From: Andreas Ericsson <ae@op5.se>
To: "Shawn O. Pearce" <spearce@spearce.org>
Cc: "Stephen R. van den Berg" <srb@cuci.nl>, git <git@vger.kernel.org>
Subject: Re: [RFC] Adding a challenge-response authentication method to git://
Date: Thu, 14 Aug 2008 11:15:22 +0200
Message-ID: <48A3F7AA.8070001@op5.se>
In-Reply-To: <20080814005723.GM3782@spearce.org>

Shawn O. Pearce wrote:
> "Stephen R. van den Berg" <srb@cuci.nl> wrote:
>> I'm not trying to solve all management problems, I'm just trying to
>> offer a simple solution for the small-user-base-central-repository case
>> without a lot of code-bloat on the git side.
>> If it doesn't fit ones needs, use ssh or something else; but it does
>> have its merits for the simple centralised setups.
> 
> OK, then my final two cents, and I'll shut up.
> 
> - Add to git-daemon a new service command, "git-authenticate-user".
> - Clients request "git-authenticate-user 'repository'".
> - The auth_user routine:
> 	enters 'repository' (à la upload-pack)
> 	execs "git-authenticate-user ."
> 
> - git-authenticate-user:
> 	send pkt-line challenge
> 	recv pkt-line username
> 	recv pkt-line SHA-1(username + password + challenge)
> 	
> 	read gitconfig for "auth.passwordfile"
> 	read passwordfile for entry $username
> 		("user:pass:upload-pack,receive-pack")
> 	verify response
> 
> 	send pkt-line ok/fail
> 	recv pkt-line "git-$service '.'"
> 	check $service is allowed
> 	exec git-$service .
> 

I'd do it like this instead:

daemon: auth_user = dlsym(dlopen("auth-module.so", RTLD_NOW), "authenticat");
client: "git-authenticate action 'repository'"
daemon: send pkt-line challenge
client: send pkt-line username
client: send pkt-line SHA1(username + password + challenge)
daemon: if (auth_user(repository, action, username, password, struct sockaddr_in *inbound))
               allow_connection();

This approach has several nifty benefits:
* The otherwise duplicated code (for different auth schemes) is
  done only once (in the git daemon).
* If the git daemon has no authentication module loaded, we might
  as well not bother sending any challenge and just pretend we do
  not know about the authentication scheme.
* Any kind of authentication scheme can be supported without changing
  the core code. If the authentication module does something wrong,
  one can continue to serve read-only requests by simply unloading
  the module.
* Modules are a great way for newcomers to get started contributing to
  git, so it's a nice way of getting more contributors/sub-maintainers.

-- 
Andreas Ericsson                   andreas.ericsson@op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
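The exchange Shawn sketches above (pkt-line challenge, SHA-1 over username + password + challenge, password-file lookup, per-service permission check), worked through as an added Python example that is not code from this thread or from git itself. The pkt-line framing is git's real 4-hex-digit-length format; the password file contents, user names and the parsing of the "git-$service '.'" request are constructed assumptions.

```python
import hashlib
import hmac
import secrets
# Constructed password file in the "user:pass:services" layout the sketch describes.
PASSWORD_FILE = "alice:s3cret:upload-pack,receive-pack\nbob:hunter2:upload-pack\n"

def pkt_line(payload: bytes) -> bytes:
    """Frame payload as a git pkt-line: 4 hex digits of total length, then the bytes."""
    return f"{len(payload) + 4:04x}".encode() + payload

def read_pkt_line(buf: bytes, pos: int = 0):
    """Return (payload, next_pos) for the pkt-line starting at pos."""
    n = int(buf[pos:pos + 4], 16)
    if n < 4:
        raise ValueError("flush-pkt or malformed pkt-line")
    return buf[pos + 4:pos + n], pos + n

def response(username: bytes, password: bytes, challenge: bytes) -> bytes:
    """Client side: hex SHA-1 over username + password + challenge, as in the sketch."""
    return hashlib.sha1(username + password + challenge).hexdigest().encode()

def lookup_user(username: bytes):
    """Find the password-file entry; returns (password, allowed services) or None."""
    for line in PASSWORD_FILE.splitlines():
        user, pw, services = line.split(":", 2)
        if user == username.decode():
            return pw.encode(), set(services.split(","))
    return None

def daemon_verify(challenge: bytes, username: bytes, resp: bytes, service: str) -> bool:
    """Daemon side: recompute from the stored password, compare in constant time, check service."""
    entry = lookup_user(username)
    if entry is None:
        return False
    pw, allowed = entry
    ok = hmac.compare_digest(response(username, pw, challenge), resp)
    return ok and service in allowed

def run_exchange(username: bytes, password: bytes, service: str) -> bool:
    """Simulate both sides over pkt-line byte streams; True if the service is granted."""
    challenge = secrets.token_hex(16).encode()  # fresh per connection, never reused
    chal, _ = read_pkt_line(pkt_line(challenge))
    to_daemon = (pkt_line(username)
                 + pkt_line(response(username, password, chal))
                 + pkt_line(b"git-" + service.encode() + b" '.'"))
    user, pos = read_pkt_line(to_daemon)
    resp, pos = read_pkt_line(to_daemon, pos)
    cmd, _ = read_pkt_line(to_daemon, pos)
    svc = cmd[len(b"git-"):].split(b" ", 1)[0].decode()
    return daemon_verify(chal, user, resp, svc)
```

Because the daemon recomputes SHA-1(username + password + challenge), it must hold each user's cleartext password, which is a property of the sketched scheme itself rather than of this example.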
