Re: Proposal: have client CVS send remote username to server CVS

[Derek R. Price]

Noel L Yap wrote:

> Yes, I still think authentication stuff should be left out of CVS.  Instead
> something pluggable should exist.
>
> For example, if instead of the password authentication protocol you suggest, I
> wanted to use SRP (so that the password isn't sent over the wire at all) or SSH,
> I'd be dead in the water.

I can't really object to a pluggable solution which implements your desired
functionality, but I would not like to see such an insecure mechanism become part
of the main CVS executable or be easy for a user to apply without being aware of
the possible consequences and drawbacks.

Again, I haven't examined Alex's nserver mechanism closely, but if it supports PAM,
you should already have hooks available to plug in some other authentication
module.

As a side topic, has anybody with commit access to the CVS tree examined Alex's
nserver model and code for inclusion?

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:[EMAIL PROTECTED]     OpenAvenue ( http://OpenAvenue.com )
--
I did not see Elvis.
I did not see Elvis.
I did not see Elvis...

          - Bart Simpson on chalkboard, _The Simpsons_