[cvsnt] cvs login should only work with PSERVER (was: Trouble remotely checking out files from the CVS server)

Arthur Barrett arthur.barrett at march-hare.com
Sat Mar 22 19:42:56 GMT 2008


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Alex,

> > No again.  The registry is ONLY used for storing pserver passwords which
> > are insecure anyway.
> 
> Registry is used to save password when one issues "cvs login" command.
> So, in my registry there are saved passwords for ssh and sspi.

Do not issue the login command for anything other than Pserver, sspi
does not need it and for ssh you should use CVSNT Password Agent.  This
has been discussed before, but no bug ever raised on it - I've now
created bug 5184:
http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?tt=1&id=5184

cvs login should only work with PSERVER - it was only ever intended to
be a pserver function.  Using it with SSPI and SSH is unnecessary and can
lead to security problems.

On Windows the password is stored in HKCU/Software/CVSNT/cvspass (which
is just as insecure as the original CVS storing it in $HOME/.cvspass).

For SSPI the 'login' command is only needed if you are impersonating
another user (which perhaps ought to be restricted somewhat anyway) and
for SSH it has no benefit at all (CVSNTAGENT should be used).

A test could be added - if the current username is used with SSPI
(either :sspi:host:repo or :sspi:currentuser@host:repo) or used with
SSH/ext then login should fail (maybe succeeds if a --no-secure-password
is specified).

A milder way to 'fix' this is to 'warn' the user before writing
anything to cvspass (on all platforms) "CVSNT will write your password in
plain text to the cvspass file or registry - are you sure?"


Does anyone know if this will break anything which shouldn't be broken
anyway?  Is this serious enough to be fast tracked into the next 2.5.04
RC?

Regards,


Arthur
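
The test proposed in the message above, sketched as an added example; it is not part of the original e-mail and is not CVSNT code. `check_login`, `LoginPolicy` and the sample hosts are hypothetical, the `no_secure_password` flag models the override the message suggests, and refusing every protocol other than pserver and SSPI impersonation is an assumption taken from the bug title.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

enum class LoginPolicy { Allow, Refuse };

// Windows account names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Hypothetical helper: may `cvs login` store a password for this CVSROOT?
LoginPolicy check_login(const std::string& cvsroot,
                        const std::string& current_user,
                        bool no_secure_password) {
    // Expect ":protocol:[user[:password]@]host:path"; anything else fails closed.
    if (cvsroot.size() < 3 || cvsroot[0] != ':') return LoginPolicy::Refuse;
    const std::size_t end = cvsroot.find(':', 1);
    if (end == std::string::npos) return LoginPolicy::Refuse;
    const std::string proto = lower(cvsroot.substr(1, end - 1));
    const std::string rest = cvsroot.substr(end + 1);

    if (proto == "pserver") return LoginPolicy::Allow;  // the intended use of login

    bool refuse = true;  // ssh, ext and (assumption) any other protocol
    if (proto == "sspi") {
        // An '@' names a user only if it appears before the repository path.
        const std::size_t at = rest.find('@');
        const std::size_t slash = rest.find('/');
        if (at != std::string::npos && (slash == std::string::npos || at < slash)) {
            std::string user = rest.substr(0, at);
            user = user.substr(0, user.find(':'));         // drop an inline password
            refuse = lower(user) == lower(current_user);   // impersonation is allowed
        }
    }
    return (refuse && !no_secure_password) ? LoginPolicy::Refuse : LoginPolicy::Allow;
}

int main() {
    // Constructed sample roots; "alice" stands in for the logged-in user.
    const char* roots[] = {":pserver:alice@cvs.example.org:/repo", ":sspi:cvs.example.org:/repo",
                           ":sspi:bob@cvs.example.org:/repo", ":ssh:alice@cvs.example.org:/repo"};
    for (const char* r : roots)
        std::cout << r << " -> "
                  << (check_login(r, "alice", false) == LoginPolicy::Allow ? "allow" : "refuse") << "\n";
}
```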

