Re: PAM authentication patch - v2

[Derek Robert Price]

Brian Murphy wrote:

> Derek Robert Price wrote:
>
> > Brian, your patch looked good, though I haven't attempted to install 
> > it yet, but it will still need manual (doc/cvs.texinfo) additions 
> > before it can be committed.
>
> How is this?


Now that I'm thinking about it, how about installing a default 
/etc/pam.d/cvs file which duplicates the old system password behavior 
when CVS is compiled to use PAM?

> Index: doc/cvs.texinfo
> ===================================================================
> RCS file: /cvs/cvs/doc/cvs.texinfo,v
> retrieving revision 1.1.1.2
> retrieving revision 1.3
> diff -u -r1.1.1.2 -r1.3
> --- doc/cvs.texinfo     13 Apr 2003 20:34:16 -0000      1.1.1.2
> +++ doc/cvs.texinfo     16 Apr 2003 16:25:45 -0000      1.3
> @@ -2489,13 +2489,41 @@
> the username and password using the operating system's
> user-lookup routines (this "fallback" behavior can be
> disabled by setting @code{SystemAuth=no} in the
> -@sc{cvs} @file{config} file, @pxref{config}).  Be
> -aware, however, that falling back to system
> +@sc{cvs} @file{config} file, @pxref{config}).
> +
> +The default fallback behaviour is to look in 
> +@file{/etc/passwd} for this system password but if your
> +system has PAM - Pluggable Authentication Modules - then

...and CVS is configured to use it at compile time...

> +cvs will use that instead. This means that with a 
> +global configuration file usually @file{/etc/pam.conf}
> +or possibly @file{/etc/pam.d/cvs}
> +you can tell cvs to use LDAP or normal UNIX passwd 
> +authentication or many other possibilities - see your
> +PAM documentation for details. CVS needs an "auth" 
> +and "account" module in the PAM configuration file. 
> +Using PAM gives the system administrator much more 
> +flexibility in how cvs users are authenticated but 
> +no more security than other methods, see below.
> +
> +Be aware, however, that falling back to system
> authentication might be a security risk: @sc{cvs}
> operations would then be authenticated with that user's
> regular login password, and the password flies across
> the network in plaintext.  See @ref{Password
> authentication security} for more on this.
> +This may be more of a problem with PAM authentication
> +because it is likely that the source of the system 
> +password is some central authentication service like
> +LDAP which is also used to authenticate other services.
> +On the other hand PAM makes it very easy to change 
> +your password regularly - this is impossible to do 
> +for a user authenticated via cvs' private password file
> +without total access to the @file{CVSROOT/passwd} file 
> +, i.e. the user needs all rights to the repository to 
> +allow password change which in my experience means 
> +the password never gets changed, see below. Users are
> +much more willing to change their password regularly
> +if they only have to remember one. 
>
> Right now, the only way to put a password in the
> @sc{cvs} @file{passwd} file is to paste it there from
>  

At that, typical contents (/etc/passwd authenticating) for 
/etc/pam.d/cvs should be listed in the manual like we do for inetd.

Derek

--
               *8^)

Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
--
I did not see Elvis.
I did not see Elvis.
I did not see Elvis...

         - Bart Simpson on chalkboard, _The Simpsons_