* Re: Switching to Git
From: Sam Vilain @ 2008-03-06 22:08 UTC (permalink / raw)
To: Ævar Arnfjörð Bjarmason
Cc: John Peacock, Rafael Garcia-Suarez, Perl 5 Porters,
Martin.Langhoff, Junio C Hamano, git
Ævar Arnfjörð Bjarmason wrote:
> Yes see [1] it works but the list members wanted some tool to manage
> passwords too which I didn't pursue since it worked for me in its
> present form.
>
> 1. http://lists-archives.org/git/640574-authentication-support-for-pserver.html
Cool, well done. Having re-read that thread, I think Martin Langhoff's
response
http://lists-archives.org/git/641074-authentication-support-for-pserver.html
is the most pertinent. I didn't see any requests for an actual tool to
be written, just that the password file be separate to the git config
file, and/or use crypt() to store its contents. Perhaps point them at
"htpasswd" if they want a tool :)

This patch is untested and sits on top of the previous patch by Ævar.
Pullable from git://git.catalyst.net.nz/git.git#cvsserver-auth
Subject: [PATCH] git-cvsserver: use a password file cvsserver pserver
If a git repository is shared via HTTP, the config file is typically
visible. Use an external file instead.
---
Documentation/git-cvsserver.txt | 21 ++++++++++++++++-----
git-cvsserver.perl | 27 ++++++++++++++-------------
2 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index 98183d4..c642f12 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -97,16 +97,27 @@ looks like
------
Only anonymous access is provided by pserve by default. To commit you
-will have to create pserver accounts, simply add a [gitcvs.users]
-section to the repositories you want to access, for example:
+will have to create pserver accounts, simply add a gitcvs.authdb
+setting in the config file of the repositories you want the cvsserver
+to allow writes to, for example:
------
- [gitcvs.users]
- someuser = somepassword
- otheruser = otherpassword
+ [gitcvs]
+ authdb = /etc/cvsserver/passwd
------
+The format of these files is username followed by the crypted password,
+for example:
+
+------
+ myuser:$1Oyx5r9mdGZ2
+ myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
+------
+You can use the 'htpasswd' facility that comes with Apache to make these
+files, but Apache's MD5 crypt method differs from the one used by most C
+library's crypt() function, so don't use the -m option.
+
Then provide your password via the pserver method, for example:
------
cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
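Review bot: The paragraph introducing gitcvs.authdb never says that the file must sit outside anything the web server exports, which is the stated reason for the change ("If a git repository is shared via HTTP, the config file is typically visible"). Suggest adding a sentence after the `authdb = /etc/cvsserver/passwd` example saying the path should be outside the repository directory and readable only by the account that runs git-cvsserver, so that an authdb placed next to the config file does not end up just as visible as the old [gitcvs.users] section.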
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index 9bc2ff5..e54cbcd 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -156,24 +156,25 @@ if ($state->{method} eq 'pserver') {
unless ($user eq 'anonymous') {
# Trying to authenticate a user
- if (not exists $cfg->{gitcvs}->{users}) {
- print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n";
+ if (not exists $cfg->{gitcvs}->{authdb}) {
+ print "E the repo config file needs a [gitcvs.authdb] section with a filename\n";
print "I HATE YOU\n";
exit 1;
- } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) {
- #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n";
+ }
+ my $auth_ok;
+ open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!;
+ while(<PASSWD>) {
+ if (m{^\Q$user\E:(.*)}) {
+ if (crypt($user, $1) eq $1) {
+ $auth_ok = 1;
+ }
+ };
+ }
+ unless ($auth_ok) {
print "I HATE YOU\n";
exit 1;
- } else {
- my $descrambled_password = descramble($password);
- my $cleartext_password = $cfg->{gitcvs}->{users}->{$user};
- if ($descrambled_password ne $cleartext_password) {
- #print "E The password supplied for user $user was incorrect\n";
- print "I HATE YOU\n";
- exit 1;
- }
- # else fall through to LOVE
}
+ # else fall through to LOVE
}
# For checking whether the user is anonymous on commit
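Review bot: In the added loop, `crypt($user, $1) eq $1` hashes the user name, not the password the client sent, so the supplied password is never checked against the stored hash; the removed branch compared `descramble($password)`. The call should be `crypt(descramble($password), $1) eq $1`. The new error text also says "[gitcvs.authdb] section" while the documentation hunk describes authdb as a key under [gitcvs]; the message should use the same wording.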
--
1.5.3.5
* Re: Switching to Git
From: Ævar Arnfjörð Bjarmason @ 2008-03-07 0:45 UTC (permalink / raw)
To: Sam Vilain
Cc: John Peacock, Rafael Garcia-Suarez, Perl 5 Porters,
Martin.Langhoff, Junio C Hamano, git
On 3/6/08, Sam Vilain <sam@vilain.net> wrote:
> Ævar Arnfjörð Bjarmason wrote:
> > Yes see [1] it works but the list members wanted some tool to manage
> > passwords too which I didn't pursue since it worked for me in its
> > present form.
> >
> > 1.
> http://lists-archives.org/git/640574-authentication-support-for-pserver.html
>
> Cool, well done. Having re-read that thread, I think Martin Langhoff's
> response
> http://lists-archives.org/git/641074-authentication-support-for-pserver.html
> is the most pertinent. I didn't see any requests for an actual tool to
> be written, just that the password file be separate to the git config
> file, and/or use crypt() to store its contents. Perhaps point them at
> "htpasswd" if they want a tool :)
I was referring to http://www.spinics.net/lists/git/msg53054.html

But yes, your crypt() method should do. I made some cleanups to your
patch so it works now, you can pull the changes from
git://git.nix.is/avar/git if you'd like.

I'm submitting this to the git list again.

</wildly off-topic>
* Re: Switching to Git
From: Ævar Arnfjörð Bjarmason @ 2008-03-07 12:39 UTC (permalink / raw)
To: Sam Vilain
Cc: Ævar Arnfjörð Bjarmason, John Peacock,
Rafael Garcia-Suarez, Perl 5 Porters, Martin.Langhoff,
Junio C Hamano, git
Sam Vilain <sam@vilain.net> writes:
> Ævar Arnfjörð Bjarmason wrote:
>> Yes see [1] it works but the list members wanted some tool to manage
>> passwords too which I didn't pursue since it worked for me in its
>> present form.
>>
>> 1. http://lists-archives.org/git/640574-authentication-support-for-pserver.html
>
> Cool, well done. Having re-read that thread, I think Martin Langhoff's
> response
> http://lists-archives.org/git/641074-authentication-support-for-pserver.html
> is the most pertinent. I didn't see any requests for an actual tool to
> be written, just that the password file be separate to the git config
> file, and/or use crypt() to store its contents. Perhaps point them at
> "htpasswd" if they want a tool :)
>
> This patch is untested and sits on top of the previous patch by Ævar.
> Pullable from git://git.catalyst.net.nz/git.git#cvsserver-auth
>
> Subject: [PATCH] git-cvsserver: use a password file cvsserver pserver
>
> If a git repository is shared via HTTP, the config file is typically
> visible. Use an external file instead.
> ---
> Documentation/git-cvsserver.txt | 21 ++++++++++++++++-----
> git-cvsserver.perl | 27 ++++++++++++++-------------
> 2 files changed, 30 insertions(+), 18 deletions(-)
>
> diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
> index 98183d4..c642f12 100644
> --- a/Documentation/git-cvsserver.txt
> +++ b/Documentation/git-cvsserver.txt
> @@ -97,16 +97,27 @@ looks like
> ------
>
> Only anonymous access is provided by pserve by default. To commit you
> -will have to create pserver accounts, simply add a [gitcvs.users]
> -section to the repositories you want to access, for example:
> +will have to create pserver accounts, simply add a gitcvs.authdb
> +setting in the config file of the repositories you want the cvsserver
> +to allow writes to, for example:
>
> ------
>
> - [gitcvs.users]
> - someuser = somepassword
> - otheruser = otherpassword
> + [gitcvs]
> + authdb = /etc/cvsserver/passwd
>
> ------
> +The format of these files is username followed by the crypted password,
> +for example:
> +
> +------
> + myuser:$1Oyx5r9mdGZ2
> + myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
> +------
> +You can use the 'htpasswd' facility that comes with Apache to make these
> +files, but Apache's MD5 crypt method differs from the one used by most C
> +library's crypt() function, so don't use the -m option.
> +
> Then provide your password via the pserver method, for example:
> ------
> cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
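Review bot: The format description ("username followed by the crypted password") leaves out the colon separator that the parser's `^\Q$user\E:(.*)` pattern requires, and the sample block lists `myuser` twice without saying whether the two lines are alternative hash styles or two entries meant to coexist in one file. Suggest wording it as "username, a colon, then the crypt()ed password, one entry per line" and labelling which crypt() variant each sample line shows.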
> diff --git a/git-cvsserver.perl b/git-cvsserver.perl
> index 9bc2ff5..e54cbcd 100755
> --- a/git-cvsserver.perl
> +++ b/git-cvsserver.perl
> @@ -156,24 +156,25 @@ if ($state->{method} eq 'pserver') {
>
> unless ($user eq 'anonymous') {
> # Trying to authenticate a user
> - if (not exists $cfg->{gitcvs}->{users}) {
> - print "E the repo config file needs a [gitcvs.users] section with user/password key-value pairs\n";
> + if (not exists $cfg->{gitcvs}->{authdb}) {
> + print "E the repo config file needs a [gitcvs.authdb] section with a filename\n";
> print "I HATE YOU\n";
> exit 1;
> - } elsif (exists $cfg->{gitcvs}->{users} and not exists $cfg->{gitcvs}->{users}->{$user}) {
> - #print "E the repo config file has a [gitcvs.users] section but the user $user is not defined in it\n";
> + }
> + my $auth_ok;
> + open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!;
> + while(<PASSWD>) {
> + if (m{^\Q$user\E:(.*)}) {
> + if (crypt($user, $1) eq $1) {
> + $auth_ok = 1;
> + }
> + };
> + }
> + unless ($auth_ok) {
> print "I HATE YOU\n";
> exit 1;
> - } else {
> - my $descrambled_password = descramble($password);
> - my $cleartext_password = $cfg->{gitcvs}->{users}->{$user};
> - if ($descrambled_password ne $cleartext_password) {
> - #print "E The password supplied for user $user was incorrect\n";
> - print "I HATE YOU\n";
> - exit 1;
> - }
> - # else fall through to LOVE
> }
> + # else fall through to LOVE
> }
>
> # For checking whether the user is anonymous on commit
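Review bot: The `open PASSWD, "<$cfg->{gitcvs}->{authdb}" or die $!;` line uses two-argument open with a config value interpolated into the mode string, and on failure it dies instead of sending the "I HATE YOU" rejection that the other failure paths send. Suggest three-argument open with a lexical handle (`open my $passwd, '<', $cfg->{gitcvs}->{authdb}`), printing the rejection and `exit 1` when the open fails, and closing the handle. The loop also keeps reading after a line for the user has matched, so duplicate entries for one name are all accepted; leaving the loop with `last` at the first matching line makes the file's behaviour predictable.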
> --
> 1.5.3.5
Ah, I didn't notice that this got crossposted here. Anyway, I've cleaned
up this patch a bit and submitted it in reply to the original thread
[1].

1. http://article.gmane.org/gmane.comp.version-control.git/76446/match=bjarmason