[cvsnt] Re: Authentication - Next best alternative to sspi

Tony Hoyle tmh at nodomain.org
Thu Apr 14 21:44:27 BST 2005




Rick Martin wrote:
> First, let me say I'm no expert on sspi.  The way I set it up was to not put 
> the password in the login statement inside WinCVS. When you first log in you 
> are prompted for the password. This password is encrypted and stored in the 
> local registry. That way you don't have to log in each time you start WinCVS. 
> I don't know how strong or what type of encryption is used. Perhaps Tony or 
> another developer can jump in here.

The encryption in the registry is pretty weak (it's the same encryption 
that pserver uses) but it's pretty hard to steal data out of a registry 
unless you're already authenticated as the user or an administrator (in 
both cases if a blackhat gets that far the cvs password is the least of 
your problems).

> Also, I've used Ethereal to watch the TCP packets at the server end. The 
> initial packets used to negotiate the connection are basically in plain 
> text. However, the password is not. It is encrypted. The encrypted value is 
> not the same as what is stored in the registry. Again, I didn't try to test 
> the strength of the encryption.

It's defined by Microsoft.  NTLMv2 (which anything newer than NT4 will 
use) is pretty hard to crack.  Not impossible, I'm told. If you are 
logged onto an active directory it uses Kerberos which is as good as 
impossible to crack.

Tony


