Re: PAM authentication patch - v2

[Derek Robert Price]

Matt Doar wrote:

> Correct. The functionality of the patch is *exactly* what I want. I'm
> really hoping Derek finds time to get it in. The extra functionality
> Derek mentioned would be nice, but I suspect it is not crucial for many
> sites.

I think some sites will find the cleartext password issue, at the least, 
crucial.  As is mentioned often on this list and in the CVS 
documentation, CVS stores password in almost clear text in ~/.cvspass 
and sends password across the network in cleartext by default.  Adding 
this PAM functionality is going to open some configuration possibilities 
for system administrators, which is nice, but it is also making it much 
easier for them to allow their user's system and possibly network-wide 
password to be compromised.

I was hoping to engender some discussion on these issues and perhaps 
come up with some ideas for how to get around them.  It's a can of worms 
I'm not sure I'm happy to be opening up, and why PAM support and other 
authentication methods have mostly been ignored by the CVS development 
team up to now in favor of things like SSH or tunneled pserver 
connections.  It's also why this feature is currently considered 
experimental until we get some feedback.

I'm not one to necessarily stop people from shooting themselves in the 
foot, but I do like to let them know when I hand them a gun.

I was also hoping the discussion and ideas that come out of this might 
encourage others to submit patches.  It is unlikely that I will have the 
time to handle all the PAM support myself and if this feature is going 
to move out of the experimental phase, it will need to be maintained.

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
BREAKFAST.EXE exited with non-zero status: Cereal Port Not Responding.