[cvsnt] SSPI Security (was "Setting up shared repositories")

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Aug 23 15:22:42 BST 2007




> From: cvsnt-bounces at cvsnt.org 
> [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Glen Starrett
> Sent: Wednesday, 22 August, 2007 15:40
> 
> Michael Wojcik wrote:
> > cvsagent listens on a TCP socket for password queries and responds 
> > with cached passwords.  That's hardly inaccessible to an attacker.
> 
> We recently discussed changing that to model the PuTTY / 
> Pageant method of communication (it uses Windows messages, I 
> believe).  I'm not sure when this is scheduled.

I haven't investigated Pageant (I use PuTTY for ssh, but manually enter
passwords each time I connect).  I'll take a look.

> As always, patches are welcome and appreciated!

Yes, and this is a localized area with a well-defined interface, so it's
a good candidate for an outside patch.  If I can find a little free time
I'll look into putting one together.

I should probably note that I like CVSNT, and while I do think this is a
security risk that should be addressed, it's not a showstopper.  Good
system security goes a long way to mitigating it.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus

