|
2009-06-04 13:08 AEST by Arthur Barrett - CVSNT Server 'about' and trace should identify if built with PAM.
Currently there is no 'easy' way to tell if the PAM support is compiled in from a binary.
The code is all in cvsnt/src/server.cpp and is enabled if HAVE_PAM is defined. The functions cvs_conv() and check_pam_password() are only defined if HAVE_PAM is defined; otherwise check_system_password() is defined.
The function check_password() calls check_pam_password() or check_system_password() depending on whether HAVE_PAM is defined, and a trace message should be seen:
"Checking password using PAM"
or
"Checking password using passwd/shadow files"
Note: PAM is only used if system_auth is set (CVSROOT/config SystemAuth=1).
It'd be a lot easier if, in the startup code, CVSNT just traced out:
    #ifdef HAVE_PAM
    if (system_auth)
        TRACE(3,"CVSNT with PAM");
    else
    #endif
        TRACE(3,"CVSNT without PAM (or SystemAuth disabled)");
And something similar on the "cvs --help" screen.
Even adding it to the "cvs ver" response would be nice (but don't want to break anything relying on the current format of the response).
|
2013-08-28 19:50 AEST by Arthur Barrett -
changes subject/summary from:
CVSNT Server 'about' and trace should identify if built with PAM
to:
enh: server: PAM - if enabled should show in 'cvs info'
If CVSNT is 'built' with PAM enabled and SystemAuth is on then the server will check PAM; if not, it will check the (local) system password only.
In CVS Suite PAM is usually enabled (if not, it's probably not intentional), but there is no way to 'check' this easily using the software. A server trace (ServerTraceFile) will show it during authentication because of this code in check_password() inside server.cpp:
    #ifdef HAVE_PAM
        TRACE(3,"Checking password using PAM");
        host_user = check_pam_password (username, password);
    #else
        TRACE(3,"Checking password using passwd/shadow files");
        host_user = check_system_password (username, password, user_token);
    #endif
But ideally the 'info' function should also show a message, perhaps with -sv or -vr:
$ cvs info -vr localhost
Server: HPUX test (melb0020)
Version: Concurrent Versions System (CVSNT) 2.5.03 (Scorpio) Build 3428
Protocols:
pserver
Repositories:
/as400 AS400 evaluation repository
/xxzz /xxzz
Default repository: /as400
Default login: :pserver:localhost:/as400
$ cvs -d :pserver:localhost:/as400 info -vs
Available protocols on server:
enum enum 2.5.03 (Scorpio) Build 3428
pserver pserver 2.5.03 (Scorpio) Build 3428
Strictly speaking this has nothing to do with SystemAuth, so it's not really related to bugs about showing CVSROOT/config settings in 'cvs info' output, e.g.:
bug 4821 CVSDIAG output enhancement
bug 5680 cvsdiag: show contents of CVSROOT/config for each installed repository
bug 5682 show aclmode for each server repository in cvs info -v -r
The trace already identifies that it is built with PAM, but it should be more readily available.
The 'cvs ver' and 'cvs --help' are definitely NOT the right place for this to go, because if there is a known weakness in PAM the knowledge that it is enabled is valuable to an attacker.
In fact maybe there is a reason why it should be possible to disable PAM support even if it is compiled in?
|
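Added example (not part of the bug report and not CVSNT code): until 'cvs info' reports it, an administrator can read the password backend from a ServerTraceFile by counting the two TRACE strings quoted from check_password(). The function names and the sample trace line layout are constructed for this example; only the two message texts come from the report.

```shell
#!/bin/sh
# Message texts as quoted from check_password() in server.cpp.
PAM_MSG='Checking password using PAM'
SYS_MSG='Checking password using passwd/shadow files'

# auth_backend_from_trace FILE  (hypothetical helper name)
# Prints one of: pam, system, mixed, unknown. Returns 2 if FILE is unreadable.
auth_backend_from_trace() {
    trace=$1
    [ -r "$trace" ] || { echo "cannot read $trace" >&2; return 2; }
    # grep -c exits 1 when the count is 0, so neutralise that for 'set -e'.
    pam=$(grep -F -c -- "$PAM_MSG" "$trace" || true)
    sys=$(grep -F -c -- "$SYS_MSG" "$trace" || true)
    if [ "$pam" -gt 0 ] && [ "$sys" -gt 0 ]; then
        # The choice is made at compile time (#ifdef HAVE_PAM), so seeing
        # both means the trace covers more than one server build.
        echo mixed
    elif [ "$pam" -gt 0 ]; then
        echo pam
    elif [ "$sys" -gt 0 ]; then
        echo system
    else
        # No password check of either kind was recorded in this trace.
        echo unknown
    fi
}

# Constructed sample: the timestamp prefix and other lines are invented.
write_sample_trace() {
    cat > "$1" <<'EOF'
12:00:01: constructed startup line
12:00:02: Checking password using PAM
12:00:02: constructed follow-up line
EOF
}

# Stand-alone use: sh thisfile /path/to/server-trace-file
if [ -n "${1:-}" ]; then
    auth_backend_from_trace "$1"
fi
```

The trace file records authentication details, so keep it readable only by the account that administers the server.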