[OpenAFS] CVS, GSSAPI, and AFS tokens

Douglas E. Engert deengert@anl.gov
Wed, 07 Nov 2007 13:26:43 -0600


Russ Allbery wrote:
> Jeff Blaine <jblaine@kickflop.net> writes:
> 
>> How are people handling krb5 auth with CVS and also getting
>> tokens for gserver connections (GSSAPI/krb5)?
> 
> CVS's network protocol terrifies me.  Where we're still using CVS, we just
> put the repositories directly in AFS and use AFS ACLs to control access.
> It's a bit slower, but it works.

We are doing just the opposite: using GSSAPI/Kerberos for authentication and
keeping CVS repositories on local disk. It's a small CVS, so don't read much
into this. CVS is on the way out, SVN looks much better.

   The same executable can function as client or server.
   It can be started from inetd as a pserver which
   also responds to a gserver. To do this,
   add to /etc/services:

   cvspserver 2401/tcp   # CVS remote server, GSSAPI or PW

   And to inetd.conf something like (all on one line):

   cvspserver stream tcp nowait root /usr/sbin/in.tcpd
      /krb5/bin/cvs -f --allow-root=/opt/cvsroot pserver

   The CVSROOT/passwd file should be empty to force
   the use of GSSAPI with Kerberos only.

   The host needs a service principal of cvs/<hostname>@<realm>

When you build cvs, add --with-gssapi=/path/to/your/krb5

Never looked at gss delegation to get AFS token as the user.

You can also do :external with ssh which can use GSSAPI, but this
requires the users to have accounts on the server. This might be easier
to get AFS token.

Even on Windows, WinCVS can use gserver or a PuTTY with gssapi.

> 
> You have to play some games with the LockDir configuration parameter if
> you want to provide read-only access via AFS, but it's doable.  (We've
> never needed this.)
> 
> Subversion is a lot nicer.

Yes.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
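
Added example, not part of the original message or of CVS itself: a shell function that audits the files the message names (the services entry, the inetd.conf line, and an empty CVSROOT/passwd) for a GSSAPI-only server. The function name, its arguments, and treating a missing passwd file as a failure are assumptions; the SystemAuth check goes beyond the message and refers to the CVSROOT/config setting of that name.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the three files the post
# names for a GSSAPI-only CVS server. Prints one line per check and returns
# the number of failed checks.
# Usage: audit_cvs_gserver SERVICES_FILE INETD_CONF REPOSITORY_ROOT
audit_cvs_gserver() {
    services=$1; inetd=$2; root=$3; fails=0

    # /etc/services must map cvspserver to 2401/tcp.
    if grep -Eq '^cvspserver[[:space:]]+2401/tcp' "$services" 2>/dev/null; then
        echo "OK   services: cvspserver 2401/tcp"
    else
        echo "FAIL services: no cvspserver 2401/tcp entry"; fails=$((fails + 1))
    fi

    # inetd.conf needs an uncommented cvspserver line that pins the repository
    # with --allow-root and starts cvs in pserver mode.
    line=$(grep -E '^cvspserver[[:space:]]' "$inetd" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL inetd: no active cvspserver line"; fails=$((fails + 1))
    elif printf '%s\n' "$line" |
        grep -Eq -- '--allow-root=[^[:space:]]+.*[[:space:]]pserver([[:space:]]|$)'; then
        echo "OK   inetd: pserver with --allow-root"
    else
        echo "FAIL inetd: line lacks --allow-root=... pserver"; fails=$((fails + 1))
    fi

    # CVSROOT/passwd holds no entries (a missing file is treated as a failure
    # here, which is this example's assumption).
    pw=$root/CVSROOT/passwd
    if [ ! -f "$pw" ]; then
        echo "FAIL passwd: $pw missing"; fails=$((fails + 1))
    elif grep -q '[^[:space:]]' "$pw"; then
        echo "FAIL passwd: $pw has entries"; fails=$((fails + 1))
    else
        echo "OK   passwd: $pw is empty"
    fi

    # Beyond the post: with SystemAuth left at its default of yes, pserver
    # password logins are checked against system accounts when CVSROOT/passwd
    # has no match. Reported as a warning, not counted as a failure.
    if grep -Eq '^[[:space:]]*SystemAuth[[:space:]]*=[[:space:]]*no' \
        "$root/CVSROOT/config" 2>/dev/null; then
        echo "OK   config: SystemAuth=no"
    else
        echo "WARN config: SystemAuth=no not set"
    fi
    return "$fails"
}
```

The service principal cvs/<hostname>@<realm> is not checked here, since that requires reading the host's keytab.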