Re: Proposal: have client CVS send remote username to server CVS

[Noel L Yap]

[EMAIL PROTECTED] on 2000.07.22 10:07:10
>>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:
>
>>> I haven't studied your nserver model yet, but the conventional CVS
>>> has no 2-phase authentication methods available.
>
>NLY> IMHO, it shouldn't have any authentication.  Authentication
>NLY> should be left to secure software.
>
>Please, take a look at cvs-nserver patches and decide for yourself,
>would you trust two binaries, 200 lines of straight-forward code each,
>most of that is error handling?

Yes, I still think authentication stuff should be left out of CVS.  Instead
something pluggable should exist.

For example, if instead of the password authentication protocol you suggest, I
wanted to use SRP (so that the password isn't sent over the wire at all) or SSH,
I'd be dead in the water.

Noel




This communication is for informational purposes only.  It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.