8.6. The gserver Access Method

The gserver access method uses the GSS-API (Generic Security Service Application Programming Interface) to support authentication and encryption of the CVS connection. The GSS-API itself does not authenticate or encrypt the connection; those functions are performed by an authentication or encryption system configured to work with the GSS-API. The most common system used with the GSS-API is Kerberos 5. The GSS-API is explained in RFC 2743, available at http://www.ietf.org/rfc/rfc2743.txt. RFC 1964 explains how the GSS-API interacts with Kerberos 5. To use Kerberos 5 with CVS, use the GSS-API and the gserver access method. Kerberos 4 is used with the kserver access method, explained in the next section.

The repository path format for the GSS-API is:

:gserver:[user@]hostname[:[port]]/path

The default port for gserver is 2401. If user is not specified, the client sends the username of the calling user on the client computer.

The CVS client and server must both be compiled to run the GSS-API. If you intend to encrypt the data stream, you also need to have encryption enabled at compile time. You can test whether your CVS program has the GSS-API compiled in by attempting to check out a sandbox. Example 8-8 shows the result when CVS does not support the GSS-API.

Example 8-8. Testing for gserver mode
You can test for encryption support by checking the options list, as shown in Example 8-9.

Example 8-9. Checking for encryption
To recompile CVS to support the GSS-API, see the following instructions. A more detailed discussion on installing from source is provided in Chapter 2, but the examples in that discussion do not include the GSS-API. You need to use the --with-gssapi[=directory] option to configure CVS to use the GSS-API. If you want encryption, use --enable-encrypt as well.
To compile CVS with GSS-API support:
Using the GSS-API, CVS can authenticate and encrypt the data stream, but it does not do these things by default. Use the -a CVS option to authenticate the data stream, and use the -x CVS option to encrypt it. You may want to include these options in your .cvsrc file. For example, to both authenticate and encrypt the data stream, place the following in .cvsrc:

cvs -ax

To support the gserver access method, CVS needs to run a server on the computer that hosts the repository. CVS uses most of the same code to support the gserver and pserver methods. To configure the repository to run the CVS server, edit inetd.conf and add cvs pserver (not gserver). See "Using inetd with gserver, kserver, and pserver" later in this chapter for more information on this configuration.

Install and configure Kerberos 5, per the instructions for your Kerberos system. The principal name for CVS is cvs/HOSTNAME, where HOSTNAME is the canonical name of the host.
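The following shell script is an added example, not code from the book or from the CVS project. It ties together two points above: the :gserver:[user@]hostname[:[port]]/path repository format (parsed into its parts, with the 2401 default applied when the port is absent or empty and the calling user substituted when no user is given) and the check from Example 8-9, which decides from the global-options listing whether -x is available before you commit to "cvs -ax" in .cvsrc. The function names, the sample CVSROOT, and the sample options listing are my own constructions; the listing follows the layout of cvs --help-options, and the check assumes, as the text does, that a CVS built without encryption does not list -x.

```shell
#!/bin/sh
# Added example, not from the book: parse a gserver CVSROOT of the form
#   :gserver:[user@]hostname[:[port]]/path
# and check a `cvs --help-options` listing for the -x option before putting
# "cvs -ax" in ~/.cvsrc. Function and variable names are my own.

# parse_gserver_root ROOT
# Prints "user host port path" on one line; returns 1 if ROOT does not use
# the gserver access method or lacks a hostname or repository path.
parse_gserver_root() {
    root=$1
    case $root in
        :gserver:*) ;;
        *) echo "not a gserver CVSROOT: $root" >&2; return 1 ;;
    esac
    rest=${root#:gserver:}
    case $rest in
        */*) ;;
        *) echo "missing repository path: $root" >&2; return 1 ;;
    esac
    hostpart=${rest%%/*}            # text before the first slash
    path=/${rest#*/}                # repository path, leading slash restored
    case $hostpart in
        *@*) user=${hostpart%%@*}; hostpart=${hostpart#*@} ;;
        *)   user=$(id -un) ;;      # no user given: the client sends the calling user
    esac
    case $hostpart in
        *:*) host=${hostpart%%:*}; port=${hostpart#*:} ;;
        *)   host=$hostpart; port= ;;
    esac
    [ -n "$host" ] || { echo "missing hostname: $root" >&2; return 1; }
    [ -n "$port" ] || port=2401     # "[:[port]]": absent or empty port means the default
    printf '%s %s %s %s\n' "$user" "$host" "$port" "$path"
}

# cvs_has_encryption
# Reads a global-options listing (what `cvs --help-options` prints) on stdin
# and returns 0 only if it lists -x, which a CVS built without --enable-encrypt
# does not offer. Real check:  cvs --help-options 2>&1 | cvs_has_encryption
cvs_has_encryption() {
    grep -q '^[[:space:]]*-x[[:space:]]'
}

# Constructed sample input: an explicit user and an empty port field.
SAMPLE_ROOT=':gserver:alice@cvs.example.com:/var/lib/cvs'

# Constructed sample listing in the layout of `cvs --help-options`, with -x present.
SAMPLE_OPTIONS='    -z #         Request compression level # for net traffic.
    -x           Encrypt all net traffic.
    -a           Authenticate all net traffic.'

parse_gserver_root "$SAMPLE_ROOT"    # alice cvs.example.com 2401 /var/lib/cvs
if printf '%s\n' "$SAMPLE_OPTIONS" | cvs_has_encryption; then
    echo "encryption available: cvs -ax can go in .cvsrc"
else
    echo "no -x option: this CVS cannot encrypt; only cvs -a is possible"
fi
```

Running the two functions against a real client (cvs --help-options piped into cvs_has_encryption, and the CVSROOT you intend to use passed to parse_gserver_root) tells you before the first checkout whether the connection will be authenticated only or authenticated and encrypted, and which host and port the client will contact.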
The extent to which the GSS-API is secure depends on the particular system you choose and whether you choose to authenticate or encrypt the message stream. It's useful because of that flexibility: you can determine precisely which level of security you want. At present, the only system available to work with the GSS-API and CVS is Kerberos 5, which provides a high level of authentication security across an untrusted network, if the hosts connecting through it are secure.

Once the GSS-API and Kerberos 5 are installed and configured and CVS is recompiled, you can get a Kerberos ticket for your user on the client and then run CVS commands normally. Example 8-10 shows how to check out a sandbox using the gserver access method.

Example 8-10. Using the gserver access method