
Re: non-interactive user authentication

From: Paul Lussier <pll_at_lanminds.com>
Date: 2002-10-08 16:14:33 CEST

In a message dated: 07 Oct 2002 22:24:10 BST
Philip Martin said:

>> Right, so once their script fails with the empty uname/password, they can set
>> it up to use a cached one.
>
>How do they do that if there is never a prompt? The security risk is
>not just putting the stuff in a script, it's also a risk putting it on
>the process's command line where it is visible to other processes.

Well, using ssh again as an example, there is ssh-agent which caches
my usernames and passphrases for a variety of systems and identities.

When I need to ssh or rsync from/to another system, I'm never
prompted for any credentials, ssh simply queries the ssh-agent which
has them securely cached (i.e. there's no command line which might
show up in 'ps' output).

Since CVS has the CVS_RSH command, I've often taken advantage of
setting that to 'ssh', which again, will query ssh-agent.

Yes, the user still has to input a username and passphrase, for which
they are prompted, but not by cvs or rsync, but by ssh-agent when
that gets fired up.

-- 
Seeya,
Paul
--
	It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.
	 If you're not having fun, you're not doing it right!
Received on Tue Oct 8 16:15:18 2002
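
The concern raised in this message, that a password on a process's command line is visible to other processes (for example in `ps` output) while an agent-held credential is not, can be checked for on a build host. The following is an added example, not part of the original mail or of Subversion: it audits `ps -eo pid,user,args`-style output for `--password` values and for passwords embedded in URLs. The process list, hostnames and password strings are constructed sample data.

```python
import re

# Constructed sample shaped like `ps -eo pid,user,args` output (not real data).
SAMPLE_PS = """\
  PID USER     COMMAND
 4121 build    svn update --non-interactive --username build --password hunter2 /srv/wc
 4130 build    svn checkout http://build:s3cret@svn.example.org/repos/trunk
 4207 pll      ssh-agent -s
 4311 pll      rsync -a -e ssh src/ host.example.org:dst/
 4390 deploy   svn commit --password=tr0ub4dor -m nightly
"""

SECRET_OPTS = {"--password"}   # options whose value is a secret
URL_CRED = re.compile(r"^(\w[\w+.-]*://[^/\s:@]+):([^@/\s]+)@")

def scan_args(args):
    """Return (findings, redacted_args) for one argv list."""
    findings, out, i = [], [], 0
    while i < len(args):
        tok = args[i]
        opt, eq, _ = tok.partition("=")
        if opt in SECRET_OPTS and (eq or i + 1 < len(args)):
            findings.append(f"{opt} value on command line")
            out.append(f"{opt}=****" if eq else opt)
            if not eq:             # value is the next token: mask and skip it
                out.append("****")
                i += 1
        elif URL_CRED.match(tok):
            findings.append("password embedded in URL")
            out.append(URL_CRED.sub(r"\1:****@", tok))
        else:
            out.append(tok)
        i += 1
    return findings, out

def audit(ps_text):
    """Return [(pid, user, finding, redacted_command)] for each exposed secret."""
    results = []
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        findings, red = scan_args(parts[2:])
        results += [(int(parts[0]), parts[1], f, " ".join(red)) for f in findings]
    return results

if __name__ == "__main__":
    for pid, user, finding, cmd in audit(SAMPLE_PS):
        print(f"pid={pid} user={user}: {finding}: {cmd}")
```

The `ssh-agent` and `rsync -e ssh` lines produce no findings because the credential never appears in their arguments; the report masks each secret so the audit output does not repeat the exposure.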

This is an archived mail posted to the Subversion Dev mailing list.
