8.5 The gserver Access Method

The gserver access method uses the GSS-API (Generic Security Service Application Programming Interface) to support authentication and encryption of the CVS connection. The GSS-API in itself does not authenticate or encrypt the connection; these processes are performed by an authentication or encryption system configured to work with the GSS-API. The most common system used with the GSS-API is Kerberos 5.

The GSS-API is explained in RFC 2743, available at http://www.ietf.org/rfc/rfc2743.txt. RFC 1964 explains how the GSS-API interacts with Kerberos 5. To use Kerberos 5 with CVS, use the GSS-API and the gserver access method. Kerberos 4 is used with the kserver access method, explained in the next section.

The repository path format for the GSS-API is:

:gserver:[user@]hostname[:[port]]/path

The default port for gserver is 2401. If user is not specified, the client sends the username of the calling user on the client computer.

The CVS client and server must both be compiled with GSS-API support. If you intend to encrypt the data stream, encryption must also be enabled at compile time. You can test whether your CVS program was compiled with GSS-API support by attempting to check out a sandbox. Example 8-8 shows the result when CVS does not support the GSS-API.

Example 8-8. Testing for gserver mode
bash-2.05a$ cvs -d :gserver:cvs:/var/lib/cvs checkout wizzard
cvs checkout: CVSROOT is set for a GSS-API access method but your
cvs checkout: CVS executable doesn't support it.
cvs [checkout aborted]: Bad CVSROOT: `:gserver:cvs:/var/lib/cvs'.

You can test for encryption support by checking the options list, as shown in Example 8-9.

Example 8-9. Checking for encryption
bash-2.05a$ cvs --help-options 
CVS global options (specified before the command name) are:
.
.
.
    -x           Encrypt all net traffic.
.
.
.
(Specify the --help option for a list of other help options)

To recompile CVS to support the GSS-API, follow the instructions given below. A more detailed discussion on installing from source is provided in Chapter 2, but the examples in that discussion do not include the GSS-API.

You need to use the --with-gssapi[=directory] option to configure CVS to use the GSS-API. If you want encryption, use --enable-encrypt as well.

Check your INSTALL file for the exact syntax of configuration options in your version of CVS.

On some operating systems, the GSS-API is installed automatically. If that's the case with your system, you may need to use --without-gssapi if you don't also have Kerberos 5 available.

To compile CVS with GSS-API support:

  1. Ensure that your computer has an installation of both the GSS-API and Kerberos 5, with the header files.

  2. cd to the CVS source directory.

  3. Run make distclean to remove any cached configuration information or other remnants of previous compilations.

  4. Run configure with the arguments you need. To configure CVS for the GSS-API, you need --with-gssapi[=header files]. To enable encryption, use --enable-encrypt. The header files argument to --with-gssapi should be the path of the GSS_API directory that contains libraries and include files (or a directory above that directory).

  5. Run make.

  6. Change user to root or another privileged user.

  7. Run make install.

Check the output of configure carefully to ensure that CVS read the GSS-API include files. The output from configure is saved in config.log.

Using the GSS-API, CVS can authenticate and encrypt the data stream, but it does not do these things by default. Use the -a CVS option to authenticate the data stream, and use the -x CVS option to encrypt it. You may want to include these options in your .cvsrc file. For example, to both authenticate and encrypt the data stream, place the following in .cvsrc:

cvs -ax
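
As an added example (not from the book), the shell functions below parse a root in the :gserver:[user@]hostname[:[port]]/path format given earlier and read the cvs line of a .cvsrc to report whether -a and -x are set. The function names and the sample .cvsrc are constructed for illustration.

```sh
# Added example, not from the book. Function names are illustrative.
# Print "user host port path" for a :gserver: root; fail if it is malformed.
# A user of "-" means none was given: the client sends the local login name.
parse_gserver_root() (
  case $1 in :gserver:*/*) ;; *) return 1 ;; esac
  rest=${1#:gserver:}
  hostpart=${rest%%/*}; user=-; port=2401
  case $hostpart in *@*) user=${hostpart%%@*}; hostpart=${hostpart#*@} ;; esac
  host=${hostpart%%:*}
  case $hostpart in *:?*) port=${hostpart#*:} ;; esac  # "host:" keeps 2401
  case $port in *[!0-9]*) return 1 ;; esac
  [ -n "$host" ] && [ -n "$user" ] || return 1
  printf '%s %s %s %s\n' "$user" "$host" "$port" "/${rest#*/}"
)

# Print "auth=<yes|no> enc=<yes|no>" from the global-options ("cvs") line of a
# .cvsrc. Letters that take an argument (-d -e -s -T -z) end a bundle.
cvsrc_stream_flags() (
  file=$1; auth=no; enc=no
  set -f                                # no globbing while splitting words
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line
    [ "${1-}" = cvs ] || continue
    shift
    for tok; do
      case $tok in -[!-]*) tok=${tok#-} ;; *) continue ;; esac
      while [ -n "$tok" ]; do
        case $tok in
          a*) auth=yes ;;
          x*) enc=yes ;;
          [desTz]*) break ;;
        esac
        tok=${tok#?}
      done
    done
  done < "$file"
  echo "auth=$auth enc=$enc"
)

# Neither protection is on by default, so report both beside the parsed root.
audit_gserver() (
  parsed=$(parse_gserver_root "$1") || { echo "not a gserver root: $1"; return 1; }
  echo "$parsed $(cvsrc_stream_flags "$2")"
)

sample=$(mktemp)   # constructed .cvsrc: -a set, -x missing
printf 'cvs -q -a\ndiff -u\n' > "$sample"
audit_gserver ':gserver:cvs:/var/lib/cvs' "$sample"
rm -f "$sample"
```

Run against the constructed sample, it reports the default port 2401 and shows that -x is missing.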

To support the gserver access method, CVS needs to run a server on the computer that hosts the repository. CVS uses most of the same code to support the gserver and pserver methods. To configure the repository to run the CVS server, edit inetd.conf and add cvs pserver (not gserver). See Section 8.8 of this chapter for more information on this configuration.

Install and configure Kerberos 5, per the instructions for your Kerberos system. The principal name for CVS is cvs/HOSTNAME, where HOSTNAME is the canonical name of the host.

CVS 1.11.2 has a bug in its GSS-API code. It fails to connect and produces the following error message whenever it attempts to connect to a GSS-API server: cvs [import aborted]: gserver currently only enabled for socket connections.

Later versions do not have this problem, and there is a patch for 1.11.2 in the archives of the info-cvs mailing list.

The extent to which the GSS-API is secure depends on the particular system you choose and whether you choose to authenticate or encrypt the message stream. It's useful because of that flexibility; you can determine precisely which level of security you want. At present, the only system available to work with the GSS-API and CVS is Kerberos 5, which provides a high level of authentication security across an untrusted network, if the hosts connecting through it are secure.

Once the GSS-API and Kerberos 5 are installed and configured and CVS is recompiled, you can get a Kerberos ticket for your user on the client and then run CVS commands normally. Example 8-10 shows how to check out a sandbox using the gserver access method.

Example 8-10. Using the gserver access method
bash$ cvs -d :gserver:helit:/var/lib/cvs checkout wizzard
cvs server: Updating wizzard
U wizzard/Changelog
U wizzard/INSTALL
U wizzard/Makefile
