
Re: Credentials Caching - Security Guy Not Happy

From: Max Bowsher <maxb_at_ukf.net>
Date: 2004-08-26 12:56:48 CEST

Peter Valdemar Mørch wrote:
> Max Bowsher maxb-at-ukf.net |Lists| wrote:
>> I haven't done it myself, but I'd be surprised if there wasn't a way
>> to get PAM (and therefore ssh, and therefore svn+ssh) authenticating
>> against the AD.
>
> Patrick Smears patrick.smears-at-ensoft.co.uk |Lists| wrote:
>> I was just about to suggest this... I don't have much experience with
>> AD, but it's certainly fairly easy to have SSH authenticate against
>> an NT domain... look up the "pam_smb.auth.so" PAM module.
>
> ssh without ssh-add, yes. But that would require password prompting on
> every operation just like for http://
>
> But not ssh-agent. ssh-agent asks for the password embedded in
> the (local) private key file, not the one stored in /etc/password or in
> PAM or wherever on the remote machine. If the key file has a password,
> no amount of Active Directory will open it without the password, and if
> the key file doesn't have a password, it would be possible to use it
> without any Active Directory checking.
>
> Or so I think, anyway! :-D

You are right, I wasn't thinking clearly.

Max.

Received on Thu Aug 26 12:58:21 2004

This is an archived mail posted to the Subversion Users mailing list.