The :pserver: protocol first appeared as the authentication extension
to the client-server protocol, and is now one of the most popular ways
to set up a CVS server. However, there are several deficiencies in
:pserver: that make it extremely insecure if used carelessly.
The primary source of insecurity is that passwords are transmitted in clear
text over the (untrusted) network, allowing the attacker to sniff the
The :pserver: protocol by default uses TCP port 2401.
It must be said, however, that :pserver: could be wrapped in SSL
(Secure Sockets Layer), thus eliminating this danger and bringing
:pserver: back to usability. Plain unprotected :pserver:
should be used only in fully trusted networks, or for unimportant tasks
such as anonymous access to the repository.
The whole purpose of :pserver: is to transfer from the client to
the remote server three things: username, password, and directory where
The protocol front-end for :pserver: is called `cvs-pserver'. It takes
the following command line arguments:

    cvs-pserver /repos1 ... /reposN -- checkpassword ...

/repos1 ... /reposN is the list of repositories that are served by that
particular server. The end of this list is marked with --. If the client
specifies a repository not in that list, authentication fails, and no
checkpassword program is run. The end-of-list marker is followed by the
name of the password-checking program, with its own arguments.
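
The argument handling described above, as an added example in Python (not cvs-pserver's own code): it splits the command line at --, parses a client authentication request, and refuses an unlisted repository before any password-checking program is selected. Exact string matching of repository paths is an assumption, the BEGIN/END AUTH REQUEST framing is the standard CVS pserver request, and the sample paths, user name and password field are constructed.

```python
# Added illustration, not cvs-pserver's source. Exact string matching of
# repository paths is an assumption; the wire framing is the standard CVS
# pserver authentication request.

def split_args(argv):
    """Split '/repos1 ... /reposN -- checkpassword ...' at the first '--'."""
    if "--" not in argv:
        raise ValueError("missing '--' end-of-list marker")
    i = argv.index("--")
    repos, checker = argv[:i], argv[i + 1:]
    if not repos:
        raise ValueError("no repositories listed")
    if not checker:
        raise ValueError("no password-checking program given")
    return repos, checker


def parse_auth_request(data):
    """Return (repository, username, password field) from a pserver request."""
    lines = data.decode("ascii", errors="replace").split("\n")
    # A well-formed request is exactly five LF-terminated lines.
    if len(lines) != 6 or lines[5] != "":
        raise ValueError("malformed request")
    if lines[0] != "BEGIN AUTH REQUEST" or lines[4] != "END AUTH REQUEST":
        raise ValueError("malformed request")
    return lines[1], lines[2], lines[3]


def decide(argv, data):
    """Return ('check', checker_argv, user) or ('reject', reason, None).

    The checker is only selected, never executed, in this sketch.
    """
    repos, checker = split_args(argv)
    try:
        repo, user, _password = parse_auth_request(data)
    except ValueError as exc:
        return ("reject", str(exc), None)
    if repo not in repos:  # not served here: fail before any password check
        return ("reject", "repository not served", None)
    return ("check", checker, user)


# Constructed sample input: paths, user name and password field are made up.
ARGV = ["/repos1", "/repos2", "--", "checkpassword", "arg"]
GOOD = b"BEGIN AUTH REQUEST\n/repos1\nalice\nAxyz\nEND AUTH REQUEST\n"
BAD = b"BEGIN AUTH REQUEST\n/repos9\nalice\nAxyz\nEND AUTH REQUEST\n"
```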