[cvsnt] Re: SSPI Authentication Lifetime?

Bo Berglund bo.berglund at telia.com
Fri Aug 13 16:23:57 BST 2004


On Sun, 08 Aug 2004 12:28:27 -0700, Jon McLin <jmclin at andigilog.com>
wrote:

>Here's the issue:
>On a QA machine, configured as a production machine, a developer logged 
>in as a non-privileged user and checked out and checked in some files 
>(as part of our qualification plan).  He used his login name in CVSROOT, 
>since the user logged into the PC did not have CVS privileges.  The 
>first time he connected, a password dialog appeared.  Subsequent 
>invocations do not result in a password dialog.  This behavior persists 
>even though the non-privileged user has logged off of the machine, and 
>back on.
>
>The consequence of this is that the non-privileged user now effectively 
>has full privileges on CVS.  This is a bad thing.
>
>Why does this occur?  What is the lifetime and scope of an 
>authentication in CVSNT?  Is there a way to forcibly terminate these 
>privileges?

What happens is that you are using a connection string like this:
  :sspi:user@cvsserver:/repo
Then when you connect you have to use the cvs login command, but I
suspect that the Tortoise application handles this for you. In any
case the net result is that you supply the password for the specified
user to CVS and it is used to validate the user.
Next CVS also stores the password in the registry for the currently
logged on user such that it can be used later when another connection
is done to the same server and repository.

If you want this to stop happening you must explicitly use the cvs
logout (or possibly cvs logoff, I can't remember the exact name now)
because that will erase the password stored in the Registry.
Now the next time the server is accessed by the user a login dialogue
will appear.

Note that the password is encrypted and stored in the user part of the
registry and so it is only valid for the user that is currently logged
in.



/Bo
(Bo Berglund, developer in Sweden)


