Your question is more complex than it first appears.
i) the answer depends on which version of CVS server and client you are
using, and potentially the operating system of each. Eg: CVSNT 2.8.01
on Red Hat Linux server is different to CVS 1.11.
ii) there are several different authentication protocols - the most
secure do not use any passwords sent in clear text like passwd/pserver
does. Eg: gserver, sspi, ssh (with keys), sserver (with keys) etc. For
'native' authentication you don't 'add users' to cvs, you add them to
the host operating system. Depending on the version of CVS you may be
able to use CVSROOT/passwd to 'restrict' access to CVS to some host
iii) the passwd file is primarily used by pserver protocol. Generally
as a rule of thumb, the pserver protocol is insecure and rarely
iv) if you are using pserver, you can use 'native' authentication (again
no need to add anything to CVSROOT/passwd) using SystemAuth=yes in
CVSROOT/config or you can use non-native authentication using
v) if you are using pserver, with non-native authentication and CVS 1.11
then you can either add passwd directly to the CVSROOT directory in the
server, or you can 'checkout' CVSROOT and add passwd to 'checkoutlist'
and the CVSROOT directory and 'commit' it. To generate the passwords
you'll need some tool that generates Linux passwords.
vi) if you are using pserver, with non-native authentication and CVSNT
2.5 or later on Linux or Windows then you can use 'cvs passwd' from the
client or the server.
Implementing CVS well takes some work - I recommend you get a good book
on the subject from Amazon or your favourite technical books seller. I
had a hand in writing 'All About CVS' or there is the ever popular
'Essential CVS' or many many others.
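
Added example, not part of the original reply: a small audit of the two files discussed in points iv) and v), flagging CVSROOT/passwd entries with an empty or DES-crypt password field and reporting whether CVSROOT/config leaves SystemAuth enabled. The sample file contents and hashes are constructed, and the function names are hypothetical.

```python
# Added illustration: audit pserver-related settings in a CVS repository.
# File contents below are constructed samples; hashes are placeholders.
SAMPLE_PASSWD = (
    "alice:$1$saltsalt$0123456789abcdefghijkl:cvsuser\n"
    "bob:abJnggxhB/yJU:cvsuser\n"
    "anonymous::cvsanon\n"
)
SAMPLE_CONFIG = "# constructed sample CVSROOT/config\nSystemAuth=yes\n"


def audit_passwd(text):
    """Return (line, user, finding) for risky CVSROOT/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ":" not in line:
            continue  # blank or malformed line, nothing to evaluate
        # Format: username:crypted-password[:system-user]
        fields = line.strip().split(":")
        user, crypted = fields[0], fields[1]
        if crypted == "":
            # An empty field means any password is accepted for this user.
            findings.append((lineno, user, "empty-password"))
        elif len(crypted) == 13 and not crypted.startswith("$"):
            # 13 characters without a $ prefix is traditional DES crypt.
            findings.append((lineno, user, "des-crypt-hash"))
    return findings


def system_auth_enabled(config_text):
    """True if pserver may fall back to host OS accounts."""
    value = "yes"  # assumption: CVS 1.11 default when the key is absent
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key.strip() == "SystemAuth":
            value = val.strip().lower()
    return value == "yes"


if __name__ == "__main__":
    for lineno, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd line {lineno}: {user}: {finding}")
    if system_auth_enabled(SAMPLE_CONFIG):
        print("config: SystemAuth=yes, host passwords are exposed to pserver")
```

With SystemAuth=yes, a pserver login for a user missing from CVSROOT/passwd is checked against the host account, so the host password travels over the same insecure channel.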