We are soon moving to Kerberos authentication, so things will eventually look
like rsh again, but with K5 under the covers. This has the great advantage of
having no passwords floating around in the clear, and makes the access to
repositories straightforward. One need only add a principal's name to the
.k5login file, and not have to match users with originating machines.
We haven't been running cvs servers, but once we move to K5, we'll also add
pserver, for read-only access. I wouldn't use it for read-write due to
security concerns, unless you also use tcpwrappers to help control what hosts
are allowed in, modulo spoofing, of course.