[cvsnt] Re: Windows vs Linux: Authentication

nick.minutello at uk.bnpparibas.com nick.minutello at uk.bnpparibas.com
Wed Nov 24 11:16:02 GMT 2004 


Thanks for the reply.


>> If you set it to allow this (SystemAuth=Yes) than that is what
happens... :)

Hmm, that line in the CVSROOT/config file is commented out in all
repositories

# SystemAuth=Yes    (cvsnt 2.x -created repo)
# SystemAuth=No    (cvsnt 1.1x -created repo)


>> If SystemAuth=Yes the passwd file is not used except to provide pserver
>> passwords.  If a user/password isn't in the passwd file their domain
>> password is used.
Ok. Its starting to make sense. (except for the fact that SystemAuth=* is
commented out)

>> However it's *strongly* recommended
>> that you don't use domain passwords with pserver as it's trivial to
>> sniff them over the wire.
(NTLM isnt that hard to sniff either ;-) - but point taken)

>> CVSNT for Linux supports SSPI via winbind (but not SSPI encryption) and
>> authentication via PAM provided the linux machine is a member of the
>> domain and configured correctly... if you've not done it before and are
>> unfamiliar with Linux get an expert in (or CVSNT support contract!).

I think we are going to go the simple approach and use the passwd file..
Create cvs admin accounts per repo so they can edit it...

-Nick







Internet
tmh at nodomain.org@cvsnt.org - 24/11/2004 01:17


Sent by:    cvsnt-bounces at cvsnt.org



To:    cvsnt

cc:


Subject:    [cvsnt] Re: Windows vs Linux: Authentication


nick.minutello at uk.bnpparibas.com wrote:
> Now, more recently, I have discovered that (using tortoisecvs), I can
> authenticate (still using pserver) using my nt password (for domain NT
> account)

If you set it to allow this (SystemAuth=Yes) than that is what happens...
:)

> 1) does the nt authentication only work if using cvsnt client (ie
> tortoise)? (I am pretty sure our intellij users are also using their
domain
> passwords..)

Not for pserver..anyone can use it.  However it's *strongly* recommended
that you don't use domain passwords with pserver as it's trivial to
sniff them over the wire.

Use sserver, sspi or gserver if you're using domain authenication - sspi
is recommended for simplicity, gserver (provided everyone is in the
active directory) for security.

> 2) is the passwd file required at all if using nt authentication with
> pserver?

If SystemAuth=Yes the passwd file is not used except to provide pserver
passwords.  If a user/password isn't in the passwd file their domain
password is used.

> Now, we are planning to move our server to a new linux (redhad AS)
server.
> Is the passwd file the recommended approach on linux (we prefer admin
> simplicity over tight security)?
> Will NT auth work on linux?

CVSNT for Linux supports SSPI via winbind (but not SSPI encryption) and
authentication via PAM provided the linux machine is a member of the
domain and configured correctly... if you've not done it before and are
unfamiliar with Linux get an expert in (or CVSNT support contract!).

sserver and gserver are supported in the same way (gserver can be
configured to use the Active Directory to autenticate, but that's a bit
difficult to set up).

Tony
_______________________________________________
cvsnt mailing list
cvsnt at cvsnt.org
 http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt



This message and any attachments (the "message") is 
intended solely for the addressees and is confidential. 
If you receive this message in error, please delete it and 
immediately notify the sender. Any use not in accord with
its purpose, any dissemination or disclosure, either whole 
or partial, is prohibited except formal approval. The internet 
can not guarantee the integrity of this message. 
BNP PARIBAS (and its subsidiaries) shall (will) not 
therefore be liable for the message if modified. 

**********************************************************************************************

BNP Paribas Private Bank London Branch is authorised 
by CECEI & AMF and is regulated by the Financial Services
Authority for the conduct of its investment business in the
United Kingdom.

BNP Paribas Securities Services London Branch is authorised
by CECEI & AMF and is regulated by the Financial Services
Authority for the conduct of its investment business in the 
United Kingdom.
  
BNP Paribas Fund Services UK Limited is authorised and 
regulated by the Financial Services Authority.

More information about the cvsnt mailing list