(cvs.info.gz) Password authentication security

 2.9.4.3 Security considerations with password authentication
 ............................................................
 
 The passwords are stored on the client side in a trivial encoding of
 the cleartext, and transmitted in the same encoding.  The encoding is
 done only to prevent inadvertent password compromises (i.e., a system
 administrator accidentally looking at the file), and will not prevent
 even a naive attacker from gaining the password.
 
 The separate CVS password file (*note Password authentication
 server::) allows people to use a different password for repository
 access than for login access.  On the other hand, once a user has
 non-read-only access to the repository, she can execute programs on the
 server system through a variety of means.  Thus, repository access
 implies fairly broad system access as well.  It might be possible to
 modify CVS to prevent that, but no one has done so as of this writing.
 
    Note that because the `$CVSROOT/CVSROOT' directory contains `passwd'
 and other files which are used to check security, you must control the
 permissions on this directory as tightly as the permissions on `/etc'.
 The same applies to the `$CVSROOT' directory itself and any directory
 above it in the tree.  Anyone who has write access to such a directory
 will have the ability to become any user on the system.  Note that
 these permissions are typically tighter than you would use if you are
 not using pserver.
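 The permission requirement above can be checked mechanically.  The
 following script is an added example, not part of the CVS manual or
 the CVS sources: it walks from `$CVSROOT/CVSROOT' up to `/' and reports
 any directory that is group- or world-writable or not owned by an
 administrator.  The path `/srv/cvs' and the trusted uid `0' are
 assumptions; adjust them for your site.

```python
import os
import stat
from pathlib import Path

# Added example (not from the CVS manual): audit the directories pserver trusts.
# Assumption: CVSROOT is a local path such as /srv/cvs; trusted_uids defaults to root.

def ancestors_to_root(path):
    """Yield the given directory (symlinks resolved) and every directory above it, up to '/'."""
    p = Path(path).resolve()
    while True:
        yield p
        if p.parent == p:
            break
        p = p.parent

def check_dir_mode(mode, uid, trusted_uids=(0,)):
    """Return the problems with a directory's st_mode/st_uid, or [] if it is as
    tight as /etc should be: owned by an administrator and not writable by group
    or others.  A writable ancestor lets a local user replace CVSROOT/passwd."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if uid not in trusted_uids:
        problems.append("owned by untrusted uid %d" % uid)
    return problems

def audit_cvsroot(cvsroot, trusted_uids=(0,), stat_fn=os.stat):
    """Map each offending directory from $CVSROOT/CVSROOT up to '/' to its problems.
    stat_fn is injectable so the check can also run against recorded stat data."""
    findings = {}
    for d in ancestors_to_root(Path(cvsroot) / "CVSROOT"):
        st = stat_fn(d)
        probs = check_dir_mode(st.st_mode, st.st_uid, trusted_uids)
        if probs:
            findings[str(d)] = probs
    return findings

if __name__ == "__main__":
    root = os.environ.get("CVSROOT")  # e.g. /srv/cvs (assumed layout)
    if root:
        for path, probs in audit_cvsroot(root).items():
            print("%s: %s" % (path, ", ".join(probs)))
```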
 
    In summary, anyone who gets the password gets repository access
 (which may imply some measure of general system access as well).  The
 password is available to anyone who can sniff network packets or read a
 protected (i.e., user read-only) file.  If you want real security, get
 Kerberos.
 