[cvsnt] Re: Authentication - Next best alternative to sspi
Rick Martin
rsmandcam at _NoSpam_At_All_sbcglobal.net
Thu Apr 14 22:10:53 BST 2005
Thanks for the info, Tony.
Rick
"Tony Hoyle" <tmh at nodomain.org> wrote in message
news:d3mknb$rah$1 at paris.nodomain.org...
> Rick Martin wrote:
>> First, let me say I'm no expert on sspi. The way I set it up was to not
>> put the password in the login statement inside wincvs. When you first
>> login you are prompted for the password. This password is encrypted and
>> stored in the local registry. That way you don't have to login each time
>> you start WinCVS. I don't know how strong or what type of encryption is
>> used. Perhaps Tony or another developer can jump in here.
>
> The encryption in the registry is pretty weak (it's the same encryption
> that pserver uses) but it's pretty hard to steal data out of a registry
> unless you're already authenticated as the user or an administrator (in
> both cases if a blackhat gets that far the cvs password is the least of
> your problems).
>
>> Also, I've used Ethereal to watch the TCP packets at the server end. The
>> initial packets used to negotiate the connection are basically in plain
> text. However, the password is not. It is encrypted. The encrypted value
>> is not the same as what is stored in the registry. Again, I didn't try to
>> test the strength of the encryption.
>
> It's defined by Microsoft. NTLMv2 (which anything newer than NT4 will
> use) is pretty hard to crack. Not impossible, I'm told. If you are logged
> onto an active directory it uses Kerberos which is as good as impossible
> to crack.
>
> Tony