From owner-cvs-all Thu Feb 11 19:19:15 1999
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id TAA07858
    for cvs-all-outgoing; Thu, 11 Feb 1999 19:19:15 -0800 (PST)
    (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from wall.polstra.com (rtrwan160.accessone.com [206.213.115.74])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA07852;
    Thu, 11 Feb 1999 19:19:11 -0800 (PST)
    (envelope-from jdp@polstra.com)
Received: from vashon.polstra.com (vashon.polstra.com [206.213.73.13])
    by wall.polstra.com (8.9.1/8.9.1) with ESMTP id TAA10489;
    Thu, 11 Feb 1999 19:19:10 -0800 (PST)
    (envelope-from jdp@polstra.com)
Received: (from jdp@localhost)
    by vashon.polstra.com (8.9.1/8.9.1) id TAA57231;
    Thu, 11 Feb 1999 19:19:05 -0800 (PST)
    (envelope-from jdp@polstra.com)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Thu, 11 Feb 1999 19:19:05 -0800 (PST)
Organization: Polstra & Co., Inc.
From: John Polstra
To: committers@FreeBSD.ORG
Subject: PLEASE READ: CVSup access to freefall.freebsd.org
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

Now that CVSup 16.0 has been released, I would like to move toward
using its new authentication system to control CVSup access to
freefall.freebsd.org. As you know, mirror sites and committers are
allowed to CVSup directly from freefall, while others are limited to
using mirror sites.

Until now, CVSup access to freefall has been controlled by IP address.
That method is a headache for several reasons. First, it doesn't work
at all for committers with dynamically-assigned IP addresses. The only
way those committers have been able to get into freefall has been by
tunneling their CVSup sessions through ssh. Second, every time a
committer or mirror site changes IP addresses for any reason, they have
to coordinate with me to keep their access to freefall's CVSup services.
Third, any network problems that cause DNS lookups to take a long time
are disruptive. They cause the master CVSup server to block waiting for
replies to DNS lookups. While it's blocked that way, no new connections
can be served.

The new authentication system is based on a shared secret (i.e.,
passphrase) known only to the client and the server. By proving that it
knows the passphrase, the client convinces the server that it is who it
says it is.

Once you're set up with the new system, you'll be able to use freefall's
CVSup server from multiple machines and/or change IP addresses without
any help from me. That will make me happy, and it will make you happy
too.

Here's how to get yourself set up.

1. Upgrade to CVSup-16.0. The ports ("net/cvsup" and "net/cvsup-bin")
   have already been updated for the new version.

2. Choose a client name to identify yourself. This must be an e-mail
   address that delivers mail to you and that you expect to be valid
   for a good long time. "user@freebsd.org" is one possibility, but if
   you prefer to use your own domain that's fine too.

3. Dream up a passphrase to use. You won't have to type it in every
   time, so you don't need to make it too short. It can't contain any
   ":" characters.

4. Run the "cvpasswd" program like this:

       cvpasswd clientName freefall.freebsd.org

   replacing "clientName" with the e-mail address that you chose in
   step 2. (It's case-insensitive.) Follow the instructions that the
   program gives you. You'll end up creating a file "~/.cvsup/auth"
   containing your passphrase, among other things. Give this file mode
   0600 so that nobody else can read it.

   The "cvpasswd" program will also print out a line and tell you to
   send it to your friendly server administrator. That's me, . Please
   don't e-mail it, though. Even though it's scrambled, it could easily
   be used to impersonate you.

   If you have an account on freefall (as all committers do), put the
   line in a file in your home directory, and send me mail with the
   name of the file.
   Please give the file mode 0600. If you don't have an account on
   freefall but do have a PGP key that you can convince me is
   legitimate, then e-mail me the line using PGP. Otherwise, send me
   mail and we'll work something out.

I don't want to go overboard trying to be too secure here. After all,
these are publicly available files. The goal of using the new
authentication mechanism is convenience, not security. On the other
hand, there's no point in being needlessly dumb. :-)

My goal is to get almost everybody switched over to the new mechanism
within the next month or so. Thanks in advance for your cooperation!

John
---
  John Polstra                                         jdp@polstra.com
  John D. Polstra & Co., Inc.                  Seattle, Washington USA
  "Nobody ever went broke underestimating the taste of the American
  public."                                            -- H. L. Mencken
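
Added example (not part of the original message and not CVSup's code): a generic challenge-response over a shared secret, showing both sides of the exchange and why the scrambled line printed by cvpasswd has to be protected like the passphrase itself. The SHA-256/HMAC construction, the function and class names, and the sample client name are assumptions for illustration; the message does not describe CVSup's actual protocol.

```python
import hashlib
import hmac
import secrets


def scramble(client: str, server: str, passphrase: str) -> str:
    """Derive the shared secret the server stores (assumed construction)."""
    if ":" in passphrase:
        raise ValueError('passphrase must not contain ":"')
    # The message says client names are case-insensitive; host names are too.
    material = f"{client.lower()}:{server.lower()}:{passphrase}".encode()
    return hashlib.sha256(material).hexdigest()


def response(shared_secret: str, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without transmitting it."""
    return hmac.new(shared_secret.encode(), challenge, hashlib.sha256).hexdigest()


class Server:
    def __init__(self) -> None:
        self.enrolled = {}   # client name -> scrambled secret
        self.pending = {}    # client name -> outstanding challenge

    def enroll(self, client: str, shared_secret: str) -> None:
        self.enrolled[client.lower()] = shared_secret

    def challenge(self, client: str) -> bytes:
        nonce = secrets.token_bytes(16)        # fresh per attempt
        self.pending[client.lower()] = nonce
        return nonce

    def verify(self, client: str, resp: str) -> bool:
        name = client.lower()
        nonce = self.pending.pop(name, None)   # single use: replays fail
        stored = self.enrolled.get(name)
        if nonce is None or stored is None:
            return False
        # Only the scrambled value is used here, never the passphrase, so the
        # scrambled line alone is enough to authenticate. That is why it is
        # handed over in a mode-0600 file or under PGP, not in plain e-mail.
        return hmac.compare_digest(response(stored, nonce), resp)


if __name__ == "__main__":
    # Constructed sample values.
    secret = scramble("user@example.org", "freefall.freebsd.org", "a long phrase")
    srv = Server()
    srv.enroll("user@example.org", secret)
    nonce = srv.challenge("user@example.org")
    print("accepted:", srv.verify("user@example.org", response(secret, nonce)))
```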