>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:
>> I haven't studied your nserver model yet, but the conventional CVS
>> has no 2-phase authentication methods available.
NLY> IMHO, it shouldn't have any authentication. Authentication
NLY> should be left to secure software.
Please take a look at the cvs-nserver patches and decide for yourself:
would you trust two binaries, 200 lines of straightforward code each,
most of it error handling?
I have uploaded the patch from cvs-1.10.8 to cvs-nserver-1.10.8.3:
http://alexm.here.ru/cvs-nserver/download/cvs-nserver-1.10.8.3.diff.gz (600k)
CONCISE GUIDE TO CVS-NSERVER PATCHES
or
It Just Looks Big (tm)
0. Code changes are mostly additions of entire files or removal of
large pieces of code. The diff file is an overwhelming 44000 lines long, but
most of it is changes to doc/*.ps and doc/*.info files (phew!).
1. A large chunk of server.c code (~600 lines) was removed, as it is
duplicated in cvs-pserver.c and the authenticators (cvschkpw and
checkpassword).
A chunk of code that handles the :nserver: protocol was added to
client.c, increasing its bloat (do not use it).
A rather big piece of code, which supported the --allow-root option,
was eliminated from root.c. Also, root.c completely reworks the
parse_cvsroot() routine (this is covered in the portnumbers patch).
2. cvs-pserver.c was written from scratch (<200 lines). It receives
from the remote client
BEGIN AUTH REQUEST
user
password
/repository
END AUTH REQUEST
sets up the CVSUSER and REPOSITORY env vars and runs the authenticator
(checkpassword or cvschkpw), piping it the user and password.
3. cvs-nserver (<200 lines) was written from scratch and is an
experimental protocol (it was written mostly to force proper layering
of logic and should not be used yet).
4a. The checkpassword/ directory contains D. J. Bernstein's
http://cr.yp.to/checkpwd.html checkpassword utility. Those who trust
not djb's code should be dragged to hell. Although I hacked it a bit
(djb sometimes acts strangely, as befits A Holy One, and does not
set up supplementary groups, thus causing grief to the cvs repository
admin). I had to take a sin upon myself and reword The Blessed Code.
Maybe I will have to rewrite ActiveX internals one day, who knows.
There is also a hack to support PAM, taken from www.qmail.org.
4b. cvschkpw.c (~250 lines) is another authenticator with the same API
described in http://cr.yp.to/checkpwd.html. It authenticates cvs
username against CVSROOT/cvspasswd file.
Both 4a and 4b verify the cvs username, setuid() to the proper cvs
server account and run the `cvs pserver' command itself under the
proper privileges.
5. Almost all other code is written to support the `cvs passwd' command
for administering the CVSROOT/cvspasswd file.
--alexm
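The layering described in points 2 and 4b above, as an added example in Python; this is not code from cvs-nserver, from cvs, or from the message's author. The front end only frames and parses the five-line auth request (field order as given in the message: user, password, /repository) and never looks at the password; the credentials go to a separate authenticator in the checkpassword form documented at http://cr.yp.to/checkpwd.html (user\0password\0timestamp\0 on descriptor 3, at most 512 bytes, exit 1 for a bad password and 2 for misuse). The sample request and password table are constructed here, sha256 stands in for crypt(3), and the cvspasswd table layout (cvs user -> hash plus system account) is an assumption, since the message does not show the file format.

```python
"""Model of the cvs-pserver front end and a checkpassword-style authenticator."""
import hmac
import io
import time
from hashlib import sha256

# Constructed sample request, fields in the line order given in the message
# (user, password, /repository).  Not captured from a real client.
SAMPLE_REQUEST = (b"BEGIN AUTH REQUEST\n"
                  b"alice\n"
                  b"hunter2\n"
                  b"/var/cvsroot\n"
                  b"END AUTH REQUEST\n")

# Constructed stand-in for CVSROOT/cvspasswd: cvs user -> (password hash,
# system account that `cvs pserver' should run as).  The real file format
# is not shown in the message, and sha256 stands in for crypt(3); both are
# assumptions of this example.
SAMPLE_TABLE = {"alice": (sha256(b"hunter2").hexdigest(), "cvs")}

CHECKPASSWORD_MAX = 512  # the checkpassword interface caps fd-3 input at 512 bytes


class ProtocolError(Exception):
    """Malformed auth request from the client."""


def parse_auth_request(stream):
    """Front end (cvs-pserver's job): read exactly the framed request and
    return (user, password, repository).  Anything unexpected is an error;
    no password checking happens here."""
    def line():
        raw = stream.readline()
        if not raw.endswith(b"\n"):
            raise ProtocolError("truncated request")
        return raw[:-1]

    if line() != b"BEGIN AUTH REQUEST":
        raise ProtocolError("expected BEGIN AUTH REQUEST")
    user, password, repository = line(), line(), line()
    if line() != b"END AUTH REQUEST":
        raise ProtocolError("expected END AUTH REQUEST")
    if not repository.startswith(b"/"):
        raise ProtocolError("repository must be an absolute path")
    if b"\0" in user or b"\0" in password or not user:
        raise ProtocolError("bad user or password field")
    return (user.decode("latin-1"), password.decode("latin-1"),
            repository.decode("latin-1"))


def checkpassword_input(user, password, timestamp=None):
    """Encode credentials the way a checkpassword-API authenticator expects
    them on descriptor 3: user\\0password\\0timestamp\\0 (at most 512 bytes)."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    blob = b"\0".join(s.encode("latin-1") for s in (user, password, ts)) + b"\0"
    if len(blob) > CHECKPASSWORD_MAX:
        raise ProtocolError("credentials exceed checkpassword's 512-byte limit")
    return blob


def check_password(blob, table):
    """Authenticator (cvschkpw's job): parse the fd-3 blob and return
    (exit_code, system_account).  Exit codes follow checkpassword:
    0 = accepted (the real program would setuid() and exec `cvs pserver'),
    1 = wrong user or password, 2 = misuse (malformed input)."""
    fields = blob.split(b"\0", 3)
    if len(fields) < 4:            # fewer than three \0-terminated fields
        return 2, None
    user, password = fields[0].decode("latin-1"), fields[1]
    entry = table.get(user)
    # Compare against a dummy hash for unknown users so the response time
    # does not reveal whether the account exists.
    expected = entry[0] if entry else sha256(b"").hexdigest()
    if entry is None or not hmac.compare_digest(sha256(password).hexdigest(), expected):
        return 1, None
    return 0, entry[1]


def handle_connection(stream, table):
    """Glue the two halves together in-process: parse, set the environment
    the message names (CVSUSER, REPOSITORY), hand credentials to the
    authenticator.  Returns (exit_code, env, system_account)."""
    user, password, repository = parse_auth_request(stream)
    env = {"CVSUSER": user, "REPOSITORY": repository}
    code, account = check_password(checkpassword_input(user, password), table)
    return code, env, account


if __name__ == "__main__":
    print(handle_connection(io.BytesIO(SAMPLE_REQUEST), SAMPLE_TABLE))
```

The point of the split is visible in the two functions: parse_auth_request is the only code that touches the network and it has no access to the password table, while check_password never sees a socket. In the real programs the handoff is a pipe on descriptor 3 and the second process ends by changing uid and exec'ing `cvs pserver'; here that step is reduced to returning the account name.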