Date:      Fri, 28 Jul 2000 10:55:39 +0100
From:      David Malone <dwmalone@maths.tcd.ie>
To:        stable@freebsd.org
Cc:        dwmalone@maths.tcd.ie
Subject:   Re: rdist and pam 
Message-ID:   <200007281055.aa78980@salmon.maths.tcd.ie>
In-Reply-To: Your message of "Thu, 27 Jul 2000 21:53:19 PDT." <200007280453.VAA25263@vashon.polstra.com> 

> So you want to do ssh-style authentication, but not actually tunnel
> the connection through ssh -- is that what you mean?  You can force
> ssh authentication if you tunnel the connection through it, because
> you can make the cvsupd server bind only to localhost.

Basically what we want is something like RsaRhosts - if you trust
root@remote.machine you can be sure about the username of the person
at the far end. Ordinary users have shell access to both the server
machine and the clients, and we don't want users to be able to
cvsup the unreadable files so we need to know it's root@remote.machine
we're talking to.

> I should mention that ssh does support a challenge-response
                        ^^^
I presume you mean cvsup here.

> authentication which I believe to be strong.  It's not public key,
> though.  It relies on a shared secret.

It should be suitable for this, but it means another set of secrets
to have to manage. All the machines have ssh keypairs and if someone
can spoof IP addresses and steal our ssh keypairs we're already
shafted.

> Well, I should tone down that warning, because there is no risk as
> far as I know.

I didn't think the warning was likely to be a serious issue, but
while the warning is there people are likely to be reluctant to
use it in case they get a "Well - the man page says you shouldn't
do that", if things go wrong.

> > 	3) I wasn't sure if you can adjust what gets pushed out to
> > 		clients from a central config file. We have per
> > 		machine exceptions.

> Actually I am testing just that sort of feature now, in preparation
> for the next release. :-)

Cool - sounds useful. How far through this are you? If you're
interested I can send you some examples of how we use per-machine
exceptions here, which might give you some ideas.

> > 	4) It doesn't read distfiles ;-)

> Pbltpbltpblt!  Rdist doesn't read supfiles. :-)

Someday, when I have lots of time, I'll write a converter which
does rdist<->rsync<->cvsup.

> Yep, it's some strange interaction between some window managers and
> the M3 graphics library.  It's mentioned in the BUGS section of
> cvsup(1).

I'll try to find a similar workaround for tvtwm - should I let you
know if I find one?

	David.
