Re: SSH configuration
Derek Robert Price
Wed, 17 Nov 2004 14:21:03 -0500
Mark D. Baushke wrote:
> jsWalter <address@hidden> writes:
> >>Paola Attadio writes:
> >>>Is possible use SSH with cvs users ($CVSROOT/CVSROOT/passwd)?
> >>Larry Gave us:
> >No on ($CVSROOT/CVSROOT/passwd)?
> $CVSROOT/CVSROOT/passwd only applies with :pserver: access mode.
> >Or no CVS with SSH?
> CVS with :ext: and a CVS_RSH=ssh environment variable uses ssh as
> transport which uses the native host login method.
> CVS with :pserver: uses $CVSROOT/CVSROOT/passwd (or, optionally there is
> a way to configure 1.12.x to use PAM instead)
Actually, old versions of CVS and 1.12.x can also fall back on system
authentication (/etc/passwd or whatever the local getpwnam() happens
to use - NIS/PAM/whatever). Of course, even aside from not
recommending :pserver: for any non-anonymous, non-sensitive connection
not behind a pretty secure firewall, I would strongly advise against
falling back on system, NIS, or PAM authentication via pserver since
pserver already sends almost-clear passwords across the network and
saves almost-clear passwords in users' home directories.
You can mitigate the risks of pserver password security (or lack
thereof) somewhat via SSH tunneled connections, but this doesn't solve
all the problems.
> It is possible that :ext: may some day be extended to allow the
> to be encoded as an option much as the :pserver;proxyport=<number>: may
> be encoded today in the cvs 1.12.x (feature) branch of cvs.
And this would be a fairly straightforward change if anyone new to CVS
(or otherwise) wanted to try their hand at hacking it and submitting a
patch. Most of the offending code should be in the parse_cvsroot()
function in src/root.c and the bulk of the work was already done to
handle proxyport and its brethren.
Get CVS support at <http://ximbiot.com>!
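An added example, not part of the original message and not CVS's own code: a small Python audit that classifies CVSROOT strings (for instance the contents of a working copy's CVS/Root file) by the access methods discussed in the thread and flags :pserver: roots. The sample hostnames, the severity labels and the heuristic that a loopback host suggests an SSH tunnel are assumptions.

```python
import re

# Assumed CVSROOT shape: [:method[;opt=val...]:][user@]host[:port]/path
_ROOT = re.compile(r"^:(?P<method>[A-Za-z]+)(?P<opts>(?:;[^;:]*)*):(?P<rest>.*)$")
_LOOPBACK = {"localhost", "127.0.0.1"}

def parse_cvsroot(root):
    """Split a CVSROOT string into access method, method options and host."""
    root = root.strip()
    m = _ROOT.match(root)
    if m:
        method, rest = m.group("method").lower(), m.group("rest")
        opts = dict(o.partition("=")[::2] for o in m.group("opts").split(";") if o)
    else:
        # No :method: prefix: an absolute path is local, host:/path is ext.
        method = "local" if root.startswith("/") else "ext"
        rest, opts = root, {}
    host = None
    if method != "local":
        hostpart = rest.split("/", 1)[0]          # [user@]host[:port]
        host = hostpart.rsplit("@", 1)[-1].split(":", 1)[0] or None
    return {"method": method, "options": opts, "host": host}

def audit(root, cvs_rsh=None):
    """Return (severity, reason); cvs_rsh is the value of CVS_RSH, if set."""
    info = parse_cvsroot(root)
    if info["method"] == "pserver":
        if info["host"] in _LOOPBACK:
            return ("medium", "pserver to loopback, possibly SSH-tunneled; "
                              "the password saved on the client remains")
        return ("high", "pserver sends an almost-clear password over the network")
    if info["method"] == "ext":
        if cvs_rsh == "ssh":
            return ("ok", "ext over ssh, native host login")
        return ("review", "ext transport is whatever CVS_RSH names: %r" % cvs_rsh)
    return ("info", "method %s not assessed here" % info["method"])

if __name__ == "__main__":
    # Constructed sample roots; example.org hosts are placeholders.
    samples = [
        ":pserver;proxyport=8080:anon@cvs.example.org:2401/cvsroot",
        ":pserver:dev@localhost:/cvsroot",
        ":ext:dev@cvs.example.org:/cvsroot",
        "/var/cvsroot",
    ]
    for s in samples:
        print("%-8s %s" % (audit(s, cvs_rsh="ssh")[0], s))
```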