[cvsnt] SSPI Authentication Lifetime?

Jon McLin jmclin at andigilog.com
Sun Aug 8 20:28:27 BST 2004


When a user authenticates to CVS using SSPI, what determines the 
lifetime of the authentication?  We have observed what seems to be a 
security issue with respect to this, so I am trying to understand the 
behavior.

In our application, we have CVSNT 2.041a running on an NT4 server to 
control production software.  A limited number of users (the software 
developers) can access the repository via Windows permissions (members 
of group 'CVS Users').

Our client software is TortoiseCVS, and, in the developers' IDE, "cvs 
proxy" (scc api) from pushok software (pushok.com).  Both of these 
clients use CVS NT as the CVS component.

Here's the issue:
On a QA machine, configured as a production machine, a developer logged 
in as a non-privileged user and checked out and checked in some files 
(as part of our qualification plan).  He used his login name in CVSROOT, 
since the user logged into the PC did not have CVS privileges.  The 
first time he connected, a password dialog appeared.  Subsequent 
invocations do not result in a password dialog.  This behavior persists 
even though the non-privileged user has logged off of the machine, and 
back on.

The consequence of this is that the non-privileged user now effectively 
has full privileges on CVS.  This is a bad thing.

Why does this occur?  What is the lifetime and scope of an 
authentication in CVSNT?  Is there a way to forcibly terminate these 
privileges?

Best regards,
Jon McLin





