Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Brian Smith wrote:

> Tony,
>
> It seems like the current SSPI code will allow the user to store their
> domain password in .cvspass. To me, that doesn't seem like a very good
> idea because the .cvspass file becomes a very weak link in the
> domain's security, especially for developers and administrators that
> have a lot of privileges. I can see how it would be helpful for some
> people but for me this causes a big problem (I develop software for a
> hospital so I have a ton of patient confidentiality laws and regulations
> to worry about). So, for me to be able to use CVSNT I have to have a way
> of disabling this password-storing "feature" while still allowing :sspi:
> mode to work.
>
> What do you think the best way to go about that would be?
>

Unfortunately without the password you can't authenticate onto a remote domain, since you're not logged in to it. SSPI doesn't allow you to store things like the MD5 of the password and send that, so there's no easy way around it.

You could perhaps have a server side setting disabling 'cvs login'. The client won't store anything if the server rejects its attempts to login (it'll still send the crypt()ed password over the wire but that's less of an issue as it's a one way encryption).

Tony