[p4] Scripting and ticket authentication

[Jeff Grills]

In your new strategy, wouldn't the contents of the ticket file be
transferred unencrypted over the network?  And since the tickets are valid
for all IP addresses (due to the -a option to login), wouldn't that allow
anyone who snooped the network to gain the script's access to perforce from
their own machine?  That seems like a bad security hole.  Of course, you
might inherently trust your network, in which case it might not be an issue
for you.

j

-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of Shawn Hladky
Sent: Tuesday, July 17, 2007 3:48 PM
To: Bob Van Zant
Cc: perforce-user at perforce.com
Subject: Re: [p4] Scripting and ticket authentication


Currently we do the following:
use P4CONFIG files
in the p4config set P4PASSWD to a ticket value that doesn't expire for a
long time.

I've been prototyping a new strategy:
Set P4TICKETS to a centralized remote share.  Access to the share is
restricted by the system account (NT in our case) running the script. On a
secure server, run a script to update the ticket on the central server (p4
logout -a & p4 login -a) daily.

The theory behind this is that the NT accounts should already be secure, and
you'll need that secure access to get a current ticket.  The downside is
that fileshare becomes a single point of failure for the scripts, and
cross-platform stuff gets tricky.