[cvsnt] Re: Authentication - Next best alternative to sspi

Rick Martin rsmandcam at _NoSpam_At_All_sbcglobal.net
Thu Apr 14 21:15:40 BST 2005




Hi Richard,

First, let me say I'm no expert on sspi.  The way I set it up was to not put 
the password in the login statement inside wincvs. When you first login you 
are prompted for the password. This password is encrypted and stored in the 
local registry. That way you don't have to login each time you start WinCVS. 
I don't know how strong or what type of encryption is used. Perhaps Tony or 
another developer can jump in here.
Also, I've used Ethereal to watch the TCP packets at the server end. The 
initial packets used to negotiate the connection are basically in plain 
text. However, the password is not. It is encrypted. The encrypted value is 
not the same as what is stored in the registry. Again, I didn't try to test 
the strength of the encryption.
Once the initial negotiation is completed, all subsequent packets are 
completely encrypted if you have Require Encryption turned on at your server.
So the long and short of it, the password doesn't have to be and shouldn't 
be stored anywhere in clear text. The encryption is strong enough to stop a 
casual hack attempt. I don't know if it's strong enough to stop a determined 
attack.

My .02,
Rick

"Richard Kerry" <Richard.Kerry at bbc.co.uk> wrote in message 
news:mailman.79.1113327580.460.cvsnt at cvsnt.org...

I have a CVS system that I've so far been using sspi to access.
My understanding of sspi is that it's the recommended method for an NT 
system.  It requires the users either to have the same user-names on the 
server as they use on their local machines, or if not, that the username and 
password are included in plaintext within the CVSROOT string.
For mainly historical reasons our users generally log onto their local PCs 
and laptops with different user-names from the ones they use on the CVS 
server.  Of course they can connect to the server using sspi using the 
explicit username and password, but that seems to be a security risk as the 
server passwords are visible on many occasions, and stored in the 
recently-used CVSROOT lists in WinCvs and TortoiseCvs.

Could the list-users please recommend the best other choice for 
authentication/security.  I know that ssh and ext are available and similar 
(ext being external ssh), and I'd appreciate advice on which is better. 
Also I'd like pointers to the most complete instructions on how to set up 
the system.  I've looked at the documents pointed to from the CvsNt and 
CvsGui home-pages, but the ssh sections tend to say 'consult your 
administrator', which is me.  What do I need to know about getting other 
access methods working from the server's point of view?

Regards, Appreciatively,
Richard.

PS.  Apologies in advance for the very long signatures.
Richard Kerry
Colledia Control Engineer
Siemens Business Services - Solutions Division (Formerly BBC Technology Ltd)
Room 457 Design Building, BBC Television Centre, Wood Lane, London, W12 7RJ
T: +44 (0)20 82259063 F: +44 (0)20 8576 8182 M: +44 (0)7973 817745
Email: richard.kerry at bbc.co.uk
Website:  www.siemens.co.uk/sbs    www.siemens.co.uk/sbsmedia
This e-mail contains confidential information and is for the exclusive use 
of the addressee/s.  If you are not the addressee, then any distribution, 
copying or use of this e-mail is prohibited. If received in error, please 
advise the sender and delete it immediately.  We accept no liability for any 
loss or damage suffered by any person arising from use of this e-mail.

Siemens Business Services Limited
Registered No: 1203466 England
Registered Office: Siemens House, Oldbury, Bracknell, Berkshire, RG12 8FZ



http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain
personal views which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the
BBC monitors e-mails sent or received.
Further communication will signify your consent to this. 
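
Added example, not part of the original thread or of CVSNT: a small audit for the risk raised in the question, a password embedded in a CVSROOT string that ends up in saved connection lists. It assumes the common CVSROOT shape :method:[user[:password]@]host:/path; the function name, the sample lines and the host cvs.example.org are constructed for illustration.

```python
import re

# Assumed CVSROOT shape: :method:[user[:password]@]host[:port]/path
# The optional user group only matches when an '@' follows it, so a plain
# ":sspi:host:/repo" is not mistaken for a user:password pair.
# Limitation: a repository path that itself contains '@' can be misread.
CVSROOT_RE = re.compile(
    r":(?P<method>[A-Za-z]+):"
    r"(?:(?P<user>[^:@\s]+)(?::(?P<password>[^@\s]+))?@)?"
    r"(?P<rest>[^\s\"']+)"
)


def audit_cvsroots(text):
    """Return (line number, method, user, redacted CVSROOT) for every
    CVSROOT in `text` that carries an embedded password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CVSROOT_RE.finditer(line):
            if m.group("password"):
                # Never echo the secret itself into the report.
                redacted = ":{}:{}:***@{}".format(
                    m.group("method"), m.group("user"), m.group("rest"))
                findings.append(
                    (lineno, m.group("method"), m.group("user"), redacted))
    return findings


# Constructed sample: lines as they might appear in an exported list of
# recently used CVSROOT strings (not a real WinCvs or TortoiseCvs format).
SAMPLE = """\
recent1=:sspi:rkerry:Hunter2pw@cvs.example.org:/repo
recent2=:sspi:cvs.example.org:/repo
recent3=:sspi:builduser@cvs.example.org:/repo
recent4=:pserver:alice:s3cret@cvs.example.org:2401/src
"""

if __name__ == "__main__":
    for lineno, method, user, redacted in audit_cvsroots(SAMPLE):
        print("line {}: {} login for {} embeds a password: {}".format(
            lineno, method, user, redacted))
```

Only the first and fourth sample lines are reported; the forms without a password, where the client prompts at login instead, pass clean.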




