From: "Carlo Marcelo Arenas Belón" <carenas@gmail.com>
To: git@vger.kernel.org
Cc: sam@vilain.net, avarab@gmail.com,
	"Carlo Marcelo Arenas Belón" <carenas@gmail.com>
Subject: [PATCH 1/3] git-cvsserver: use crypt correctly to compare password hashes
Date: Wed, 15 Sep 2021 01:09:46 -0700
Message-ID: <20210915080948.11891-2-carenas@gmail.com>
In-Reply-To: <20210915080948.11891-1-carenas@gmail.com>

c057bad370 (git-cvsserver: use a password file cvsserver pserver,
2010-05-15) adds a way for `git cvsserver` to provide authenticated
pserver accounts without having clear text passwords, but uses the
username instead of the password to the call for crypt(3).

Correct that, and make sure the documentation correctly indicates how
to obtain hashed passwords that could be used to populate this
configuration, as well as correcting the hash that was used for the
tests.

This change will require that any user of this feature updates the
hashes in their configuration, but has the advantage of using a more
similar format than cvs uses, probably also easing any migration.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 Documentation/git-cvsserver.txt | 10 ++++------
 git-cvsserver.perl              |  2 +-
 t/t9400-git-cvsserver-server.sh |  4 +++-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index f2e4a47ebe..4d13367c77 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -118,13 +118,11 @@ for example:
    myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
 ------
 You can use the 'htpasswd' facility that comes with Apache to make these
-files, but Apache's MD5 crypt method differs from the one used by most C
-library's crypt() function, so don't use the -m option.
+files, but only with the -d option (or -B if your system suports it).
 
-Alternatively you can produce the password with perl's crypt() operator:
------
-   perl -e 'my ($user, $pass) = @ARGV; printf "%s:%s\n", $user, crypt($user, $pass)' $USER password
------
+Preferably use the system specific utility that manages password hash
+creation in your platform (e.g. mkpasswd in Linux, encrypt in OpenBSD or
+pwhash in NetBSD) and paste it in the right location.
 
 Then provide your password via the pserver method, for example:
 ------
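Review bot: the added line "files, but only with the -d option (or -B if your system suports it)." misspells "supports". More substantively, htpasswd's -d selects traditional DES crypt, which truncates the password to 8 characters and uses a 12-bit salt, so recommending it without a caveat replaces wrong advice with weak advice; suggest saying that -d yields the legacy DES format, and leading with the platform utilities named in the next paragraph (mkpasswd, encrypt, pwhash), with a note that whatever format is chosen must be one the system's crypt(3) understands, since git-cvsserver verifies through Perl's crypt(), which wraps it. Also "in your platform" reads better as "on your platform", and "paste it in the right location" could say "paste the resulting hash into the authdb file".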
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index ed035f32c2..4c93b5d099 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -222,7 +222,7 @@
         open my $passwd, "<", $authdb or die $!;
         while (<$passwd>) {
             if (m{^\Q$user\E:(.*)}) {
-                if (crypt($user, descramble($password)) eq $1) {
+                if (crypt(descramble($password), $1) eq $1) {
                     $auth_ok = 1;
                 }
             };
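Review bot: the argument order is now right (cleartext first, stored hash as the settings string), but the comparison still has no guard for crypt() returning undef: on platforms where crypt(3) returns NULL for an unsupported or malformed settings string, Perl's crypt() returns undef, and `undef eq $1` is true when the hash field after the colon is empty, i.e. a successful login with any password for an authdb line like "user:". Suggest `my $h = crypt(descramble($password), $1); if (defined $h && length $h && $h eq $1) {`. Patch 2/3 in this series ("protect against NULL in crypt(3)") appears to cover this, but since this patch alone is what a backport would carry, the guard belongs here. Minor: `eq` is not a constant-time comparison, though the per-line username match already leaks more than the hash comparison would.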
diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh
index 2d29d486ee..59b40359c7 100755
--- a/t/t9400-git-cvsserver-server.sh
+++ b/t/t9400-git-cvsserver-server.sh
@@ -36,6 +36,8 @@ CVSWORK="$PWD/cvswork"
 CVS_SERVER=git-cvsserver
 export CVSROOT CVS_SERVER
 
+PWDHASH='lac2ItudM3.KM'
+
 rm -rf "$CVSWORK" "$SERVERDIR"
 test_expect_success 'setup' '
   git config push.default matching &&
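Review bot: PWDHASH='lac2ItudM3.KM' is a bare constant with no comment saying which cleartext it hashes or how it was produced; a one-line comment above it (for example "traditional DES crypt(3) hash of the password used by the pserver tests below, generated with <tool>") would spare the next person from having to reverse it. Also, since this is a 13-character traditional DES hash, the tests now depend on the platform's crypt(3) still supporting DES, which some hardened libcrypt builds drop; a test_lazy_prereq that checks crypt() actually reproduces this hash would let the pserver tests skip cleanly instead of failing there.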
@@ -54,7 +56,7 @@ test_expect_success 'setup' '
   GIT_DIR="$SERVERDIR" git config --bool gitcvs.enabled true &&
   GIT_DIR="$SERVERDIR" git config gitcvs.logfile "$SERVERDIR/gitcvs.log" &&
   GIT_DIR="$SERVERDIR" git config gitcvs.authdb "$SERVERDIR/auth.db" &&
-  echo cvsuser:cvGVEarMLnhlA > "$SERVERDIR/auth.db"
+  echo "cvsuser:$PWDHASH" >"$SERVERDIR/auth.db"
 '
 
 # note that cvs doesn't accept absolute pathnames
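Review bot: the setup change only installs the corrected hash; nothing in the visible test changes adds a negative case asserting that a wrong password is rejected, which is exactly the check that would have caught the original bug (the old code called crypt($user, ...), so the stored hash effectively depended on the username rather than the password, and the old test value passed for that reason). Suggest adding a pserver login attempt with a wrong password that expects failure next to the existing success case. The quoting change to `"cvsuser:$PWDHASH"` is fine; the single quotes around the PWDHASH assignment already protect any `$`-prefixed format that might be used here later.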
-- 
2.33.0.481.g26d3bed244
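As an added example (not git's code and not part of this patch), the corrected comparison is shown below in a self-contained Perl script next to the old argument order, so the effect of the fix can be seen by running it. The script leaves out descramble() and takes the cleartext directly, and it assumes the platform's crypt(3) accepts the settings strings it uses (traditional DES with a two-character salt, and "$6$" SHA-512 crypt where supported); the authdb lines and passwords are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not git's own code: pserver-style password check written the
# way the corrected git-cvsserver call does it, plus the guards a reviewer
# would want. Assumes the platform's crypt(3) supports the settings strings
# used below (traditional DES "la", SHA-512 "$6$...").
use strict;
use warnings;

# Correct form: cleartext first, stored hash as the settings/salt string.
# Returns 1 on match, 0 otherwise. An undef result (C NULL for an unsupported
# settings string) or a failure token such as libxcrypt's "*0"/"*1" is treated
# as a failed login instead of being allowed to compare equal.
sub password_matches {
    my ($cleartext, $stored_hash) = @_;
    return 0 unless defined $stored_hash && length $stored_hash;
    return 0 if $stored_hash =~ /^\*/;          # "*" prefix: locked or invalid entry
    my $computed = crypt($cleartext, $stored_hash);
    return 0 unless defined $computed && length $computed;
    return 0 if $computed =~ /^\*/;             # crypt(3) failure token
    return $computed eq $stored_hash ? 1 : 0;
}

# Form used before the fix, kept only to show why it was wrong: the username is
# hashed with the password acting as the salt, so with DES crypt the result
# depends on the first two characters of the password and nothing else.
sub buggy_matches {
    my ($user, $cleartext, $stored_hash) = @_;
    my $computed = crypt($user, $cleartext);
    return defined $computed && $computed eq $stored_hash ? 1 : 0;
}

# Look up $user in "user:hash" lines, the authdb format git-cvsserver reads.
sub authenticate {
    my ($user, $cleartext, @authdb_lines) = @_;
    for my $line (@authdb_lines) {
        chomp $line;
        next unless $line =~ m{^\Q$user\E:(.*)};
        return password_matches($cleartext, $1);
    }
    return 0;   # unknown user
}

# Constructed sample authdb; hashes are generated at run time so the example
# does not depend on any fixed hash string.
my $des_hash = crypt('s3cret', 'la');                # traditional DES, 2-char salt
my $sha_hash = crypt('s3cret', '$6$examplesalt$');   # SHA-512 crypt, where supported
my @authdb = (
    "cvsuser:$des_hash",
    "alice:$sha_hash",
    "broken:",            # empty hash field: must never authenticate
);

for my $case (['cvsuser', 's3cret'], ['cvsuser', 'wrong'], ['alice', 's3cret'],
              ['broken', 'anything'], ['nobody', 's3cret']) {
    my ($u, $p) = @$case;
    printf "%-8s %-9s -> %s\n", $u, $p,
        authenticate($u, $p, @authdb) ? 'ok' : 'rejected';
}

# With the old call, an authdb would have held crypt($user, $password); any
# password sharing that hash's two-character salt prefix then compares equal.
my $old_style_hash = crypt('cvsuser', 's3cret');
printf "old check, right password: %d\n",
    buggy_matches('cvsuser', 's3cret', $old_style_hash);
printf "old check, wrong password: %d\n",
    buggy_matches('cvsuser', 's3XXXXXX', $old_style_hash);
```

Run it with `perl example.pl`; the "broken" entry and the unknown user are rejected by the defined/length guards, while the final two lines show the pre-fix comparison accepting a password that merely shares the first two characters of the real one, which is the regression a negative test in t9400 would catch.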



Thread overview: 7+ messages
2021-09-15  8:09 [PATCH 0/3] cvsserver: correctly validate pserver passwords Carlo Marcelo Arenas Belón
2021-09-15  8:09 ` Carlo Marcelo Arenas Belón [this message]
2021-09-15  8:09 ` [PATCH 2/3] git-cvsserver: protect against NULL in crypt(3) Carlo Marcelo Arenas Belón
2021-09-16 22:11   ` Junio C Hamano
2021-09-16 22:44     ` Carlo Arenas
2021-09-17  3:43       ` Junio C Hamano
2021-09-15  8:09 ` [PATCH 3/3] Documentation: cleanup git-cvsserver Carlo Marcelo Arenas Belón
