[cvsnt] cvs login should only work with PSERVER (was: Trouble remotely checking out files from the CVS server)
tony.hoyle at march-hare.com
Tue Mar 25 00:23:55 GMT 2008
Arthur Barrett wrote:
> Even if there is a global option (--use-cvspass ?) to allow it?
We have a global option... it's called the login command! If you don't
issue it, it doesn't store passwords (there is also the corner case of
passwords in scripts, which some do rely on).
The problem is you break every single UI out there if you change
something so fundamental.
> The two most 'controversial' ideas I've had of late are disabling
> :local: and disabling .cvspass, and they both fall into the same
> category - they are fine for people who know what they are doing - but
> people who do not come to poor conclusions - eg: that acls don't work
> (since :local: is always admin) or that passwords are insecure. How far
> do we go to protect people from themselves?
:local: is not always admin, but they are always the same as the logged
in user (ie. you can't change username). What it does do is bypass
repository registration by using absolute paths instead of aliases -
fixed in evs (so local behaves exactly like all other protocols now).
Passwords are more insecure than no stored passwords, but not totally
so. :pserver: sends them in plaintext so that increases the insecurity.
I've personally never had issues with people storing ssh passwords
locally for example.
On Unix we could check/set the permissions of the cvspass file better
(should be rw to owner only and enforced as such) but it's no less
secure than ssh+certificates given that caveat.
The threat model is based on the idea that the client is secure but bad
guys can sniff the link. If you define a threat model where the client
is compromised we have to design a whole new system of login. cvsagent
goes some way to handle it but doesn't really address that scenario
directly (but even that needs timeouts to be truly useful - it should
ditch the stored password after 5 minutes or so to avoid the 'hacked
during lunch break' scenario).
> The question is - how much do we inconvenience the experienced people
> for the sake of the new users/people who jump to (incorrect)
We need to push people more towards sspi and ssh, and make pserver a
last resort option somehow - but I haven't thought of a way that'll do
that without creating huge amounts of support requests.
It's also possible there's a case to disable support for non-system
users. This would eliminate the CVSROOT/passwd file which is a source
of some confusion. And make ACLMODE=Normal the default sometime (which
IMO is why people get the idea that ACLs don't work, because by default
they work in an opposite fashion to system ACLs).
Whether this belongs in a stable tree though is debatable.
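The owner-only permission check on the cvspass file suggested above, written out as an added example (Python, not cvsnt's own code). It refuses a symlink or a file owned by someone else rather than following or chmod'ing it, and only tightens the mode when the mode is the sole problem; the function and helper names are assumptions, and the test file it creates is constructed input.

```python
import os, stat, tempfile

# Any group/other bit on a stored-password file is too loose. Example code, not cvsnt's own.
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO
LOOSE_MSG = "mode %o is readable or writable by group/others"

def check_cvspass(path):
    """Problems with the password file; [] means safe. Uses lstat() so a planted symlink
    is reported rather than followed; a missing file is fine (nothing stored to protect)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return []
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]        # never follow it: the target could be anything
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_uid != os.getuid():
        problems.append("is not owned by the current user")
    if st.st_mode & LOOSE_BITS:
        problems.append(LOOSE_MSG % stat.S_IMODE(st.st_mode))
    return problems

def enforce_cvspass(path):
    """Tighten a too-open mode to 0600; refuse (False) on anything else."""
    problems = check_cvspass(path)
    if any(not p.startswith("mode ") for p in problems):
        return False                   # symlink, foreign owner, odd type: leave it alone
    if problems:
        os.chmod(path, 0o600)          # only the mode was wrong, so fix it in place
    return True

def run_on_constructed_file(mode, via_symlink=False):
    """Constructed input: a temporary 'cvspass' file with the given mode, optionally
    reached through a symlink. Returns (problems, accepted?, final mode of the real file)."""
    fd, real = tempfile.mkstemp(prefix="cvspass-")
    os.close(fd)
    os.chmod(real, mode)
    path = real + ".link" if via_symlink else real
    if via_symlink:
        os.symlink(real, path)
    try:
        problems = check_cvspass(path)
        accepted = enforce_cvspass(path)
        final = stat.S_IMODE(os.lstat(real).st_mode)
    finally:
        for p in {path, real}:         # remove the link (if any) and the file
            os.unlink(p)
    return problems, accepted, final
```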