bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: GSSAPI + CVS


From: Tracy Brown
Subject: RE: GSSAPI + CVS
Date: Sun, 25 Feb 2001 10:51:11 -0800

Derek -

I grabbed Assar's patch and patched my CVS-1.11 source. I'll be testing this
today. Bear Giles is looking around for his patch, it's been some year and a
half since he submitted it to the Debian folks. Here's what Bear said in
regards to the GSSAPI code:

BG> Haven't found it yet - this is the type of stuff that I normally put
BG> onto a disk in a removable tray, so those files could be in some pretty
BG> surprising places about now... ;-), but I do recall that the GSSAPI code
BG> is actually fairly localized.  I seem to recall that all of the work
BG> in two procedures.
BG> 
BG> Unfortunately, the real problem was that the API had changed and I had
BG> to add a few more procedure calls.  It took a line-by-line comparison 
BG> between the sample implementation and CVS code to get it working.

Cheers,
Tracy.


-----Original Message-----
From: Derek R. Price [mailto:derek.price@openavenue.com]
Sent: Sunday, February 25, 2001 6:23 AM
To: Tracy Brown
Cc: 'info-cvs@gnu.org'; Assar Westerlund; Jakob Schlyter;
bug-cvs@gnu.org
Subject: Re: GSSAPI + CVS


Assar, do you have any comments?  From your previous patch submission it
sounds
like you  have things working...  Jakob?

Tracy, is it possible you could get a copy of Bear Giles/Debian's patch to
me
to look at?

I'll try to get Kerberos set up here so I can actually test this myself.  :)

Derek

--
Derek Price                      CVS Solutions Architect (
http://CVSHome.org )
mailto:dprice@openavenue.com     OpenAvenue ( http://OpenAvenue.com )
--
It does me no injury for my neighbor to say there are twenty gods or no god.
It neither picks my pocket nor breaks my leg.

                        - Thomas Jefferson

Tracy Brown wrote:

> After digging around for a while I've got the configuration for GSSAPI
> setup. However, I believe that there is a bug in actually using Kerberos
> (krb5-1.2.1) to authenticate users. I'm getting the following errors using
> cvs 1-11:
>
> My Kerberos environment is issuing tickets and I can bounce around the
> network on kerberized applications. For CVS, my inetd.conf for the server
is
> configured what seems to be accurately (pserver) and I've defined the
> cvs/my.cvsserver.com as a principle in the Kerberos database... note also
> that I've created a keytab for the cvs/my.cvsserver.com principle and it's
> stored in the default /etc/krb5.keytab spot.
>
> So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
> ":gserver:my.cvsserver.com:/cvsroot"  Here's the error I'm getting:
>
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
>
> And if I klist - I get:
> Valid starting     Expires            Service principal
> 02/22/01 07:37:59  02/22/01 17:37:59  krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 07:38:07  02/22/01 17:37:59  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 07:38:07  02/22/01 17:37:59  cvs/my.cvsserver.com@ABILIZER.COM
>
> And if I execute a few CVS commands in sequence, I get the following:
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs
>
> This last error is a little strange and cryptic. Interestingly enough,
each
> time I issue a CVS command I am caching two Kerberos tickets - This
scenario
> doesn't occur when using other kerberized applications like krlogin (only
> one ticket gets cached - even when it fails).
>
> klist:
> Valid starting     Expires            Service principal
> 02/22/01 12:21:02  02/22/01 22:21:02  krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 12:21:05  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:21:05  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:07  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:08  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:10  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:11  02/22/01 22:21:02  cvs/my.cvsserver.com@ABILIZER.COM
>
> After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for
the
> Debian distribution back in December 1999 - he noted that the 1.10.7
needed
> tweaking... Has the code for GSSAPI authentication been patched with any
> fixes?
>
> And for what it's worth I'd be happy to test authentication using the
GSSAPI
> using the krb5 libraries if cvs-development needs someone...
>
> Cheers, Tracy.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]