bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2


From: Derek Robert Price
Subject: Re: PAM authentication patch - v2
Date: Wed, 16 Apr 2003 10:01:21 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Brian Murphy wrote:

Mark D. Baushke wrote:

I guess that I really do not understand why :pserver: needs to use PAM
authentication. I am not saying there is not a reason, I just have not
understood it.


One good reason is that you want to use LDAP or NIS authentication but you dont want local shell users. Local shell users can do very stupid stuff like
remove parts of the repository which is not possible via pserver.


This is the kind of thing I am supporting this for. We're already allowing system passwords to be sent across the wire in the clear if that is what the adminstrator wants. We might as well go with one of the generic APIs which allows an administrator to configure where the password comes from. PAM seems to fall pretty well into the generic and well-accepted/supported category.

A note on the clear-text complaint, an SSH tunnel for the :pserver: connection isn't an uncommon configuration, which removes some of the problems Mark has been citing.

That does still leave room for improvement in the handling of the .cvspass file, but I think we should leave that for later and accept the PAM functionality. My only concern is future support of the code, but then, isn't that one of the things the experimental branch is there to test for?

Brian, your patch looked good, though I haven't attempted to install it yet, but it will still need manual (doc/cvs.texinfo) additions before it can be committed.

Derek

--
               *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
--
Boy:  A noise with dirt on it






reply via email to

[Prev in Thread] Current Thread [Next in Thread]