2.9.4 Direct connection with GSSAPI
GSSAPI is a generic interface to network security systems such as Kerberos 5. If you have a working GSSAPI library, you can have CVS connect via a direct TCP connection, authenticating with GSSAPI.
To do this, CVS needs to be compiled with GSSAPI support; when configuring CVS it tries to detect whether GSSAPI libraries using Kerberos version 5 are present. You can also use the ‘--with-gssapi’ flag to configure.
The connection is authenticated using GSSAPI, but the message stream is not authenticated by default. You must use the -a global option to request stream authentication.
The data transmitted is not encrypted by default. Encryption support must be compiled into both the client and the server; use the ‘--enable-encrypt’ configure option to turn it on. You must then use the -x global option to request encryption.
GSSAPI connections are handled on the server side by the same server which handles the password authentication server; see Setting up the server for password authentication. If you are using a GSSAPI mechanism such as Kerberos which provides for strong authentication, you will probably want to disable the ability to authenticate via cleartext passwords. To do so, create an empty ‘CVSROOT/passwd’ password file, and set SystemAuth=no in the config file (see section The CVSROOT/config configuration file).
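One way to check a server repository for the two settings described above, as an added example that is not part of the CVS manual or the CVS distribution. The function name audit_gserver_root and its repository-path argument are hypothetical, and the check is deliberately strict: it fails if any uncommented SystemAuth line is set to something other than no.

```shell
#!/bin/sh
# Added example: audit a repository for the gserver hardening described
# in the text. audit_gserver_root is a hypothetical helper name.

# audit_gserver_root REPO
# Prints one finding per line. Returns 0 only when cleartext password
# authentication is disabled the way the text describes.
audit_gserver_root() {
    repo=$1
    passwd_file=$repo/CVSROOT/passwd
    config_file=$repo/CVSROOT/config
    rc=0

    # The text asks for an *empty* passwd file: any non-blank line is an
    # account that can still authenticate with a cleartext password.
    if [ ! -f "$passwd_file" ]; then
        echo "FAIL: $passwd_file is missing (create it empty)"; rc=1
    elif grep -q '[^[:space:]]' "$passwd_file"; then
        echo "FAIL: $passwd_file still contains password entries"; rc=1
    else
        echo "ok:   $passwd_file is empty"
    fi

    # SystemAuth=no must be present and uncommented; a commented-out line
    # leaves the default (fall back to system passwords) in force.
    if [ ! -f "$config_file" ]; then
        echo "FAIL: $config_file is missing"; rc=1
    elif grep '^SystemAuth=' "$config_file" |
         grep -qv '^SystemAuth=no[[:space:]]*$'; then
        echo "FAIL: $config_file sets SystemAuth to a value other than no"; rc=1
    elif grep -q '^SystemAuth=no[[:space:]]*$' "$config_file"; then
        echo "ok:   $config_file sets SystemAuth=no"
    else
        echo "FAIL: $config_file does not set SystemAuth=no"; rc=1
    fi

    return $rc
}

# When run as a script with a repository path, audit that repository.
if [ "$#" -gt 0 ]; then
    audit_gserver_root "$1"
fi
```

Run it on the server against the repository root, for example the /usr/local/cvsroot path used in the ‘:gserver:’ example.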
The GSSAPI server uses a principal name of cvs/hostname, where hostname is the canonical name of the server host. You will have to set this up as required by your GSSAPI mechanism.
To connect using GSSAPI, use the ‘:gserver:’ method. For example,
cvs -d :gserver:faun.example.org:/usr/local/cvsroot checkout foo