Alexey Mahotkin wrote:

> >>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:
>
> >>  If the OpenSSH client always sends wrong info (I mean username and
> >> password here), then cvs-server will never authenticate it ;)
>
> NLY> I think we're arguing different points here.  My point is that
> NLY> the OpenSSH client can send over a valid CVS username and
> NLY> password.  It's just that the username/password doesn't belong to
> NLY> the client.
>
> I can't understand how you can call "valid" u/p that do not belong to
> the client.  Who thinks of them as valid?

[snip]


> --alexm
>
> P.S.: Derek, could you please make any conclusion or summary out of
> our long enough and learned enough dispute? ;)

I think Noel is referring still to the SSH client authenticating as a
single UNIX user but then attempting to map to many CVS users.  I have
been objecting to the part, as I understand the request and as I think
you understood it, about not requiring passwords or other
secure/semi-secure methods for the second phase authentication.  I
haven't studied your nserver model yet, but the conventional CVS has no
2-phase authentication methods available.  If it is using any :ext:
method (RSH, SSH, etc.) or pserver, the originally authenticated user
name is what you will see in the logs, though you can map to a secondary
user which the CVS server will run under - convenient for file
permissions, though I would usually rather map each user to their own
user ID and rely on the OS's users, groups, & file permissions to do that
job.

I'm not sure Noel understands what we mean by authenticate.  I just said
this in a previous email, but an SSH server is relying on a standardized
protocol and a password known (in theory) only to it and a particular
user.  It is irrelevant if an OpenSSH client has been hacked, because a
malicious user with a "pure" client could have obtained the same
information if they already had the user's password (or private key in
some cases) and a "hacked" client which didn't have the correct password
or which didn't support the protocol properly couldn't have authenticated
anyhow.

Derek

--
Derek Price                      CVS Solutions Architect
mailto:[EMAIL PROTECTED]     OpenAvenue ( http://OpenAvenue.com )
--
The home town of American Olympic Champion skier, Picabo Street, has
decided to recognize their "favorite daughter" by naming the new wing
of the local hospital in her honor.  That wing, which will include a
state-of-the-art Intensive Care Unit, will hereafter be known as the
"Picabo, ICU".
