Re: [Cvs-dev] Re: cvs-passwd patch


From: Mark D. Baushke
Subject: Re: [Cvs-dev] Re: cvs-passwd patch
Date: Mon, 25 Sep 2006 10:53:10 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Folks,

A few questions on security...

  1) How does a CVS administrator disable users changing passwords if
     that is their local policy?

  2) How does a CVS administrator ensure that the 'anonymous' login (if
     any) does not have the password changed by a malicious user? This
     same question may apply to other administrative accounts such as is
     used by the wandisco folks.

  3) How does a CVS administrator detect if someone is using a
     dictionary attack against :pserver: and what records, if any, are
     to be kept that a particular user did change their password?

I think the CVSNT folks would likely have some input on this situation
as they have had a method in place for changing a password for a long
time. Tony? Have you any wisdom for us?

I suspect that #1 will need to be addressed by Prasad's additions at
some point.

        Thanks,
        -- Mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFFGBeFCg7APGsDnFERAsFHAJ9G1FTULpHweA50585vZnFYCHOFfwCfasPt
kpt77RXx0ecSlwwPm/Oj1fs=
=tyKN
-----END PGP SIGNATURE-----



