Password authentication security -- CVS---Concurrent Versions System
4.5.2.3. Security considerations with password authentication
The passwords are stored on the client side (in the .cvspass file) in a
trivial encoding of the cleartext, and transmitted over the network in
the same encoding. The encoding is a fixed, keyless character
substitution. It is done only to prevent inadvertent password
compromises (i.e., a system administrator accidentally looking at the
file), and will not stop even a naive attacker from recovering the
password. Note also that the server accepts the encoded form directly,
so an attacker who obtains the encoded string from the file or from a
packet capture does not even need to decode it in order to authenticate.
The separate cvs password file (see Password authentication server)
allows people to use a different password for repository access than
for login access. On the other hand, once a user has access to the
repository, she can execute programs on the server system through a
variety of means (for example, by committing changes to the scripts run
from the administrative files in CVSROOT, such as commitinfo and
loginfo). Thus, repository access implies fairly broad system access as
well. It might be possible to modify cvs to prevent that, but no one
has done so as of this writing.
Furthermore, there may be other security problems with cvs; it is not a
simple program, and determining how people might use it to gain access
to a system is difficult.
In summary, anyone who gets the password gets repository access, and
some measure of general system access as well. The password is
available to anyone who can sniff network packets (pserver sends it
without encryption, normally on TCP port 2401) or read a protected
(i.e., user read-only) file such as .cvspass, which includes root on the
client machine and anyone with access to its backups. If you want real
security, get Kerberos (see the :gserver: and :kserver: access methods),
or run cvs over ssh using the :ext: method with CVS_RSH set to ssh.
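The following is an added example, not code from the CVS manual or from the CVS project. It illustrates the two points above: that the stored and transmitted forms of the password are the same keyless encoding, and that anyone who can read the .cvspass file or the network packets has everything needed to authenticate. It parses a constructed .cvspass line (the "/1" file format) and a constructed capture of the client side of the pserver authentication exchange (the BEGIN AUTH REQUEST block), shows that the password field is the identical opaque string in both, rebuilds the exact request bytes from the captured values, and checks .cvspass permission bits. The hostname, username, repository path and the password string are made up; the password string is not a real scramble of anything, and the scramble table itself (in CVS's scramble.c) is deliberately not reproduced, because none of this needs it.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Constructed sample of one ~/.cvspass line in the "/1" file format written
# by CVS 1.11 and later.  The leading "A" of the last field marks the
# scramble method; the rest is a made-up string, not a scramble of anything.
CVSPASS_TEXT = "/1 :pserver:alice@cvs.example.org:2401/usr/local/cvsroot Ay=0=h<Z\n"

# Constructed sample of the first bytes a pserver client sends, following
# the authentication exchange documented in cvsclient.texi.
CAPTURED_STREAM = (
    b"BEGIN AUTH REQUEST\n"
    b"/usr/local/cvsroot\n"
    b"alice\n"
    b"Ay=0=h<Z\n"
    b"END AUTH REQUEST\n"
    b"Root /usr/local/cvsroot\n"   # first ordinary request after "I LOVE YOU"
)

# Matches both the old ":pserver:user@host:/path blob" form and the
# "/1 :pserver:user@host:port/path blob" form.
_CVSPASS_RE = re.compile(
    r"^(?:/1 )?:pserver:(?P<user>[^@\s]+)@(?P<host>[^:\s]+):(?P<port>\d+)?"
    r"(?P<path>/\S*) (?P<blob>\S+)$"
)


def parse_cvspass(text: str) -> Dict[Tuple[str, str, str], str]:
    """Return {(user, host, repository path): stored password string}."""
    entries: Dict[Tuple[str, str, str], str] = {}
    for line in text.splitlines():
        m = _CVSPASS_RE.match(line.strip())
        if m:
            entries[(m["user"], m["host"], m["path"])] = m["blob"]
    return entries


def parse_pserver_auth(stream: bytes) -> Optional[Tuple[str, str, str]]:
    """Extract (repository, user, password string) from a captured client stream.

    Returns None unless the stream opens with an AUTH or VERIFICATION block.
    Nothing is decrypted: the fields travel as plain newline-separated lines,
    so a passive observer gets them by splitting on newlines.
    """
    lines = stream.split(b"\n")
    if len(lines) < 5:
        return None
    for kind in (b"AUTH", b"VERIFICATION"):
        if (lines[0] == b"BEGIN " + kind + b" REQUEST"
                and lines[4] == b"END " + kind + b" REQUEST"):
            root, user, blob = (l.decode("ascii", "replace") for l in lines[1:4])
            return root, user, blob
    return None


def build_auth_request(root: str, user: str, blob: str) -> bytes:
    """Assemble the AUTH block a client sends for these values.

    The password string goes on the wire unchanged, so a captured one can be
    resubmitted as-is: the scramble is neither secret nor needed.
    """
    body = "\n".join((root, user, blob)).encode("ascii")
    return b"BEGIN AUTH REQUEST\n" + body + b"\nEND AUTH REQUEST\n"


def stored_blob_is_sent_blob(cvspass_text: str, stream: bytes) -> bool:
    """True when the .cvspass entry and the wire capture carry the same string.

    No key, salt or challenge is involved, so reading either location is
    equivalent to having the password.
    """
    captured = parse_pserver_auth(stream)
    if captured is None:
        return False
    root, user, blob = captured
    return any(u == user and p == root and b == blob
               for (u, _host, p), b in parse_cvspass(cvspass_text).items())


def cvspass_mode_is_too_open(mode: int) -> bool:
    """True if group or other hold any permission bit on a .cvspass file.

    CVS creates the file 0600; anything wider lets more than the owner read
    the stored credential (root and backup operators always can).
    """
    return bool(mode & 0o077)


def check_cvspass_file(path: str = os.path.expanduser("~/.cvspass")) -> bool:
    """Stat a real .cvspass and report whether its mode is too open."""
    return cvspass_mode_is_too_open(os.stat(path).st_mode)
```

The useful observation is in stored_blob_is_sent_blob: it never decodes anything, yet it establishes that whoever read the file already holds exactly the bytes that build_auth_request will put on the wire. A detection rule for pserver traffic can likewise key on the literal BEGIN AUTH REQUEST line rather than on the password contents.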