Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Hi Richard,

First, let me say I'm no expert on sspi. The way I set it up was to not put the password in the login statement inside wincvs. When you first login you are prompted for the password. This password is encrypted and stored in the local registry. That way you don't have to login each time you start WinCVS. I don't know how strong or what type of encryption is used. Perhaps Tony or another developer can jump in here.

Also, I've used Ethereal to watch the TCP packets at the server end. The initial packets used to negotiate the connection are basically in plain text. However, the password is not. It is encrypted. The encrypted value is not the same as what is stored in the registry. Again, I didn't try to test the strength of the encryption. Once the initial negotiation is completed, all subsequent packets are completely encrypted if you have Require Encryption turned on at your server.

So the long and short of it, the password doesn't have to be and shouldn't be stored anywhere in clear text. The encryption is strong enough to stop a casual hack attempt. I don't know if it's strong enough to stop a determined attack.

My .02,
Rick

"Richard Kerry" <Richard.Kerry at bbc.co.uk> wrote in message news:mailman.79.1113327580.460.cvsnt at cvsnt.org...

I have a CVS system that I've so far been using sspi to access. My understanding of sspi is that it's the recommended method for an NT system. It requires the users either to have the same user-names on the server as they use on their local machines, or if not, that the username and password are included in plaintext within the CVSROOT string.

For mainly historical reasons our users generally log onto their local PCs and laptops with different user-names from the ones they use on the CVS server.
Of course they can connect to the server using sspi using the explicit username and password, but that seems to be a security risk as the server passwords are visible on many occasions, and stored in the recently-used CVSROOT lists in WinCvs and TortoiseCvs.

Could the list-users please recommend the best other choice for authentication/security. I know that ssh and ext are available and similar (ext being external ssh), and I'd appreciate advice on which is better.

Also I'd like pointers to the most complete instructions on how to set up the system. I've looked at the documents pointed to from the CvsNt and CvsGui home-pages, but the ssh sections tend to say 'consult your administrator', which is me. What do I need to know about getting other access methods working from the server's point of view?

Regards,
Appreciatively,
Richard.

PS. Apologies in advance for the very long signatures.

Richard Kerry
Colledia Control Engineer
Siemens Business Services - Solutions Division
(Formerly BBC Technology Ltd)
Room 457 Design Building, BBC Television Centre, Wood Lane, London, W12 7RJ
T: +44 (0)20 82259063
F: +44 (0)20 8576 8182
M: +44 (0)7973 817745
Email: richard.kerry at bbc.co.uk
Website: www.siemens.co.uk/sbs www.siemens.co.uk/sbsmedia
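
The concern raised in the thread, a password carried in plaintext inside the CVSROOT string and then kept in recently-used lists, can be checked for mechanically. The following is an added example and not part of either post or of CVSNT itself; it assumes a CVSROOT layout of `:method[;options]:[user[:password]@]host[:port][:]/path`, one value per input line, and all hosts, users and passwords in it are constructed.

```python
import re

# Assumed layout: :method[;options]:[user[:password]@]host[:port][:]/path
# The last '@' is taken as the separator, so passwords containing '@' are handled.
CVSROOT_RE = re.compile(
    r"^:(?P<method>\w+)(?P<opts>(?:;[^:]*)?):"
    r"(?:(?P<user>[^:@]+)(?::(?P<password>.*))?@)?"
    r"(?P<rest>[^@]+)$"
)


def redact_cvsroot(root):
    """Return (safe_string, has_password) for one CVSROOT value."""
    value = root.strip()
    m = CVSROOT_RE.match(value)
    if not m or not m.group("password"):
        return value, False
    safe = ":{method}{opts}:{user}:***@{rest}".format(**m.groupdict())
    return safe, True


def audit(lines):
    """Report which lines embed a password, without echoing the password.

    `lines` is any iterable of CVSROOT strings, for example an exported
    recently-used list (hypothetical input). Returns a list of
    (line_number, redacted_cvsroot) tuples, numbered from 1.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        safe, has_password = redact_cvsroot(line)
        if has_password:
            findings.append((number, safe))
    return findings


# Constructed sample values (not taken from the thread).
SAMPLES = [
    ":sspi:cvsuser:S3cr@t!@cvs.example.test:/repo",  # password embedded
    ":sspi:cvs.example.test:/repo",                  # current Windows login used
    ":ext:alice@cvs.example.test:/repo",             # user name only
]

if __name__ == "__main__":
    for line_number, redacted in audit(SAMPLES):
        print(f"line {line_number}: embedded password in {redacted}")
```
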