On Wed, Mar 28, 2007 at 12:45:04PM -0400, Mike Erdely wrote:
> Joachim Schipper wrote:
> >On Tue, Mar 27, 2007 at 04:49:05PM -0400, Mike Erdely wrote:
> >>I'm trying to get login_ldap to work with cvs pserver (run out of inetd).
> >I think you are misunderstanding some things, or doing something that
> >doesn't work; however, since I've never tried to set up a pserver, you'd
> >best check what I'm going to say next.
> 
> I tried to give as much info as I could...
> 
> >First, read login.conf(5), and note that just adding the above isn't
> >going to help any. You must define a new login class, at least, and
> >change master.passwd(5) to make sure the appropriate user has your newly
> >defined login class (the value of 'appropriate' depends on whether or
> >not the stuff below is correct...).
> 
> I did read login.conf(5) and I must have missed something.  But, I think 
> you're not understanding how this stuff works:

Quite possibly, hence the above caveat.

> 1. I installed the login_ldap package.
> 2. I added a ldap section to login.conf
> 3. I configured my users to be part of the ldap class (using vipw). 
> Users have no local password set.
> 4. I tested using CVS over SSH and it works as expected.
> 5. I tried using pserver and cannot authenticate.
> 6. I set a local password that is different from my ldap password (ssh 
> still uses ldap.  sudo still uses ldap).
> 7. I tried pserver and was able to authenticate with the local password 
> but not ldap's password.
> 
> I had previously had a similar problem with ftp until I made this change 
> to login.conf:
> - auth-ftp-defaults:auth-ftp=password:
> + auth-ftp-defaults:auth-ftp=-ldap:
> 
> >Then, you should have whatever daemon your users use to connect with the
> >usual BSD login mechanism (which might be called bsdauth, or whatever).
> >I don't believe GNU CVS does that, and OpenCVS doesn't do authentication
> >at all. Your best bet is probably setting up ssh; sshd uses the BSD
> >authentication routines by default.
> 
> You would think that the daemon would use "the usual BSD login 
> mechanism" but ftpd doesn't.  And pserver running out of inetd doesn't 
> either.  I don't know if the fact that I'm using inetd for pserver has 
> any bearing on this issue, but I thought giving all information would be 
> helpful.

Actually, ftpd does. inetd doesn't do authentication at all, and
pserver... well, see below.

> I know my "best bet" is using ssh.  I'd much rather use ssh.  But you 
> can't always do what you want.  Some of my 50 developers are using COTS 
> development tools that ONLY know pserver.  They don't like it either, 
> but it's required for the project they're working on.  So, while pserver 
> sucks, it's necessary in this case.
> 
> >However, unless I am sorely mistaken, by this point, there's no need to
> >set up inetd and what you have is a CVS repository, but *not* a pserver.
> 
> What I've decided to do, since I can't make this work ('cause I'm an 
> idiot) and pserver is insecure and sucks, is to set local passwords for 
> users that require pserver that are different from their LDAP password.  
> That way, their LDAP password won't go in the clear.

That is a good solution. The problem is, in fact, rather simple: pserver
does not use BSD authentication. This is documented in
http://ximbiot.com/cvs/manual/cvs-1.12.13/cvs_2.html#SEC31 and
elsewhere; however, that page also suggests that you could create a
custom password file. Maybe a small script is in order (get 'cvspass'
from LDAP, format text file, mv it over the old one, repeat every x
minutes)?

Anyway, good luck, and let us know if you have any more problems.

                Joachim
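
An added example of the script sketched in the reply above (pull a CVS-only hash from LDAP, format it as CVSROOT/passwd, mv it over the old file). It is not code from the thread, from CVS or from login_ldap. It assumes a hypothetical LDAP attribute named 'cvspass' that holds a crypt(3)-style string, and a single local account 'cvs' that every pserver login is mapped to; both names are made up. The ldapsearch call is replaced by constructed sample LDIF so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from CVS/login_ldap: build
# CVSROOT/passwd from an LDAP attribute holding a CVS-only crypt(3) hash,
# and replace the file atomically with mv.
#
# Assumptions (not on the page): the attribute is called 'cvspass', it holds
# a crypt(3) string, and all pserver logins map to one local account, 'cvs'.

CVS_SYSTEM_USER=cvs

# Constructed sample LDIF standing in for
#   ldapsearch -LLL -x -b "ou=people,dc=example,dc=com" '(cvspass=*)' uid cvspass
# The hashes are made-up strings in MD5-crypt layout, not hashes of any password.
# carol has no cvspass; dave's is base64-encoded (attr::), which we refuse.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
cvspass: $1$Zt3Y9kQp$GbQ0yFpN8eJg2Mw1uPxV0/

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
cvspass: $1$Hq7sLm2W$c4XoR9tEa1yKd8vB3nGfZ.

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
cvspass:: JDEkWHh4eHh4eHgkYWJjZGVmZ2hpamtsbW5vcHFyc3R1dg==
'

# Read LDIF on stdin, write CVSROOT/passwd lines: user:hash:system_user.
# Entries without a cvspass value are dropped, so a user with no CVS-specific
# hash cannot log in through pserver at all. Base64 values and values
# containing ':' are skipped with a message instead of being written.
ldif_to_cvs_passwd() {
    awk -v sysuser="$CVS_SYSTEM_USER" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF record per paragraph
        {
            uid = ""; hash = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "uid: ") == 1)      uid  = substr($i, 6)
                if (index($i, "cvspass: ") == 1)  hash = substr($i, 10)
                if (index($i, "cvspass:: ") == 1) {
                    print "skipping base64 cvspass in record " NR > "/dev/stderr"
                    next
                }
            }
            if (uid == "" || hash == "") next
            if (index(uid, ":") || index(hash, ":")) {
                print "skipping malformed entry for " uid > "/dev/stderr"
                next
            }
            print uid ":" hash ":" sysuser
        }'
}

# Write the new file beside the old one and mv it into place, so pserver
# never reads a half-written passwd file. Refuse to install an empty file:
# an LDAP outage must not lock everyone out (or, worse, ship an empty file).
install_cvs_passwd() {
    repo=$1                                   # e.g. /cvs
    target="$repo/CVSROOT/passwd"
    tmp=$(mktemp "$repo/CVSROOT/passwd.XXXXXX") || return 1
    if cat > "$tmp" && [ -s "$tmp" ]; then
        chmod 0600 "$tmp" && mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        echo "refusing to install an empty passwd file" >&2
        return 1
    fi
}

# Stand-alone run: show what the sample LDIF becomes. The real cron job
# (every few minutes, as the reply suggests) would be:
#   ldapsearch -LLL -x -b "$BASE" '(cvspass=*)' uid cvspass \
#       | ldif_to_cvs_passwd | install_cvs_passwd /cvs
printf '%s\n' "$SAMPLE_LDIF" | ldif_to_cvs_passwd
```

pserver checks the hash with crypt(3), so whatever is stored in the LDAP attribute has to be a format the server's libc crypt accepts. Set `SystemAuth=no` in CVSROOT/config as well, so pserver consults only this file and never falls back to the system password database; otherwise the separate-password scheme above is only half enforced.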
