Here is an explanation (excerpted from a longer story) from Tony Waite on what happens during a cvs transaction:
To see why it works, I'll describe how a single CVS transaction proceeds:
The CVS client contacts SLAC using SSH .
SLAC challenges the connection using RSA protocol (it sends the client some arbitrary string and says, essentially, "encrypt this").
The client, before encryting the transmission using the user's private key, looks to confirm the identity of the user by challenging the user for his/her pass-phrase. But wait! This user's pass-phrase is blank! OK, skip challenging the user. Encrypt the SLAC server's transmission and send it back.
SLAC decrypts the transmission using the user's public key, if it matches, the CVS client is in! From now on, the CVS client and CVS server daemon can talk to each other and do whatever they need to do.
Notice that this never did satisfy the second security condition
[SLAC accounts use AFS kerberos for validation. Ed.], but it didn't need to! The repository is in NFS space and no AFS token is
required. Notice also that at no point was the user prompted for a password (or pass-phrase).
Cool. Prompt free CVS access in client/server mode. Unfortunately there are some side-effects. Now that a user is set up with an RSA key pair,
it's possible to do an RSA authentication by accident. Suppose I'm on computer A outside the SLAC firewall and I SSH to a unix host inside the
SLAC firewall. RSA authentication is performed before password prompting. The RSA authentication succeeds. Now the user has made it past the
first security condition without ever issuing a password and ends up in a session
but without an AFS token. Easily solved of course, just issue a klog command! But I regard that as conflicting with my boundary
condition (4), i.e. meeting CVS requirements has added to the user workload when logging in normally. That's what the shard of script in
the user's login file is for. It detects the fact that the user has made it that far without an AFS token and issues the klog challenge automatically.
That slides under the wire of boundary condition (4), because of the irreducible rule: "Need an AFS token? Type a password". The only real
difference the user might notice is that the password prompt is issued at a different point during the login.
R.Dubois Last Modified: 12/13/2000 10:45