Alexey Mahotkin wrote:
> It almost cleanly applies to cvs-1.10.8 and, as a matter of fact, the new
> release of cvs-nserver will be against 1.10.8.  The most significant
> modification of original code is the removal of about 600 lines from
> server.c, yet it is still way, way too long.

Ahh...  server.c is the most heavily modified part of cvsnt (essentially I had to
rewrite half of it to use threads rather than forking).  Much fun ahead, methinks...
 
> There is an obvious task to improve server.c by splitting kerberos- and
> GSSAPI-related code from it thus creating cvs-kserver and cvs-gserver.
> There is probably also need to create cvs-sslserver (I have not
> investigated yet whether we could get along with ssl-tunnel'ed server (we
> surely can not get along with ssl-tunneled client as it almost has nothing
> to tunnel)).

For NT you would also need cvs-ntserver.  It might be worth investigating whether
cvs-kserver could be ported to NT too (although the MS documentation on this is worse
than useless).
 
> It seems to me that checkpassword scheme is sub-perfect for NT though I
> could be wrong.  I've tried to research security aspects of NT but have not
> reached considerable results.  And after I learned about your project and
> changed job recently hoping not to see MS in a lifetime no more (though it
> seems like I will have to anyway) I completely relaxed and thought that I'd
> be better off with CVS under UNIX.  Though I will be glad if nserver will
> influence the development of NT-CVS or vice versa.

Under NT you can't do setuid, and you can't check against a pre-encrypted system
password.  The only way to validate a password is to attempt a non-interactive
login (after which you can change your UID to it).  Of course this means you need
the original plain-text password to work, and this has security implications.
There isn't a way around this as far as I can see.

Tony

-- 

#define QUESTION ((bb) || !(bb)) - Shakespeare

[EMAIL PROTECTED]
