Re: Proposal: have client CVS send remote username to server CVS

[Noel L Yap]

[EMAIL PROTECTED] on 2000.07.22 09:15:17
>>>>>> "NLY" == Noel L Yap <[EMAIL PROTECTED]> writes:
>
>NLY> How do you guarantee that CVSUSER is set properly (ie can't be
>NLY> spoofed)?
>
>Because it is verified against CVSROOT/cvspasswd file (it is extended
>and improved analog of CVSROOT/passwd from stock CVS).  Each cvs user
>has an entry there, with her very own password.
>
>NLY> PS I chose REMOTE_USER 'cos that's what Encommerce sets.  I
>NLY> haven't figured a way to spoof Encommerce's REMOTE_USER setting,
>NLY> but, then again, I'm not an expert hacker.
>
>I just wanted to explicitly state that the value of CVSUSER is being
>setup via pure CVS facilities, namely :pserver: auth protocol.  They
>are verified by separate binary, and only if they are verified, `cvs'
>binary itself is run and uses it.

I guess the ideal way is if CVS allowed for pluggable authentication.  There'd
be no need for my proposal and patch if this were the case.

Noel



This communication is for informational purposes only.  It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.