

Basic information about :pserver: protocol

The :pserver: protocol first appeared as an authentication extension to the client-server protocol, and is now one of the most popular ways to set up a CVS server. However, :pserver: has several deficiencies that make it extremely insecure if used carelessly. The primary source of insecurity is that passwords are transmitted in clear text over the (untrusted) network, allowing an attacker to sniff them.

The :pserver: protocol uses TCP port 2401 by default.

It must be said, however, that :pserver: can be wrapped in SSL (Secure Sockets Layer), which eliminates this danger and makes :pserver: usable again. Plain unprotected :pserver: should be used only on fully trusted networks, or for unimportant tasks such as anonymous access to a repository.

The whole purpose of :pserver: is to transfer three things from the client to the remote server: the username, the password, and the directory where the repository resides.

The protocol front-end for :pserver: is called `cvs-pserver'. It takes the following command line arguments:

cvs-pserver /repos1 ... /reposN -- checkpassword ...

Here /repos1 ... /reposN is the list of repositories served by that particular server. The end of this list is marked with --. If the client specifies a repository that is not in the list, authentication fails and no checkpassword program is run. The end-of-list marker is followed by the name of the password-checking program, with its own arguments.
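
The rule above can be sketched in C as follows. This is an added illustration, not code from cvs-pserver itself: the function names are hypothetical, and the exact string comparison and the refusal of a command line with no -- marker, no repositories or no checker are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Index of the "--" end-of-list marker in argv, or -1 if it is missing. */
static int find_marker(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--") == 0)
            return i;
    return -1;
}

/*
 * Hypothetical helper: decide what to do with a client request for the
 * repository `requested`. Returns NULL when authentication must fail
 * without running anything:
 *   - no "--" marker, an empty repository list, or no checker after it;
 *   - the requested repository is not byte-for-byte in the served list.
 * Otherwise returns the argv slice that starts at the checkpassword
 * program (NULL-terminated like argv, so it could be passed to execvp()).
 */
char **select_checker(int argc, char **argv, const char *requested)
{
    int marker = find_marker(argc, argv);
    if (marker < 2 || marker + 1 >= argc || requested == NULL)
        return NULL;
    for (int i = 1; i < marker; i++)
        /* Exact match only: no prefix match, no path normalisation. */
        if (strcmp(argv[i], requested) == 0)
            return &argv[marker + 1];
    return NULL;
}

int main(void)
{
    /* Constructed sample command line in the format shown above. */
    char *args[] = {"cvs-pserver", "/repos1", "/repos2", "--", "checkpassword", NULL};
    const char *asked[] = {"/repos2", "/repos3"};
    for (int i = 0; i < 2; i++) {
        char **checker = select_checker(5, args, asked[i]);
        printf("%s: %s\n", asked[i], checker ? checker[0] : "authentication fails");
    }
    return 0;
}
```

Because the repository is checked before the checker is selected, a request for an unlisted path never reaches the password-checking program, and a near-miss such as /repos1/../repos2 is refused rather than normalised.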

