[Cvsnt] SSPI and cvspass file
tmh at nothing-on.tv
Wed Feb 27 08:48:43 GMT 2002
Brian Smith wrote:
> It seems like the current SSPI code will allow the user to store their
> domain password in .cvspass. To me, that doesn't seem like a very good
> idea because the .cvspass file becomes a very weak link in the
> domain's security, especially for developers and administrators that
> have a lot of privileges. I can see how it would be helpful for some
> people but for me this causes a big problem (I develop software for a
> hospital so I have a ton of patient confidentiality laws and regulations
> to worry about). So, for me to be able to use CVSNT I have to have a way
> of disabling this password-storing "feature" while still allowing :sspi:
> mode to work.
> What do you think the best way to go about that would be?
Unfortunately without the password you can't authenticate onto a remote
since you're not logged in to it. SSPI doesn't allow you to store
things like the MD5 of the password and send that, so there's no easy
way around it.
You could perhaps have a server side setting disabling 'cvs login'. The
client won't store anything if the server rejects its attempts to log in
(it'll still send the crypt()ed password over the wire but that's less
of an issue as it's a one-way encryption).
Cvsnt mailing list
Cvsnt at cvsnt.org