[cvsnt] SSPI Security (was "Setting up shared repositories")
Michael.Wojcik at microfocus.com
Thu Aug 23 15:22:42 BST 2007
> From: cvsnt-bounces at cvsnt.org
> [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Glen Starrett
> Sent: Wednesday, 22 August, 2007 15:40
> Michael Wojcik wrote:
> > cvsagent listens on a TCP socket for password queries and responds
> > with cached passwords. That's hardly inaccessible to an attacker.
> We recently discussed changing that to model the PuTTY /
> Pageant method of communication (it uses Windows messages, I
> believe). I'm not sure when this is scheduled.
I haven't investigated Pageant (I use PuTTY for ssh, but manually enter
passwords each time I connect). I'll take a look.
> As always, patches are welcome and appreciated!
Yes, and this is a localized area with a well-defined interface, so it's
a good candidate for an outside patch. If I can find a little free time
I'll look into putting one together.
I should probably note that I like CVSNT, and while I do think this is a
security risk that should be addressed, it's not a showstopper. Good
system security goes a long way to mitigating it.
Principal Software Systems Developer, Micro Focus