[p4] Triggers and best practice authentication from scripts
Sweeney, Tony
sweeney at ea.com
Fri Dec 1 01:40:59 PST 2006
Per the Administrator's Guide:
"After an auth-check trigger is in place and the server restarted, the
Perforce security counter is ignored; because authentication is now
under the control of the trigger script, the server's default mechanism
for password strength requirements is redundant."
Tony.
quis custodiet ipsos custodes -- Juvenal VI, 347-8
> -----Original Message-----
> From: perforce-user-bounces at perforce.com
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Steven Bougon
> Sent: 30 November 2006 17:44
> To: Stephen Vance; Finn Normann Pedersen
> Cc: perforce-user at perforce.com
> Subject: Re: [p4] Triggers and best practice authentication
> from scripts
>
> > you can shut down the server, delete db.trigger and restart the server
> This approach is also the one Perforce Support recommended when I
> was facing the same problem (last week):
> - shut down p4d
> - mv db.trigger db.trigger.tmp
> - restart server
> - mv db.trigger.tmp db.trigger
> (since the auth check gets activated only after a restart)
>
>
> Here too, we are trying to use the auth-check to authenticate with
> LDAP. So far, so good, except that I wanted to have some users without
> any password at all (since p4 protect allows these users to work only
> on a certain IP which is totally secure), so I was hoping to write in
> my script: if ($user eq "mySpecialUser") {exit(0);}
> but p4 login still prompts for a password unfortunately
> (of course, you can provide any string and "mySpecialUser" gets
> authenticated, but still a bummer).
>
> So right now, we are going through the fun of:
> - users that are not in Active Directory => create accounts in ldap
> - p4 user with a different name in Active Directory => mapping
> - find a solution for all the scripts running with some p4 users
> that used to be passwordless
>
> With the auth-check trigger, I'm not sure how relevant the server
> security level (0, 1, 2 or 3) is. Any idea?
>
> Steven
> -----Original Message-----
> From: perforce-user-bounces at perforce.com
> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Stephen Vance
> Sent: Thursday, November 30, 2006 7:08 AM
> To: Finn Normann Pedersen
> Cc: perforce-user at perforce.com
> Subject: Re: [p4] Triggers and best practice authentication
> from scripts
>
> Ahhhh. If we're talking about extreme measures, you can shut down the
> server, delete db.trigger and restart the server. You could do it more
> surgically by checkpointing (directly from p4d), removing the offending
> trigger line and restoring your checkpoint.
>
> Steve
>
> Finn Normann Pedersen wrote:
> > Hi Stephen,
> >
> > He he ... agree on paranoid defensive programming, but however in this
> > case when you add the auth-check trigger, the entire authentication
> > system is hooked to an external program, which means that if my
> > external program doesn't work for some reason (LDAP down, moved,
> > reconfigured DN,CN) I cannot access the P4 database and remove or
> > alter the trigger.
> >
> > That was why I asked if there was another way to remove the trigger,
> > other than "p4 triggers".
> >
> > Regards,
> > Finn
> >
> >
> >
> > On 11/30/06, Stephen Vance <steve at vance.com> wrote:
> >>
> >> Just implicitly by removing or replacing the trigger script.
> >>
> >> I'd just advocate paranoid levels of defensive programming.
> >>
> >> Steve
> >>
> >>
> >> Finn Normann Pedersen wrote:
> >> Thanks for all the nice replies !
> >>
> >> A related question on triggers - can you (somehow) remove triggers
> >> without access from a super account, e.g. directly from the server.
> >> While auth-check features are nice, script errors kinda lock up
> >> access to P4!?
> >>
> >> (and yes, I do use a test server while jinxing these scripts)
> >>
> >> Cheers,
> >> Finn
> >>
> >>
> >> Matthew Janulewicz wrote:
> >>
> >>
> >> I believe this is true.
> >>
> >> When I take my laptop home and log in through our VPN, I get asked to
> >> log in again. When I come back to work, I log in a second (third,
> >> really) time.
> >>
> >> I don't believe I have a static IP address at work, though. Perhaps
> >> it has something to do with hostname? Or maybe I'm just nuts?
> >>
> >>
> >> -Matt
> >>
> >>
> >> -----Original Message-----
> >> From: Greg Whitfield [mailto:g.whitfield at computer.org]
> >> Sent: Wednesday, November 29, 2006 1:06 PM
> >> To: 'Tetlow, Gordon'; 'Elkins, Mark'; 'Finn Normann Pedersen'
> >> Cc: perforce-user at perforce.com
> >> Subject: Re: [p4] Triggers and best practice authentication from
> >> scripts
> >>
> >> I may be wrong on this, but I have a vague recollection that the
> >> ticket gets reset if you login from another IP address as the same
> >> user. If this happened then the trigger would start to fail until you
> >> did another p4 login from the machine upon which the triggers were
> >> executing.
> >>
> >> Worth checking, and perhaps enforcing with the protections table to
> >> only allow your background user account access from a single IP
> >> address.
> >>
> >> Greg
> >> ~~~~
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: perforce-user-bounces at perforce.com
> >> [mailto:perforce-user-bounces at perforce.com] On Behalf Of Tetlow,
> >> Gordon
> >> Sent: 29 November 2006 20:02
> >> To: Elkins, Mark; Finn Normann Pedersen
> >> Cc: perforce-user at perforce.com
> >> Subject: Re: [p4] Triggers and best practice authentication from
> >> scripts
> >>
> >> Security level is meaningless when you have an auth trigger.
> >>
> >> You *must* use 'p4 login' when you have an auth trigger. Using p4 -P
> >> mypass doesn't work anymore.
> >>
> >> I would recommend you run your triggers as a background user with a
> >> really long timeout. Just add the user to a group with a timeout of 0
> >> and you should be set until 2038 or so.
> >>
> >> -gordon
> >>
> >>
> >> _______________________________________________
> >> perforce-user mailing list - perforce-user at perforce.com
> >> http://maillist.perforce.com/mailman/listinfo/perforce-user
> >>
> >>
> >>
> >
>
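The auth-check trigger discussed throughout this thread, as an added example that is not code from the thread, from Perforce, or from any of the posters: a Python skeleton that reads the password from stdin the way p4d supplies it, maps Perforce user names to directory account names (the "mapping" problem), gives the formerly passwordless script accounts a real secret checked against a local salted hash instead of exiting 0 unconditionally (which, as noted above, lets any string through), and refuses empty passwords before any bind, because an LDAP simple bind with a name and an empty password is an unauthenticated bind that many directories accept. The trigger name, script path, user names, mapping, secrets and the `fake_bind` / `unavailable_bind` stand-ins are all assumptions constructed for this example; a real deployment replaces `fake_bind` with an LDAP simple bind.

```python
#!/usr/bin/env python3
"""Perforce auth-check trigger skeleton (added example, not code from the thread).

p4d runs an auth-check trigger as   <script> %user%   and writes the password
the user typed at `p4 login` to the trigger's stdin.  Exit status 0 means
"authenticated"; any other status rejects the login.  A matching triggers
table line (trigger name and path are hypothetical):

    ldapauth auth-check auth "/p4/triggers/auth_check.py %user%"
"""
import hashlib
import hmac
import sys

# Hypothetical mapping for p4 users whose directory account name differs.
P4_TO_DIRECTORY = {"sbougon": "steven.bougon"}


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Hypothetical script/service accounts that are not in the directory and
# used to be passwordless.  Each gets a real secret, stored only as a salted
# PBKDF2 hash, so the trigger never has to exit 0 unconditionally for them.
_SVC_SALT = b"constructed-salt-0001"
SERVICE_ACCOUNTS = {
    "buildbot": (_SVC_SALT, _pbkdf2("build-secret-123", _SVC_SALT)),
}

# Constructed stand-in directory used by fake_bind below.
FAKE_DIRECTORY = {"steven.bougon": "Winter2006!"}


def directory_account(p4_user):
    """Translate a Perforce user name to the directory account name."""
    return P4_TO_DIRECTORY.get(p4_user, p4_user)


def fake_bind(account, password):
    """Stand-in for an LDAP simple bind.  It reproduces the behaviour that
    makes naive triggers unsafe: a bind with an empty password is an
    unauthenticated bind and 'succeeds'."""
    if password == "":
        return True
    return FAKE_DIRECTORY.get(account) == password


def unavailable_bind(account, password):
    """Stand-in for the directory being down, moved or misconfigured."""
    raise RuntimeError("directory unreachable")


def authenticate(p4_user, password, bind):
    """Return True only if the credentials are acceptable.

    bind(account, password) performs the directory bind and returns a bool.
    Order of checks:
      1. empty user or empty password is refused before any bind, because an
         LDAP simple bind with an empty password is unauthenticated and many
         directories accept it;
      2. service accounts are verified against the local hash and never sent
         to the directory;
      3. everyone else is bound against the directory; any exception (LDAP
         down, moved, bad DN) counts as failure, i.e. the trigger fails closed.
    """
    if not p4_user or not password:
        return False
    if p4_user in SERVICE_ACCOUNTS:
        salt, digest = SERVICE_ACCOUNTS[p4_user]
        return hmac.compare_digest(_pbkdf2(password, salt), digest)
    try:
        return bool(bind(directory_account(p4_user), password))
    except Exception:
        return False


def main(argv=None, stdin=None):
    """Entry point as p4d calls it: user in argv[1], password on stdin."""
    argv = sys.argv if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    if len(argv) != 2:
        return 2
    password = stdin.readline().rstrip("\r\n")  # strip only the newline p4d sends
    return 0 if authenticate(argv[1], password, fake_bind) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Two consequences of this design are worth stating. Failing closed on a bind exception means a directory outage locks out every user, super users included, which is exactly the situation the thread's db.trigger recovery procedure exists for; test the script against an unreachable directory on a test server before installing it. And because the script accounts now have a password, the scripts must obtain a ticket with `p4 login`, so the long-timeout group and single-IP protections entry recommended above apply to them as well.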