info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GSSAPI + CVS


From: Tracy Brown
Subject: GSSAPI + CVS
Date: Thu, 22 Feb 2001 15:00:44 -0800

After digging around for a while I've got the configuration for GSSAPI
setup. However, I believe that there is a bug in actually using Kerberos
(krb5-1.2.1) to authenticate users. I'm getting the following errors using
cvs 1-11:

My Kerberos environment is issuing tickets and I can bounce around the
network on kerberized applications. For CVS, my inetd.conf for the server is
configured what seems to be accurately (pserver) and I've defined the
cvs/my.cvsserver.com as a principle in the Kerberos database... note also
that I've created a keytab for the cvs/my.cvsserver.com principle and it's
stored in the default /etc/krb5.keytab spot.

So I kinit and grab a TGT then issue my CVS command with the CVSROOT as
":gserver:my.cvsserver.com:/cvsroot"  Here's the error I'm getting:

cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials

And if I klist - I get:
Valid starting     Expires            Service principal
02/22/01 07:37:59  02/22/01 17:37:59  krbtgt/address@hidden
02/22/01 07:38:07  02/22/01 17:37:59  cvs/address@hidden
02/22/01 07:38:07  02/22/01 17:37:59  cvs/address@hidden

And if I execute a few CVS commands in sequence, I get the following:
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs [pserver
aborted]: could not acquire GSSAPI server credentials
(cvsserver)% cvs -a co compnews
cvs [checkout aborted]: error from server my.cvsserver.com: cvs

This last error is a little strange and cryptic. Interestingly enough, each
time I issue a CVS command I am caching two Kerberos tickets - This scenario
doesn't occur when using other kerberized applications like krlogin (only
one ticket gets cached - even when it fails).

klist:
Valid starting     Expires            Service principal
02/22/01 12:21:02  02/22/01 22:21:02  krbtgt/address@hidden
02/22/01 12:21:05  02/22/01 22:21:02  cvs/address@hidden
02/22/01 12:21:05  02/22/01 22:21:02  cvs/address@hidden
02/22/01 12:28:07  02/22/01 22:21:02  cvs/address@hidden
02/22/01 12:28:08  02/22/01 22:21:02  cvs/address@hidden
02/22/01 12:28:10  02/22/01 22:21:02  cvs/address@hidden
02/22/01 12:28:11  02/22/01 22:21:02  cvs/address@hidden


After talking to Bear Giles - he patched cvs the 1.10.7 GSSAPI code for the
Debian distribution back in December 1999 - he noted that the 1.10.7 needed
tweaking... Has the code for GSSAPI authentication been patched with any
fixes? 

And for what it's worth I'd be happy to test authentication using the GSSAPI
using the krb5 libraries if cvs-development needs someone...


Cheers, Tracy.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]