bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2


From: Mark D. Baushke
Subject: Re: PAM authentication patch - v2
Date: Tue, 15 Apr 2003 19:16:38 -0700

Kevin Wang <address@hidden> writes:

> our environment: 
> 
> imap uses system password, and is typically 'remembered' by their email
> client (outlook), which we all know is trivially hashed in the registry.

My condolences. However, I would hope that you are at least using one of
the SSL versions of imap so that no password is going across your
network in the clear.

> cvs server is redhat

Okay.

> users are pretty much all on windows machines that primarilly support
> :pserver:.  I actually have no idea if rsh would work under windows.

I am given to understand that there are a number of different
implementations of rsh that work fine under windows, but you need to
have either the hosts.equiv setup properly or a .rhosts file for them
to work properly.

> rsh is actually not installed, so it'd have to be ssh.

I am not sure that follows given that you may need to deploy new
versions of cvs to every desktop if you provide hooks for PAM in it.
Installing an rsh is not that big a deal is it? (Clearly you don't
really care about security anyway, so rsh should not be a problem for
you.)

ssh would work (and would be my preference). It gives you the single
sign-on you want and there are ways to setup a .shosts file to allow
rsh-like host-based authentication if you really want it so that there
is no need to play with either ssh-agent or with keys that do not have
encrypted private keys.

Or you could install cygwin's 'inetutils' package which has an rsh that
should work too. There are a few other rsh.exe packages out on the net
that also exist, but I am not really a windows user, so I am not able to
give you any feedback on them.

> so it would be nice to tie into the existing /etc/passwd password system.
> most users already use the same password for mail and cvs. policy or not,
> that's what the users want to do; single sign-on.

To be honest, it sounds like your users would be happy with a :pserver:
connection that let them spew any arbitrary password they wanted in
order to login as they will apparently only ever type it into the 
cvs login command at most once in their entire lives. What am I missing?

btw: I hope none of them have wireless connections without strong VPN
crypto... could be a big security leak otherwise.

I doubt I can convince you of how evil it is to send passwords in the
clear for your :pserver: connections to cvs. I just shudder to think of
folks seeing that cvs support PAM and thinking for some reason that it
is not leaking their passwords in a large number of ways.

        Later,
        -- Mark




reply via email to

[Prev in Thread] Current Thread [Next in Thread]