[cvsnt] Re: SSPI Authentication Lifetime?
Tony Hoyle
tmh at nodomain.org
Sun Aug 8 21:41:22 BST 2004
Jon McLin wrote:
> When a user authenticates to CVS using SSPI, what determines the
> lifetime of the authentication? We have observed what seems to be a
> security issue with respect to this, so I am trying to understand the
> behavior.
There is no lifetime as such; it's just the permissions of the logged-on
user defined by the system.
> since the user logged into the PC did not have CVS privileges. The
> first time he connected, a password dialog appeared. Subsequent
> invocations do not result in a password dialog. This behavior persists
> even though the non-privileged user has logged off of the machine, and
> back on.
This sounds like a client issue. CVSNT does not issue password dialogs
(except the proxy, and that's only for the lifetime of the login session
and isn't usually used for SSPI).
You should never get any kind of password prompt for SSPI as it uses the
logged-in credentials.
> Why does this occur? What is the lifetime and scope of an
> authentication in CVSNT? Is there a way to forcibly terminate these
> privileges?
This isn't a CVSNT issue - you have configured your software to ask for
passwords and store them... this isn't a good idea in a secure environment.
Tony