[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Local CVS Authentication
RE: Local CVS Authentication
Tue, 1 Nov 2011 16:04:12 +0000
When you say "Active Directory will be shut down" - do you mean your access to
AD, or that all of the AD servers themselves will be shut down? You can safely
change your existing CVS implementation to GServer (GSSAPI) only, and require
that the Kerberos ticket for Auth comes from a PKI / PIV smartcard logon on the
client. This should satisfy FIPS201, and only require reconfiguring the CVS
implementation, as long as your Unix systems are already connected to Kerberos.
BeyondTrust's PBIS Open is a fully OSS client that can help on the OS side if
required, too. I've personally done CVS Pserver/GServer implementations with
PBIS (formerly Likewise Open) as part of larger security projects like you are
suggesting going through. Let me know if I can assist further.
From: address@hidden [mailto:address@hidden On Behalf Of Arthur Barrett
Sent: Monday, October 31, 2011 11:38 PM
To: Harris, Sam; address@hidden
Cc: Glen Starrett
Subject: RE: Local CVS Authentication
FIPS 201 PIV - Personal Identity Verification for the Federal Government? Ie:
an RSA key stored on a smart card accessed by a vendor specific API and a PIN
entered by the user?
I work for the vendor of CVSNT as the product manager. I recommend you contact
Glen Starrett in Memphis TN on 800-653-1501 x803. He's the technical account
manager for your area and can help with a quote and assistance with your
Version control systems are not interchangable - they support your SCCM
business process. For commercial/professional programmers that process usually
includes the need to relate one change to another based on a
job/defect/test-case etc - this is a changeset and is supported by CVSNT but
not CVS or SVN.
There are many many other features supported by the latest CVSNT that are not
supported by SVN (failsafe audit, auto merge with mergepoints, distributed
repositories etc), but what's important is that the tool has the features to
support your business process: PIV included. If you are using CVSNT today then
clearly it does support your business process.
Exactly how you configure CVSNT to work with your smartcard technology will
depend on your client operating system, CVS Server version and operating system
and the client/server protocol in use (pserver, ssh, sspi etc).
I think TortoiseCVS is irrelevant to this disucssion, it's a graphical front
end to CVSNT - the checkin/checkout/authentication/changesets/audit/reserving
etc is done by CVSNT, not by the GUI.
> -----Original Message-----
> org] On Behalf Of Harris, Sam
> Sent: Tuesday, 1 November 2011 8:40 AM
> To: 'address@hidden'
> Subject: Local CVS Authentication
> We have used Active Directory for CVS authentication for many years.
> But a new directive has been handed down that requires all
> applications to be PIV enabled. In about six weeks Active Directory
> will be disabled. We have been given two choices.
> (1) Re-Configure CVS to authenticate all users, and (2) migrate all
> CVS projects to SVN.
> We have 50 projects and 60 users and use CVSNT 2.0.58d/TortoiseCVS
> My questions
> Can CVS be PIV enable?
> Which of my two choices will be the quickest and best?
> Whenever two people meet, there are really six people present. There
> is each person as he sees himself, each person as the other person
> sees him, and each person as he really is. - William James,
> psychologist and philosopher (1842 - 1910)