[Cvsnt] Re: user-aliases ? - PARTIALLY WORKING NOW
Bo Berglund
bo.berglund at telia.com
Tue Apr 2 22:48:44 BST 2002
On Tue, 2 Apr 2002 21:04:57 +0000 (UTC), Brian Smith
<brian-l-smith at uiowa.edu> wrote:
>Bo Berglund wrote:
>> On Tue, 2 Apr 2002 18:24:43 +0000 (UTC), Brian Smith
>> <brian-l-smith at uiowa.edu> wrote:
>>
>>
>>
>> I hope still only logins listed in the passwd file gets past the sspi
>> authentication?
>
>No, the passwd file is only for :pserver:. When you are using :sspi: you
>are saying you want to be authenticated by the domain, not by the passwd
>file. In fact, in :sspi: mode you are actually authenticated before the
>server even knows what the the requested CVSROOT root is.
>
>Remember, the passwd file is only for authentication, not authorization.
>
>- Brian
>
Well, not quite so with CVSNT. I agree to a point because the passwd
file does not carry any authentication data like passwords or so to be
used with ntserver and sspi for example.
BUT any user that wants to use cvs has to be listed in the passwd file
(login name only, no password) in order to be accepted. If he is found
there then CVSNT goes on to the domain or local system user database
to verify him.
A user not listed in the passwd file will not be able to use CVSNT at
all.
This was not so in 1.10.8 but was included in some level of 1.11.1 and
according to Tony it adheres to the way main CVS works.
This is a very good way to keep tabs on who can use cvs and who
cannot. I for one don't want just any casual domain user able to check
out our software base. So I rely on the passwd file stopping this from
happening even though I use ntserver protocol. I am thinking of moving
them over to sspi, but not if I lose this screening ability.
/Bo
/Bo
(Bo Berglund, developer in Sweden)
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
More information about the cvsnt
mailing list