Date:      Thu, 11 Feb 1999 19:19:05 -0800 (PST)
From:      John Polstra <jdp@polstra.com>
To:        committers@FreeBSD.ORG
Subject:   PLEASE READ: CVSup access to freefall.freebsd.org
Message-ID:  <XFMail.990211191905.jdp@polstra.com>

Now that CVSup 16.0 has been released, I would like to move toward
using its new authentication system to control CVSup access to
freefall.freebsd.org.  As you know, mirror sites and committers are
allowed to CVSup directly from freefall, while others are limited to
using mirror sites.

Until now, CVSup access to freefall has been controlled by IP address.
That method is a headache for several reasons.  First, it doesn't work
at all for committers with dynamically-assigned IP addresses.  The
only way those committers have been able to get into freefall has been
by tunneling their CVSup sessions through ssh.  Second, every time a
committer or mirror site changes IP addresses for any reason, they
have to coordinate with me to keep their access to freefall's CVSup
services.  Third, any network problems that cause DNS lookups to take
a long time are disruptive.  They cause the master CVSup server to
block waiting for replies to DNS lookups.  While it's blocked that
way, no new connections can be served.

The new authentication system is based on a shared secret (i.e.,
passphrase) known only to the client and the server.  By proving that
it knows the passphrase, the client convinces the server that it is
who it says it is.  Once you're set up with the new system, you'll
be able to use freefall's CVSup server from multiple machines and/or
change IP addresses without any help from me.  That will make me
happy, and it will make you happy too.

Here's how to get yourself set up.

1. Upgrade to CVSup-16.0.  The ports ("net/cvsup" and "net/cvsup-bin")
have already been updated for the new version.

2. Choose a client name to identify yourself.  This must be an e-mail
address that delivers mail to you and that you expect to be valid for
a good long time. "user@freebsd.org" is one possibility, but if you
prefer to use your own domain that's fine too.

3. Dream up a passphrase to use.  You won't have to type it in every
time, so you don't need to make it too short.  It can't contain any
":" characters.

4. Run the "cvpasswd" program like this:

    cvpasswd clientName freefall.freebsd.org

replacing "clientName" with the e-mail address that you chose in
step 2.  (It's case-insensitive.)  Follow the instructions that the
program gives you.

You'll end up creating a file "~/.cvsup/auth" containing your
passphrase, among other things.  Give this file mode 0600 so that
nobody else can read it.

The "cvpasswd" program will also print out a line and tell you
to send it to your friendly server administrator.  That's me,
<jdp@freebsd.org>.  Please don't e-mail it, though.  Even though it's
scrambled, it could easily be used to impersonate you.  If you have
an account on freefall (as all committers do), put the line in a file
in your home directory, and send me mail with the name of the file.
Please give the file mode 0600.

If you don't have an account on freefall but do have a PGP key that
you can convince me is legitimate, then e-mail me the line using PGP.
Otherwise, send me mail and we'll work something out.

I don't want to go overboard trying to be too secure here.  After all,
these are publicly available files.  The goal of using the new
authentication mechanism is convenience, not security.  On the other
hand, there's no point in being needlessly dumb. :-)

My goal is to get almost everybody switched over to the new mechanism
within the next month or so.  Thanks in advance for your cooperation!

John
---
  John Polstra                                               jdp@polstra.com
  John D. Polstra & Co., Inc.                        Seattle, Washington USA
  "Nobody ever went broke underestimating the taste of the American public."
                                                            -- H. L. Mencken
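
The file-handling steps in the message above (a passphrase without ":", and mode 0600 on both "~/.cvsup/auth" and the file holding the cvpasswd output line), as an added example that is not part of the original message or of CVSup. The function names are hypothetical, and the sample path in the usage comment is the one the message names.

```shell
#!/bin/sh
# Added example: helpers for the mode-0600 secret files the message asks for.
# Function names are hypothetical; nothing here is CVSup's own code.

# Step 3: reject a passphrase that is empty or contains ":".
valid_passphrase() {
    case "$1" in
        ''|*:*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Write stdin to "$1" so it is never readable by others, even briefly.
# The restrictive umask applies when the file is created; running chmod
# afterwards would leave a window in which the default mode is in effect.
write_private_file() {
    (
        umask 077
        rm -f -- "$1" &&   # drop any pre-existing file or symlink first
        cat > "$1"
    )
}

# Succeed only if "$1" is a regular file (a symlink fails), owned by the
# current user, with mode exactly 0600. Uses POSIX find instead of stat,
# whose options differ between FreeBSD and GNU systems.
check_private_file() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" -perm 600 2>/dev/null)" ]
}

# Usage (path taken from the message):
#   check_private_file "$HOME/.cvsup/auth" || echo "fix permissions" >&2
```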
