Hello,
I'm still thinking about rewriting the CVS authentication
method to make the remote CVS access method "pserver" more
secure.
Planned changes.
---------------
I'm going to write an external program, separated from
the CVS source, which only wraps the pserver
authentication protocol. Its name will be "cvs-auth".
Then, after authentication,
it dup's the necessary input output streams (stdin, stderr,..)
and starts the local CVS program under an authenticated user id.
To identify users _names_ instead of the authenticated id,
it appends (during the fork) something like this -u log_username
For this it is necessary to have a small patch in subr.c in
the getcaller functions.
After the fork and the dup'ed streams it _should_ work
the same as the remote access method (currently this is unchecked,
maybe this is wrong?)
The benefit of this system is:
* For every repository only two uids (for read only, write only)
* users can see who has changed what. (CVS_username is currently a :pserver
only thing)
* multiple repositories on the same server
(because it's safe to run "cvs-auth" as root)
* users can never add new members to cvs (possible over .ssh, and pserver)
Disadvantages:
* The password/changes are transferred in clear text.
(Maybe it's possible to wrap cvs-auth another time with ssh,
but I'm not sure about this)
Possible enhancements:
* make cvs-auth a pam module?
* query the user/repository/password tokens from a NIS/NIS+ table?
* sshd for port 2401?
Please feel free to comment. I posted a similar mail on
cvs-devel which produced no helpful information.
regards,
Martin
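
The following C example is added here and is not from the original mail or the CVS source: it parses the pserver login block (`BEGIN AUTH REQUEST` ... `END AUTH REQUEST`), validates the user name before it reaches the child's argv, and drops root irreversibly before exec. The `-u` option is the mail's proposed patch rather than an existing cvs flag, and the `/usr/bin/cvs` path, the character whitelist, the buffer sizes and all function names are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <string.h>
#include <unistd.h>

struct auth_req { char repo[256], user[64], scrambled[128]; };

/* Copy one '\n'-terminated line from *p into dst; reject empty or oversized lines. */
static int take_line(const char **p, char *dst, size_t cap) {
    const char *nl = strchr(*p, '\n');
    size_t n = nl ? (size_t)(nl - *p) : 0;
    if (!nl || n == 0 || n >= cap) return -1;
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p = nl + 1;
    return 0;
}

/* The name lands in the child's argv and in the history log, so accept only
 * a conservative character set (assumed policy) and never a leading '-'. */
static int user_ok(const char *u) {
    if (*u == '-') return 0;
    return u[strspn(u, "abcdefghijklmnopqrstuvwxyz0123456789_.-")] == '\0';
}

/* Parse a pserver login block. Returns 0 on success, -1 on malformed input. */
int parse_auth_request(const char *buf, struct auth_req *r) {
    char tag[32];
    if (take_line(&buf, tag, sizeof tag) || strcmp(tag, "BEGIN AUTH REQUEST")) return -1;
    if (take_line(&buf, r->repo, sizeof r->repo) || r->repo[0] != '/'
        || strstr(r->repo, "..")) return -1;
    if (take_line(&buf, r->user, sizeof r->user) || !user_ok(r->user)) return -1;
    if (take_line(&buf, r->scrambled, sizeof r->scrambled)) return -1;
    if (take_line(&buf, tag, sizeof tag) || strcmp(tag, "END AUTH REQUEST")) return -1;
    return 0;
}

/* Called after the password check succeeded. Sheds supplementary groups,
 * then gid, then uid (this order matters), and only returns on failure. */
int drop_and_exec(const struct auth_req *r, uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must be unrecoverable */
    /* "-u <name>" is the mail's proposed option; the binary path is assumed. */
    execl("/usr/bin/cvs", "cvs", "-u", r->user, "server", (char *)NULL);
    return -1;
}
```

The socket is expected to be dup'ed onto stdin/stdout before `drop_and_exec` is called, so the child inherits it across the exec.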