2008-03-23 06:39 AEST by Arthur Barrett - cvs login should only work with PSERVER - it was only ever intended to be a
pserver function. Using it with SSPI and SSH is unnecessary and can lead to
security problems.
On Windows the password is stored in HKCU/Software/CVSNT/cvspass (which is just
as insecure as the original CVS storing it in $HOME/.cvspass).
For SSPI the 'login' command is only needed if you are impersonating another
user (which perhaps ought to be restricted somewhat anyway) and for SSH it has
no benefit at all (CVSNTAGENT should be used).
A test could be added - if the current username is used with SSPI
(either :sspi:host:repo or :sspi:currentuser@host:repo) or used with SSH/ext
then login should fail (maybe succeeds if a --no-secure-password is specified).
A milder way to 'fix' this is to 'warn' the user before writing anything
to cvspass (on all platforms) "CVSNT will write your password in plain text to
the cvspass file or registry - are you sure?"
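The check proposed in the comment above, written out as an added example (this is not CVSNT's own code). It assumes a CVSROOT of the form `:method:[user@]host[:port]:/path` (CVSNT's `;option=value` suffixes on the method are not handled), takes the current account name as a parameter, and treats the `--no-secure-password` override as a boolean the caller has already parsed; `check_login_allowed` is a hypothetical name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Verdict for an attempted 'cvs login' against a given CVSROOT. */
enum login_verdict {
    LOGIN_ALLOW = 0,            /* a stored password is actually needed (pserver, sspi as another user) */
    LOGIN_REFUSE_SSPI_SELF,     /* :sspi: as the current account: SSPI already authenticates this user */
    LOGIN_REFUSE_SSH,           /* :ssh:/:ext: never use cvspass; keys or CVSNTAGENT should be used */
    LOGIN_REFUSE_MALFORMED      /* CVSROOT does not look like :method:... */
};

/* Case-insensitive compare of an n-byte span against a NUL-terminated string.
 * Protocol names and Windows account names are not case sensitive. */
static bool span_ieq(const char *a, size_t n, const char *b)
{
    if (b == NULL || strlen(b) != n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Decide whether 'cvs login' should write a password for this CVSROOT.
 *   cvsroot        assumed shape ":method:[user@]host[:port]:/path"
 *   current_user   account the client is running as
 *   allow_insecure true when the hypothetical --no-secure-password flag was given */
enum login_verdict check_login_allowed(const char *cvsroot, const char *current_user,
                                       bool allow_insecure)
{
    if (cvsroot == NULL || cvsroot[0] != ':')
        return LOGIN_REFUSE_MALFORMED;

    const char *method = cvsroot + 1;
    const char *method_end = strchr(method, ':');
    if (method_end == NULL || method_end == method)
        return LOGIN_REFUSE_MALFORMED;
    size_t method_len = (size_t)(method_end - method);

    /* Optional user part: text before '@', provided the '@' comes before the
     * next ':' or '/' (otherwise the '@' belongs to the path, not the user). */
    const char *rest = method_end + 1;
    const char *at = strchr(rest, '@');
    const char *stop = strpbrk(rest, ":/");
    bool has_user = at != NULL && (stop == NULL || at < stop);
    size_t user_len = has_user ? (size_t)(at - rest) : 0;

    if (allow_insecure)
        return LOGIN_ALLOW;     /* explicit override: caller accepts the plaintext store */

    if (span_ieq(method, method_len, "ssh") || span_ieq(method, method_len, "ext"))
        return LOGIN_REFUSE_SSH;

    if (span_ieq(method, method_len, "sspi")) {
        /* No user given, or the user is the current account: nothing to store. */
        if (!has_user || span_ieq(rest, user_len, current_user))
            return LOGIN_REFUSE_SSPI_SELF;
        return LOGIN_ALLOW;     /* impersonating another account still needs the password */
    }

    return LOGIN_ALLOW;         /* pserver and anything else: login is the intended path */
}

int main(void)
{
    /* Constructed sample roots covering each branch of the rule. */
    const char *roots[] = {
        ":pserver:bob@cvs.example.test:/repo",
        ":sspi:cvs.example.test:/repo",
        ":sspi:bob@cvs.example.test:/repo",
        ":sspi:alice@cvs.example.test:/repo",
        ":ssh:bob@cvs.example.test:/repo",
        ":ext:cvs.example.test:/repo",
    };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++)
        printf("%-40s verdict=%d\n", roots[i],
               (int)check_login_allowed(roots[i], "bob", false));
    return 0;
}
```

The verdict is computed before the override is applied to the protocol rules only so that a malformed root is still rejected even with the override set; a warning, as the comment's milder alternative suggests, would be printed by the caller on any non-`LOGIN_ALLOW` result.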