I would be nice if CVS supported PAM.
In my setup, all password authentication is referred to our NT
domain controllers (via the pam_smb module). Unfortunately,
cvs' pserver doesn't support this.
Like Samba, the CVS protocol doesn't send an unencrypted
password (you can see this by cat'ing the contents of your
.cvspass file, which contains the data CVS sends). This means
that support for PAM on the server wouldn't help much, as most
PAM modules require a plaintext password to be useful.