setup individual user accounts on the server and
> > connect using ssh, in this way the users can specify their user name and be
> > required to prove it with the correct authentication data (password or key).
>
> If I correctly understood, you are telling me that:
> - yes, I can perform commit operations with an user name different
> from that used to check-out the module (so a can change username for
> each commit operation)

It can be done easily with ssh, as you configure your ssh client to use what 
ever user name is valid for the current user, i.e. in putty I would see a list 
of machines to connect to (looking like user1ToServer, user2ToServer...) and I 
would pick my username from the list, CVS would then just use the ssh that was 
setup.

with PSERVER, IIRC, your username gets embedded in each sandbox directory's 
CVS/Root file on checkout and thus is more difficult to change the username, 
i.e., each CVS/Root file would have to be modified each time a different user 
wanted to do a CVS command.
If the users don't have to share the same _physical_ sandbox, which in most 
cases they don't, then each one could do a pserver checkout as themselves on 
the client machine and then always use their own physical sandbox to do work, 
they should not have too many problems. One slight problem with this method 
and _your_ setup, is that IIRC using the pserver protocol cvs||cvsnt will 
cache your password in a well known location, so the users will need to do 
"cvs login" and "cvs logout" at the beginning and end of their work times so 
that no one else can trivially impersonate them (of course you should have a 
big stick if someone does that anyway).

There is one other method I just remembered that could be used, but I expect 
it will be harder to implement, and is dead trivial to spoof.
use CVSROOT/rcsinfo and CVSROOT/verifymsg to force folks to put _A_ known 
username in a particular line of the commit comment.  Of course this method 
relies on, carrot and stick, behavior modification to work.


> - I should be able to do that by command line simply specifyng the
> username at commit time. Implementation details depend on connection
> method

Unfortunately not on the command line, but "Implementation details [do] depend 
on connection method".


> - you don't know any "graphical" client that can be configured to ask
> for an user name at each commit operation

Putty sort of does, the "machine to connect to" list, and then any cvs client 
software using the connection will use the "right" username.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter