[Cvsnt] SSPI and cvspass file

Tony Hoyle tmh at nothing-on.tv
Wed Feb 27 08:48:43 GMT 2002




Brian Smith wrote:
> Tony,
>
> It seems like the current SSPI code will allow the user to store their
> domain password in .cvspass. To me, that doesn't seem like a very good
> idea because the .cvspass file becomes a very weak link in the
> domain's security, especially for developers and administrators that
> have a lot of privileges. I can see how it would be helpful for some
> people but for me this causes a big problem (I develop software for a
> hospital so I have a ton of patient confidentiality laws and regulations
> to worry about). So, for me to be able to use CVSNT I have to have a way
> of disabling this password-storing "feature" while still allowing :sspi:
> mode to work.
>
> What do you think the best way to go about that would be?
>
Unfortunately without the password you can't authenticate onto a remote
domain, since you're not logged in to it.  SSPI doesn't allow you to
store things like the MD5 of the password and send that, so there's no
easy way around it.

You could perhaps have a server side setting disabling 'cvs login'.  The
client won't store anything if the server rejects its attempts to login
(it'll still send the crypt()ed password over the wire but that's less
of an issue as it's a one way encryption).

Tony
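
An audit check for the concern raised in this thread, added here as an example and not part of the original message or of CVSNT itself: it lists which .cvspass entries hold a stored :sspi: password, without decoding or printing the secret. It assumes the stock CVS .cvspass line layout (optional "/1 " tag, CVSROOT, then the scrambled password prefixed with "A"); the storage used by a given CVSNT build may differ, and the sample entries are constructed.

```python
import re

# Constructed sample; hosts, users and the scrambled strings are made up.
SAMPLE_CVSPASS = """\
/1 :pserver:anonymous@cvs.example.org:2401/cvsroot A
/1 :sspi:HOSPITAL\\bsmith@cvs.example.org:/repo Ay=0=h<Z
:pserver:build@cvs.example.org:/cvsroot Ahn'e
:sspi:cvs2.example.org:/repo A
"""

# Assumed layout (stock CVS): optional "/1 " version tag, CVSROOT, one space,
# then the scrambled password whose first character is the method letter "A".
ENTRY = re.compile(r"^(?:/1 )?(?P<root>:(?P<method>[a-z]+):\S+) (?P<secret>.*)$")


def audit_cvspass(text):
    """Return (line_no, method, cvsroot, has_password) for each parsable entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(line)
        if not m:
            continue  # blank or unrecognised line
        # "A" on its own is the scrambled form of an empty password.
        has_password = len(m.group("secret")) > 1
        findings.append((line_no, m.group("method"), m.group("root"), has_password))
    return findings


def stored_domain_credentials(text):
    """Entries where a non-empty password is saved for an :sspi: root."""
    return [f for f in audit_cvspass(text) if f[1] == "sspi" and f[3]]


if __name__ == "__main__":
    for line_no, method, root, _ in stored_domain_credentials(SAMPLE_CVSPASS):
        print(f"line {line_no}: stored password for {root}")
```
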


_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt