I would be nice if CVS supported PAM. In my setup, all password authentication is referred to our NT domain controllers (via the pam_smb module). Unfortunately, cvs' pserver doesn't support this.
Like Samba, the CVS protocol doesn't send an unencrypted password (you can see this by cat'ing the contents of your .cvspass file, which contains the data CVS sends). This means that support for PAM on the server wouldn't help much, as most PAM modules require a plaintext password to be useful.