From owner-freebsd-stable Fri Jul 28 2:55:49 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (Postfix) with SMTP id 0413C37C296 for ; Fri, 28 Jul 2000 02:55:42 -0700 (PDT) (envelope-from dwmalone@maths.tcd.ie)
Received: from bell.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 28 Jul 2000 10:55:39 +0100 (BST)
To: stable@freebsd.org
Cc: dwmalone@maths.tcd.ie
Subject: Re: rdist and pam
In-reply-to: Your message of "Thu, 27 Jul 2000 21:53:19 PDT." <200007280453.VAA25263@vashon.polstra.com>
X-Request-Do:
Date: Fri, 28 Jul 2000 10:55:39 +0100
From: David Malone
Message-ID: <200007281055.aa78980@salmon.maths.tcd.ie>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> So you want to do ssh-style authentication, but not actually tunnel
> the connection through ssh -- is that what you mean? You can force
> ssh authentication if you tunnel the connection through it, because
> you can make the cvsupd server bind only to localhost.

Basically what we want is something like RsaRhosts - if you trust
root@remote.machine you can be sure about the username of the person
at the far end. Ordinary users have shell access to both the server
machine and the clients, and we don't want users to be able to cvsup
the unreadable files, so we need to know it's root@remote.machine
we're talking to.

> I should mention that ssh does support a challenge-response
                        ^^^
I presume you mean cvsup here.

> authentication which I believe to be strong. It's not public key,
> though. It relies on a shared secret.

It should be suitable for this, but it means another set of secrets
to have to manage. All the machines have ssh keypairs, and if someone
can spoof IP addresses and steal our ssh keypairs we're already shafted.

> Well, I should tone down that warning, because there is no risk as
> far as I know.

I didn't think the warning was likely to be a serious issue, but while
the warning is there people are likely to be reluctant to use it in case
they get a "Well - the man page says you shouldn't do that" if things
go wrong.

> > 3) I wasn't sure if you can adjust what gets pushed out to
> > clients from a central config file. We have per
> > machine exceptions.

> Actually I am testing just that sort of feature now, in preparation
> for the next release. :-)

Cool - sounds useful. How far through this are you? If you're
interested I can send you some examples of how we use per-machine
exceptions here, which might give you some ideas.

> > 4) It doesn't read distfiles ;-)

> Pbltpbltpblt! Rdist doesn't read supfiles. :-)

Someday, when I have lots of time, I'll write a converter which does
rdist<->rsync<->cvsup.

> Yep, it's some strange interaction between some window managers and
> the M3 graphics library. It's mentioned in the BUGS section of
> cvsup(1).

I'll try to find a similar workaround for tvtwm - should I let you
know if I find one?

	David.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
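Added example, not from this thread nor from cvsup's own code: a small sh script for the setup discussed above, a cvsupd bound only to loopback and reached over an ssh port-forward, so that ssh's key-based authentication is the only way to the daemon. It assumes cvsupd listens on port 5999, that cvsup(1) accepts -h/-p to pick host and port, and that sockstat(1) prints the columns shown in the constructed sample.

```shell
#!/bin/sh
# Added example (assumptions: port 5999, cvsup -h/-p, sockstat column layout).

# Constructed samples of "sockstat -4 -l" output on the server, for offline use.
SOCKSTAT_LOCAL='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cvsupd     1234  3  tcp4   127.0.0.1:5999        *:*
root     sshd       456   4  tcp4   *:22                  *:*'
SOCKSTAT_WILDCARD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cvsupd     1234  3  tcp4   *:5999                *:*
root     sshd       456   4  tcp4   *:22                  *:*'

# cvsupd_localhost_only SOCKSTAT_TEXT
# Succeeds only if a cvsupd listener exists and every one of them is bound to
# 127.0.0.1.  A wildcard bind (*:5999) would let any host on the network talk
# to cvsupd directly, bypassing ssh.  Column 6 is LOCAL ADDRESS (assumed).
cvsupd_localhost_only() {
    printf '%s\n' "$1" | awk '
        $2 == "cvsupd" { seen = 1; if ($6 !~ /^127\.0\.0\.1:/) bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# tunnel_cmd SERVER [LOCALPORT]
# Prints the client-side command line: forward LOCALPORT on the client to
# cvsupd on the server's loopback, then point cvsup at the local end of the
# tunnel.  Authentication of the client is whatever ssh requires (host or
# user keys), which is the property the thread is after.
tunnel_cmd() {
    server=$1
    lport=${2:-5999}
    printf 'ssh -f -N -L %s:127.0.0.1:5999 %s && cvsup -h 127.0.0.1 -p %s supfile\n' \
        "$lport" "$server" "$lport"
}

# Stand-alone run: check the constructed samples and show the client command.
if cvsupd_localhost_only "$SOCKSTAT_LOCAL"; then echo "sample 1: loopback only"; fi
if ! cvsupd_localhost_only "$SOCKSTAT_WILDCARD"; then echo "sample 2: exposed bind"; fi
tunnel_cmd cvsup.example.org
```

On a live server replace the constructed text with `"$(sockstat -4 -l)"` to check the real listener.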