[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PAM in cvs 1.11
Re: PAM in cvs 1.11
Thu, 07 Apr 2005 16:41:58 -0400
Mozilla Thunderbird 1.0 (Windows/20041206)
-----BEGIN PGP SIGNED MESSAGE-----
Yves Dorfsman wrote:
| I am on a site where they are changing the way the OS is
| authenticating users, moving away from NIS to LDAP. My
| understanding is that the only way to get CVS working in pserver
| mode in that case is to use PAM.
| PAM is supported in CVS 1.12, but this customer does not want to
| run a non-release version of a software.
|> From what I can see, it should be relatively easy to put the
|> piece that
| deals with PAM from 1.12 and put it in 1.11, and my next step is to
| try to do that (copying the relevant pieces in src/server from 1.12
| to 1.11). A few questions:
| 1) Has anybody else done this already (so that we don't waste our
| time re-inventing the wheel) ?
Not that I know of.
| 2) is there any reason why it shouldn't be attempted ?
Yes. I would avoid pserver and thus any authentication handled by the
CVS server if at all possible. CVS does not get thorough security
audits and pserver mode is extremely insecure for a number of known
reasons, regardless. You are much better off going with restricted
SSH shell access to the CVS server, enabling use of your local OS's
file system permissions as well. SSH should also already work with PAM.
If you cannot convince your customer that pserver access to a CVS
server is, if not *actually* the work of the devil, then pretty
similar, then, no, there is nothing inherently worse about PAM
installed in CVS 1.11 than PAM installed in CVS 1.12, once you've
already decided to ignore the potential for destabilization of the
| 3) If we do it and make it work, is there a chance to get that
| integrated in a future release of CVS 1.11 ?
Probably not. With any luck 1.12 will become stable in the next six
months to a year, anyhow.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----