[OpenAFS] CVS, GSSAPI, and AFS tokens
Douglas E. Engert
Wed, 07 Nov 2007 13:26:43 -0600
Russ Allbery wrote:
> Jeff Blaine <email@example.com> writes:
>> How are people handling krb5 auth with CVS and also getting
>> tokens for gserver connections (GSSAPI/krb5)?
> CVS's network protocol terrifies me. Where we're still using CVS, we just
> put the repositories directly in AFS and use AFS ACLs to control access.
> It's a bit slower, but it works.
We are doing just the opposite, use GSSAPI/Kerberos for authentication and
have CVS repositories on local disk. Its a small CVS, so don't read much
into this. CVS is on the way out, SVN looks much better.
The same executable can function as client or server.
It can be started from inetd as a pserver which
also responds to a gserver. To do this,
add to /etc/services:
cvspserver 2401/tcp # CVS remote server, GSSAPI or PW
And to inetd.conf something like (all on one line):
cvspserver stream tcp nowait root /usr/sbin/in.tcpd
/krb5/bin/cvs -f --allow-root=/opt/cvsroot pserver
The CVSROOT/passwrd file should be empty to force
the use of GSSAPI with kerberos only.
The host needs a service principal of cvs/<hostname>@<realm>
When you built cvs, add the --with-gssapi=/path/to/your/krb5
Never looked at gss delegation to get AFS token as the user.
You can also do :external with ssh which can use GSSAPI, but this
requires the users to have accounts on the server. This might be easier
to get AFS token.
Even on Windows, WinCVS can use gserver or a PuTTY with gssapi.
> You have to play some games with the LockDir configuration parameter if
> you want to provide read-only access via AFS, but it's doable. (We've
> never needed this.)
> Subversion is a lot nicer.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439