RE: GSSAPI + CVS
From: Tracy Brown
Subject: RE: GSSAPI + CVS
Date: Sun, 25 Feb 2001 10:51:11 -0800
Derek -
I grabbed Assar's patch and patched my CVS-1.11 source. I'll be testing this
today. Bear Giles is looking around for his patch, it's been some year and a
half since he submitted it to the Debian folks. Here's what Bear said in
regards to the GSSAPI code:
BG> Haven't found it yet - this is the type of stuff that I normally put
BG> onto a disk in a removable tray, so those files could be in some pretty
BG> surprising places about now... ;-), but I do recall that the GSSAPI code
BG> is actually fairly localized. I seem to recall that all of the work is
BG> in two procedures.
BG>
BG> Unfortunately, the real problem was that the API had changed and I had
BG> to add a few more procedure calls. It took a line-by-line comparison
BG> between the sample implementation and CVS code to get it working.
Cheers,
Tracy.
-----Original Message-----
From: Derek R. Price [mailto:derek.price@openavenue.com]
Sent: Sunday, February 25, 2001 6:23 AM
To: Tracy Brown
Cc: 'info-cvs@gnu.org'; Assar Westerlund; Jakob Schlyter;
bug-cvs@gnu.org
Subject: Re: GSSAPI + CVS
Assar, do you have any comments? From your previous patch submission it sounds
like you have things working... Jakob?
Tracy, is it possible you could get a copy of Bear Giles/Debian's patch to me
to look at?
I'll try to get Kerberos set up here so I can actually test this myself. :)
Derek
--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:dprice@openavenue.com     OpenAvenue ( http://OpenAvenue.com )
--
It does me no injury for my neighbor to say there are twenty gods or no god.
It neither picks my pocket nor breaks my leg.
- Thomas Jefferson
Tracy Brown wrote:
> After digging around for a while I've got the configuration for GSSAPI
> setup. However, I believe that there is a bug in actually using Kerberos
> (krb5-1.2.1) to authenticate users. I'm getting the following errors using
> cvs 1-11:
>
> My Kerberos environment is issuing tickets and I can bounce around the
> network on kerberized applications. For CVS, my inetd.conf for the server is
> configured what seems to be accurately (pserver) and I've defined the
> cvs/my.cvsserver.com as a principal in the Kerberos database... note also
> that I've created a keytab for the cvs/my.cvsserver.com principal and it's
> stored in the default /etc/krb5.keytab spot.
>
> So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
> ":gserver:my.cvsserver.com:/cvsroot" Here's the error I'm getting:
>
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
>
> And if I klist - I get:
> Valid starting Expires Service principal
> 02/22/01 07:37:59 02/22/01 17:37:59 krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 07:38:07 02/22/01 17:37:59 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 07:38:07 02/22/01 17:37:59 cvs/my.cvsserver.com@ABILIZER.COM
>
> And if I execute a few CVS commands in sequence, I get the following:
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
> aborted]: could not acquire GSSAPI server credentials
> (cvsserver)% cvs -a co compnews
> cvs [checkout aborted]: error from server my.cvsserver.com: cvs
>
> This last error is a little strange and cryptic. Interestingly enough, each
> time I issue a CVS command I am caching two Kerberos tickets - This scenario
> doesn't occur when using other kerberized applications like krlogin (only
> one ticket gets cached - even when it fails).
>
> klist:
> Valid starting Expires Service principal
> 02/22/01 12:21:02 02/22/01 22:21:02 krbtgt/ABILIZER.COM@ABILIZER.COM
> 02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:07 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:08 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:10 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
> 02/22/01 12:28:11 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
>
> After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for the
> Debian distribution back in December 1999 - he noted that the 1.10.7 needed
> tweaking... Has the code for GSSAPI authentication been patched with any
> fixes?
>
> And for what it's worth I'd be happy to test authentication using the GSSAPI
> using the krb5 libraries if cvs-development needs someone...
>
> Cheers, Tracy.
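
A way to check a credential cache for the duplicate-ticket symptom described in the quoted message, as an added example that is not part of the original thread: it parses `klist` text output and reports service principals that are cached more than once. The sample input is the second listing from the post; the function names are this example's own, and the parser assumes the three-column layout shown there.

```python
import re
from collections import Counter

# klist listing copied from the quoted post (three-column text layout).
SAMPLE_KLIST = """\
Valid starting Expires Service principal
02/22/01 12:21:02 02/22/01 22:21:02 krbtgt/ABILIZER.COM@ABILIZER.COM
02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
02/22/01 12:21:05 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
02/22/01 12:28:07 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
02/22/01 12:28:08 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
02/22/01 12:28:10 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
02/22/01 12:28:11 02/22/01 22:21:02 cvs/my.cvsserver.com@ABILIZER.COM
"""

ENTRY = re.compile(
    r"^(?:>\s*)?"                             # tolerate a mail-quote marker
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"     # valid starting
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"     # expires
    r"(\S+@\S+)\s*$"                          # service principal
)

def parse_klist(text):
    """Return (start, expires, principal) tuples; header and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def duplicate_service_tickets(entries):
    """Map each non-TGT service principal held more than once to its entry count."""
    counts = Counter(p for _, _, p in entries if not p.startswith("krbtgt/"))
    return {p: n for p, n in counts.items() if n > 1}

def report(text):
    """One summary line per service principal that appears more than once."""
    dups = duplicate_service_tickets(parse_klist(text))
    return [f"{p}: {n} cached tickets" for p, n in sorted(dups.items())]

if __name__ == "__main__":
    for line in report(SAMPLE_KLIST):
        print(line)
```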