[cvsnt] cvs login should only work with PSERVER (was: Trouble remotely checking out files from the CVS server)

Arthur Barrett arthur.barrett at march-hare.com
Sat Mar 22 19:42:56 GMT 2008

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


> > No again.  The registry is ONLY used for storing pserver 
> passwords which
> > are insecure anyway.
> Registry is used to save password when one issues "cvs login" command.
> So, in my registry there are saved passwords for ssh and sspi.

Do not issue the login command for anything other than Pserver, sspi
does not need it and for ssh you should use CVSNT Password Agent.  This
has been discussed before, but no bug ever raised on it - I've now
created bug 5184:

cvs login should only work with PSERVER - it was only ever intended to
be a 
pserver function.  Using it with SSPI and SSH is unnecessary and can
lead to 
security problems.

On windows the password is stored in HKCU/Software/CVSNT/cvspass (which
is just 
as insecure as the original CVS storing it in $HOME/.cvspass).  

For SSPI the 'login' command is only needed if you are impersonating
user (which perhaps ought to be restricted somewhat anyway) and for SSH
it has 
no benefit at all (CVSNTAGENT should be used).  

A test could be added - if the current username is used with SSPI 
(either :sspi:host:repo or :sspi:currentuser at host:repo) or used with
then login should fail (maybe succeeds if a --no-secure-password is

A more milder way to 'fix' this is to 'warn' the user before writing
to cvspass (on all platforms) "CVSNT will write your password in plain
text to 
the cvspass file or registry - are you sure?"

Does anyone know if this will break anything which shouldn't be broken
anyway?  Is this serious enough to be fast tracked into the next 2.5.04



More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook