[cvsnt] Re: SSPI Authentication Lifetime?

Tony Hoyle tmh at nodomain.org
Sun Aug 8 21:41:22 BST 2004


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Jon McLin wrote:
> When a user authenticates to CVS using SSPI, what determines the 
> lifetime of the authentication?  We have observed what seems to be a 
> security issue with respect to this, so I am trying to understand the 
> behavior.

There is no lifetime as such, it's just the permissions of the logged on 
user defined by the system.

> since the user logged into the PC did not have CVS privileges.  The 
> first time he connected, a password dialog appeared.  Subsequent 
> invocations do not result in a password dialog.  This behavior persists 
> even though the non-privileged user has logged off of the machine, and 
> back on.

This sounds like a client issue.  CVSNT does not issue password dialogs 
(except the proxy, and that's only for the lifetime of the login session 
and isn't usually used for SSPI).

You should never get any kind of password prompt for SSPI as it uses the 
logged in credentials.

> Why does this occur?  What is the lifetime and scope of an 
> authentication in CVSNT?  Is there a way for forcibly terminate these 
> privileges?

This isn't a CVSNT issue - you have configured your software to ask for 
passwords and store them... this isn't a good idea in a secure environment.

Tony



More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook