| Title | No support for Perforce "tickets" |
| Status | suspended |
| Priority | essential |
| Assigned user | Nick Barnes |
| Organization | Ravenbrook |
| Description | Using a Perforce "ticket" for the P4DTI replicator user is possible, but tedious and subject to security concerns (a ticket must be placed in the file config.py, and the replicator user would normally be given a very long ticket timeout; both of these are security weaknesses). |
| Analysis | Perforce introduced a new authentication system using "tickets" in P4 2003.2. A ticket is obtained by logging in (with "p4 login") and can be used in place of a Perforce password. This system adds some security to the plain password system because the tickets expire (in 12 hours by default; this can be set on a per-group basis). Perforce also has "security levels" for enforcing password and ticket security. Levels 0-2 control password strength; level 3 requires the use of tickets. In P4 2004.2 beta this system has become documented in the P4 SAG (chapter 3; also in "p4 help login", etc). The P4DTI can use a ticket for the replicator user, simply by specifying the ticket in place of a password in config.py. This has to be done manually by the administrator, and administrators will probably give the replicator user a very long ticket timeout value (using Perforce groups) as the replicator has no means of handling ticket expiry. An easy change would be to allow tickets to appear in an external file, which can be refreshed by the administrator without restarting the replicator. That can be done as a simple extension to the existing p4_config_file mechanism. An addition to that would be to use "p4 login -s" to determine ticket expiry and notify the administrator of an impending expiry. Ticket expiry should be handled separately from other Perforce access errors, so that a helpful error message can be generated. |
| How found | customer |
| Evidence | [1] <http://www.perforce.com/perforce/doc.042/manuals/p4sag/p4sag.pdf>, chapter 3. |
| Observed in | 2.1.2 |
| Introduced in | 2.1.0 |
| Created by | Nick Barnes |
| Created on | 2004-07-20 11:55:26 |
| Last modified by | Nick Barnes |
| Last modified on | 2018-07-05 17:28:13 |
| History | 2004-07-20 NB Created. 2018-07-05 NB Suspended because the P4DTI is obsolete. |