[cvsnt] cvs login should only work with PSERVER (was: Trouble remotely checking out files from the CVS server)
arthur.barrett at march-hare.com
Sat Mar 22 19:42:56 GMT 2008
> > No again. The registry is ONLY used for storing pserver passwords which
> > are insecure anyway.
> Registry is used to save password when one issues "cvs login" command.
> So, in my registry there are saved passwords for ssh and sspi.
Do not issue the login command for anything other than Pserver, sspi
does not need it and for ssh you should use CVSNT Password Agent. This
has been discussed before, but no bug ever raised on it - I've now
created bug 5184:
cvs login should only work with PSERVER - it was only ever intended to
pserver function. Using it with SSPI and SSH is unnecessary and can
On Windows the password is stored in HKCU/Software/CVSNT/cvspass (which
as insecure as the original CVS storing it in $HOME/.cvspass).
For SSPI the 'login' command is only needed if you are impersonating
user (which perhaps ought to be restricted somewhat anyway) and for SSH
no benefit at all (CVSNTAGENT should be used).
A test could be added - if the current username is used with SSPI
(either :sspi:host:repo or :sspi:currentuser@host:repo) or used with
then login should fail (maybe succeeds if a --no-secure-password is
A milder way to 'fix' this is to 'warn' the user before writing
to cvspass (on all platforms) "CVSNT will write your password in plain
the cvspass file or registry - are you sure?"
Does anyone know if this will break anything which shouldn't be broken
anyway? Is this serious enough to be fast tracked into the next 2.5.04
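
The check proposed in the message above, sketched as an added example; it is not code from the post or from CVSNT. The function name, the simplified CVSROOT pattern, the DOMAIN\user comparison and the `no_secure_password` parameter (standing in for the override option the post mentions) are assumptions made for illustration.

```python
import re

# Assumed, simplified CVSROOT shape: :proto[;opts]:[user[:pass]@]host:[port:]path
_CVSROOT = re.compile(
    r"^:(?P<proto>[A-Za-z]+)(?:;[^:]*)?:"
    r"(?:(?P<user>[^:@]+)(?::[^@]*)?@)?"
    r"(?P<host>[^:/@]+):(?:\d+:?)?(?P<path>.+)$"
)

WARNING = "password will be written in plain text to the cvspass file or registry"


def _bare(name):
    # Assumption: DOMAIN\user and user name the same account, case-insensitively.
    return name.rsplit("\\", 1)[-1].casefold()


def login_decision(cvsroot, current_user, no_secure_password=False):
    """Return (action, reason); action is 'refuse' or 'warn'."""
    m = _CVSROOT.match(cvsroot)
    if m is None:
        return ("refuse", "unrecognised CVSROOT")
    proto, user = m["proto"].lower(), m["user"]
    if proto == "pserver" or no_secure_password:
        # Storing is permitted, but the user is told what happens to the password.
        return ("warn", WARNING)
    if proto == "sspi":
        if user is None or _bare(user) == _bare(current_user):
            return ("refuse", "sspi already authenticates the current user")
        # Impersonating a different user is the one SSPI case that needs login.
        return ("warn", WARNING)
    if proto == "ssh":
        return ("refuse", "use the CVSNT Password Agent for ssh")
    return ("refuse", "login is intended for pserver only")


# Constructed sample roots; host, user and repository names are made up.
SAMPLES = [
    ":pserver:alice@cvs.example.test:2401:/repo",
    ":sspi:cvs.example.test:repo",
    ":sspi:bob@cvs.example.test:repo",
    ":ssh:alice@cvs.example.test:/repo",
]

if __name__ == "__main__":
    for root in SAMPLES:
        print(root, "->", login_decision(root, "alice"))
```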