Index: [thread] [date] [subject] [author]
  From: Aaron Van Couwenberghe <vanco@sonic.net>
  To  : ggi-develop@eskimo.com
  Date: Sat, 13 Feb 1999 08:36:58 -0800

Re: CVS maintainer?

On Sat, Feb 13, 1999 at 02:02:01PM +0100, Emmanuel Marty wrote:
> Hi Aaron,
> 
> Hope Berlin development is going well :)
> 

Sluggish but coming along. I personally don't know enough to carry it while
everyone is tending to other needs, but development will pick up again soon
enough ;)

> 
> Here I am. What do you want to know? If it is, how to have a lot of cvs
> accounts (that can be read/write or read/only on an account basis) without
> creating actual system accounts, it is very easy. In the CVSROOT/ directory
> of your repository (where you have the history, modules etc files), create
> a file called "passwd" with the format "cvsuser:cryptedpass:systemuser".
> cvsuser is the account name you give to the person, cryptedpass is a
> unix crypted password (there is currently no way to generate it with cvs,
> so just copy it from /etc/shadow or /etc/passwd), systemuser is the actual
> user the cvs daemon will run as, when spawned by this cvs user. For GGI,
> all cvs users run under the same system user as we're all civilized and
> do not delete things randomly, and sometimes people want to correct things
> in other people's code. But you can use several if you like.
> 

Currently Berlin's repo is set up similarly. One account. We're using the
rsh method (with rsh=ssh) which requires one system acct per cvs acct. Do
you know of any way to set up multiple rw accts using a strong encryption
mechanism such as ssh or ssl? I mean, without needing one system acct per
cvs acct?
	I'm examining this b/c it's just hard right now to tell who is doing
what, unless they follow a specified log format. Not exactly a major need,
but I was just seeing if I could figure it out ;)

> 
> Hope this is what you wanted to know, else feel free to ask more :)
> 

I'd like to know how secure the password method is... Are the passwords
crypt()ed at the cvs server's end? If so, you're transmitting passwords
cleartext. If they are crypt()ed locally, the possibility for trojan is
hanging right out..
	Perhaps there's a way to bottle everything up inside a ssh session,
or a tcp stream that's transparently encrypted via SSL. I know
someone that I think is looking into the latter.
	Yes, Berlin used to use pserver. But Graydon felt insecure using it,
so we switched. I personally agreed completely with that move ;)

-- 
..Aaron Van Couwenberghe... ..vanco@sonic.net.. ..aaronv@debian.org....
	Berlin:			http://www.berlin-consortium.org
	Debian GNU/Linux:	http://www.debian.org

Nullum magnum ingenium sine mixtura dementiae fuit. -- Seneca
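
An added example, not part of the original message: a small Python audit of a CVSROOT/passwd file in the "cvsuser:cryptedpass:systemuser" format Emmanuel describes. It flags malformed lines, empty password fields, traditional 13-character DES crypt hashes, and system users shared by several CVS users; the sample entries, finding codes and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "cvsuser:cryptedpass:systemuser" format described
# above; all names and hashes are made up for illustration.
SAMPLE_PASSWD = """\
alice:abJnggxhB/yJU:cvs
bob:$1$saltsalt$0123456789abcdefghijkl:cvs
carol::cvs
dave:xyZ4q1pLm0abc:dave
broken-line-without-fields
"""

# Traditional DES crypt(3) output: exactly 13 chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def audit_cvs_passwd(text):
    """Return (findings, mapping); findings are (line, code, detail) tuples."""
    findings = []
    by_system = defaultdict(list)  # system user -> CVS users that run as it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3 or not fields[0] or not fields[2]:
            findings.append((lineno, "malformed", line))
            continue
        cvsuser, crypted, systemuser = fields
        by_system[systemuser].append(cvsuser)
        if not crypted:
            findings.append((lineno, "empty-password", cvsuser))
        elif DES_CRYPT.match(crypted):
            # Old DES crypt only uses the first 8 password characters.
            findings.append((lineno, "des-crypt", cvsuser))
    for systemuser, users in sorted(by_system.items()):
        if len(users) > 1:
            # The OS sees a single account for all of these CVS users.
            detail = f"{systemuser}: {', '.join(users)}"
            findings.append((0, "shared-system-user", detail))
    return findings, dict(by_system)


if __name__ == "__main__":
    for lineno, code, detail in audit_cvs_passwd(SAMPLE_PASSWD)[0]:
        print(f"line {lineno or '-'}: {code}: {detail}")
```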
