[cvsnt] cvs login should only work with PSERVER (was: Trouble remotely checking out files from the CVS server)

Tony Hoyle tony.hoyle at march-hare.com
Tue Mar 25 00:23:55 GMT 2008

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

Arthur Barrett wrote:

> Even if there is a global option (--use-cvspass ?) to allow it?  

We have a global option.. it's called the login command!  If you don't 
issue it it doesn't store passwords (there is also the corner case of 
passwords in scripts, which some do rely on)

The problem is you break every single UI out there if you change 
something so fundamental.

> The two most 'controversial' ideas I've had of late are disabling
> :local: and disabling .cvspass, and they both fall into the same
> category - they are fine for people who know what they are doing - but
> people who do not come to poor conclusions - eg: that acls don't work
> (since :local: is always admin) or that passwords are insecure.  How far
> do we go to protect people from themselves?

:local: is not always admin, but they are always the same as the logged 
in user (ie. you can't change username).  What it does do is bypass 
repository registration by using absolute paths instead of aliases - 
fixed in evs (so local behaves exactly like all other protocols now).

Passwords are more insecure than no stored passwords, but not totally 
so.  :pserver: sends them in plaintext so that increases the insecurity. 
  I've personally never had issues with people storing ssh passwords 
locally for example.

On Unix we could check/set the permissions of the cvspass file better 
(should be rw to owner only and enforced as such) but it's no less 
secure than ssh+certificates given that caveat.

The threat model is based on the idea that the client is secure but bad 
guys can sniff the link.  If you define a threat model where the client 
is compromised we have to design a whole new system of login.  cvsagent 
goes some way to handle it but doesn't really address that scenario 
directly (but even that needs timeouts to be truly useful - it should 
ditch the stored password after 5 minutes or so to avoid the 'hacked 
during lunch break' scenario).

> The question is - how much do we inconvenience the experienced people
> for the sake of the new users/people who jump to (incorrect)
> conclusions?
We need to push people more towards sspi and ssh, and make pserver a 
last resort option somehow - but I haven't thought of a way that'll do 
that without creating huge amounts of support requests.

It's also possible there's a case to disable support for non-system 
users.  This would eliminate the CVSROOT/passwd file which is a source 
of some confusion.  And make ACLMODE=Normal the default sometime (which 
IMO is why people get the idea that ACLs don't work, because by default 
they work in an opposite fashion to system ACLs).

Whether this belongs in a stable tree though is debatable.


More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook