[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: about cvs password
|
From: |
Mark D. Baushke |
|
Subject: |
Re: about cvs password |
|
Date: |
Fri, 03 Mar 2006 16:48:12 -0800 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PJP <address@hidden> writes:
> Hello there,
> I know this is a very trivial question to ask here, but still...,
> 1. Can a cvs user change her password using cvsclient
> (command line client)?
I presume you mean the password used by the :pserver: protocol? If true,
the no cvs does not provide a way to modify the $CVSROOT/passwd file or
to connect to the PAM server if that is how the user passwords are being
resolved.
> 2. If cann't, why ??
For one thing, there is no tcp security against injection attacks. So,
there is no secure way that CVS could protect against someone hacking
into the running TCP connection and changing your password. Any
eavesdropper on the connection can already steal your password in any
case.
In addition, for :pserver: the password travels in the clear from the
client to the server. If you want security, then use :ext: and manage
passwords using normal host-provided utilities. Anyone who thinks that a
:pserver: password is safe and that changing the password is worthwhile
is kidding themselves.
All that said, I believe that CVSNT has lots of different ways to manage
passwords and they may have just the thing you want. It is also GPL open
source and runs on most of the hardware that CVS runs.
Enjoy!
-- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQFECOPMCg7APGsDnFERAo1RAJ9aiEwo565ZvR7nz+mFycG0nC8gHQCggeYy
euxUsgVaG/nxnUlAucGDMGw=
=6qbr
-----END PGP SIGNATURE-----