Actions:
2014-08-06 05:25 AEST by Glen Starrett - There is a security bug that, by following the eBook's instructions, the user
inadvertently opens themselves up to.
In the eBook section "Limiting user access with sspi", it instructs users to:
>>>>
So simply issuing this command when logged in as a CVS administrator will work
cvs passwd -a newuser
<<<<
However, if someone attempts to connect with pserver (and possibly other
protocols, e.g. sserver) then they can do so without a password:
This first section is the correct behavior when using SSPI with SystemAuth=no
and the user has been added to CVSROOT/passwd with "cvs passwd -a admin" and no
password.
>>>>
C:\Users\Glen Starrett\Documents>cvs -d :sspi:admin@w2008r2x64:/myrepo logout
Logging out of :sspi:admin@w2008r2x64:2401:/myrepo
C:\Users\Glen Starrett\Documents>cvs -d :sspi:admin@w2008r2x64:/myrepo ls
cvs [ls aborted]: authorization failed: server w2008r2x64 rejected access to /myrepo for user admin
C:\Users\Glen Starrett\Documents>cvs -d :sspi:admin@w2008r2x64:/myrepo login
Logging in to :sspi:admin@w2008r2x64:2401:/myrepo
CVS Password:
C:\Users\Glen Starrett\Documents>cvs -d :sspi:admin@w2008r2x64:/myrepo ls
Listing modules on server
CVSROOT
testcvs
C:\Users\Glen Starrett\Documents>cvs -d :sspi:admin@w2008r2x64:/myrepo logout
Logging out of :sspi:admin@w2008r2x64:2401:/myrepo
<<<<
This section shows the problem: I can perform commands on the server with no
password at all:
>>>>
C:\Users\Glen Starrett\Documents>cvs -d :pserver:admin@w2008r2x64:/myrepo logout
Logging out of :pserver:admin@w2008r2x64:2401:/myrepo
C:\Users\Glen Starrett\Documents>cvs -d :pserver:admin@w2008r2x64:/myrepo ls
Empty password used - try 'cvs login' with a real password
Listing modules on server
CVSROOT
testcvs
<<<<
This method works as well, which is the "correct" method (logging in with the
password via pserver).
>>>>
C:\Users\Glen Starrett\Documents>cvs -d :pserver:admin@w2008r2x64:/myrepo login
Logging in to :pserver:admin@w2008r2x64:2401:/myrepo
CVS Password:
C:\Users\Glen Starrett\Documents>cvs -d :pserver:admin@w2008r2x64:/myrepo ls
Listing modules on server
CVSROOT
testcvs
C:\Users\Glen Starrett\Documents>cvs -d :pserver:admin@w2008r2x64:/myrepo logout
Logging out of :pserver:admin@w2008r2x64:2401:/myrepo
<<<<
Additional information: If I set the password with "cvs -a admin" to something
different from their PASSWORD, e.g. ALTPASSWORD, then:
* pserver login requires ALTPASSWORD.
* SSPI works with no login if the user is logged into Windows with the account
PASSWORD.
* SSPI login requires PASSWORD.
* The user cannot connect to the server without a password for pserver.
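The report above shows that an entry written by "cvs passwd -a user" with no password leaves that user reachable over pserver with an empty password. The following script is an added example, not part of the report or of CVSNT, that audits a CVSROOT/passwd file for such entries. It assumes the standard CVS passwd layout of one entry per line, user:password_hash[:system_user]; the sample file contents and hash values are constructed for illustration.

```python
"""Audit a CVSROOT/passwd file for entries that carry no password hash.

Added example; not part of the bug report or of CVSNT. It assumes the
standard CVS passwd file layout: one entry per line, fields separated
by ':' as  user:password_hash[:system_user].  An entry created with
"cvs passwd -a user" and no password (as in the report) has an empty
hash field, and pserver then accepts that user with an empty password.
"""
from typing import List, NamedTuple


class PasswdEntry(NamedTuple):
    user: str
    password_hash: str
    system_user: str  # empty when the optional third field is absent


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse CVSROOT/passwd content into entries, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        pw_hash = fields[1] if len(fields) > 1 else ""
        sysuser = fields[2] if len(fields) > 2 else ""
        entries.append(PasswdEntry(user, pw_hash, sysuser))
    return entries


def passwordless_users(text: str) -> List[str]:
    """Return users whose hash field is empty: pserver admits them with no password."""
    return [e.user for e in parse_passwd(text) if e.password_hash == ""]


# Constructed sample file (hash value is made up) mirroring the scenario in the
# report: 'admin' added with "cvs passwd -a admin" and no password, 'alice'
# added with a real password, 'bob' mapped to a system user but with no hash.
SAMPLE_PASSWD = """\
# CVSROOT/passwd
admin:
alice:abJnggxhB/yWI:cvsuser
bob::cvsuser
"""

if __name__ == "__main__":
    for user in passwordless_users(SAMPLE_PASSWD):
        print(f"WARNING: {user} has no password hash; pserver will accept an empty password")
```

Run it against the real file with the path of your repository's CVSROOT/passwd substituted for the constructed sample; any user it lists should be given a password with "cvs passwd", as the report's ALTPASSWORD test shows, or pserver access should be turned off for that server.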