Re: [Cvs-dev] Re: cvs-passwd patch

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

P J P <address@hidden> writes:

> On Wed, 1 Nov 2006, Mark D. Baushke wrote:
> >>> But all commands that manipulate the repository should be able to
> >>> perform all of those manipulations regardless of connection method.
> >>
> >>    Yes, quite fair! But then, isn't it equally important that, all the
> >> *required* manipulations to the repository, be supported by a
> >> connection method?
> >
> > You asserting that it is required that a separate :pserver: connection
> > is required to authenticate the old password. This is an assertion I
> > reject.
> 
>    No! all I'm saying is, "authentication of old password is required,
> by any means". And also that, "a user, herself, should be able to
> change her (:pserver: or anyother) password, using normal cvs client".

Those requirements are not really compatible with the CVSNT protocol.

> > There is nothing stopping you from using the current server connection
> > to send a message from the client to the server with the old password
> > and ask if it matches. A mismatch should probably generate a log event
> > of a bad password exploration. Yes, this would require a new protocol
> > token and round-trip. However, it will probably be less expensive than
> > setting up a new :pserver: connection just to see if you can.
> 
>    Oh okay! You mean, I should send the *current* password along with
> the *new* one, to the server(in single connection) and then perform
> the check myself, right? That's fine with me, I'll do the changes.

In a single connection, yes. As a part of the "passwd" command, maybe
not or maybe not. It will probably need to be either another option to
the passwd command or a separate command transaction. Given that you
have passwd-e, you could leverage that to allow sending the old password
in a separate option if the server supports passwd-e and NOT send it if
it is not supported.

> Please let me know, if you've any more inputs about this.

Sure. The other constraint is that you may not violate the CVSNT passwd
defined protocol.

> >>> I think you have switched SystemAuth=yes for SystemAuth=no here.
> >>
> >>    I have?! I'm sorry!! I thought, SystemAuth=no means, cvs(:pserver:,
> >> :kserver:, etc) would make use of `CVSROOT/passwd' authentication,
> >> instead of `/etc/passwd'. And user can not change those credentials
> >> using cvs client, can she?
> >
> > At present, no CVS user is able to alter any credetials at all...
> 
>    Exactly that is the problem I faced. And I'm just trying to solve it.

Yes.

> > What protocol does CVSNT use to verify the current password today before
> > allowing the change?
> 
>    Well, they just directly prompt for the `New Password: ' then
> `Verify Password: ' followed by send_arg (typed_password);
> send_to_server ("passwd\n");
> 
>    They don't seem to verify it anywhere.

Exactly. So, if you are a CVS client talking with a CVSNT server, you
will be required do the same thing.

If you are a CVS server listening to a CVSNT client, then you will need
to accept the password change without a verification of the old password.

It may be desirable to add a configuration option to CVSROOT/config to
allow the CVS maintainer to disallow this situation, although I think
this would need more discussion by the CVS and CVSNT maintainers.

fwiw: I do not ever really trust the client to be secure. If the user is
able to make an authenticated connection, then it could have been anyone
at all who did it and the server really has no way to tell if the client
ever did the right thing or not.

So, I honestly don't think that there ever needs to be a verification of
the old password. You know that I have said the same thing more than
once in the past, so it should not be a surprise to you.

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFFSZ0oCg7APGsDnFERAq44AKCuDUmQGNuaNqMxhM+MElDB5asnCACg6Bu3
D7DOQB4707hErEtF0SfK5rg=
=cCdh
-----END PGP SIGNATURE-----