[Cvsnt] Kerberos: gserver and SSPI
Brian Smith
brian-l-smith at uiowa.edu
Thu Apr 11 18:14:39 BST 2002
:gserver: works with:
    Windows 2000/XP
    Linux
    Sun Solaris
    [probably any other unix including Mac OS X]

:sspi: works with:
    Windows 98/NT4/2000/XP

Both SSPI and Kerberos support encryption and message authentication.
Both SSPI and Kerberos use domain (realm) credentials to authenticate
users. Both SSPI and Kerberos support the server settings that require
the user to use encryption and/or message digests.

:gserver: always uses Kerberos (CVS can be patched to work with a
GSSAPI implementation but currently the code assumes that the GSSAPI
implementation is Kerberos). That is why it is cross-platform compatible
but doesn't work with Windows 95/98/NT.

:gserver: always uses the credentials of the currently logged on user on
the client (i.e. your domain credentials). You can use the Windows
2000/XP "runas" command to use CVS :gserver: with other credentials
(untested).

:gserver: has two implementations: one uses the MIT Kerberos
distribution and the default implementation uses the Windows 2000/XP
Kerberos SSP.

SSPI will use Kerberos if both the client and the server support it
(i.e. Client is Windows 2000/XP and Server is Windows 2000/XP).
Otherwise it will use NTLM. It actually uses the Windows authentication
negotiation mechanism (on Windows 2000/XP). That is why it is not
cross-platform but it is compatible with Windows 95/98/NT.

If you think that Kerberos is "more secure" than NTLM then you would
consider :gserver: to be "more secure" than SSPI because SSPI will let
people use NTLM. If you want to enforce Kerberos and/or NTLM2 then you
have to do extra configuration in the Windows local security policy.

SSPI has a special CVSROOT form (:sspi:username[:password]@server:/host)
that allows you to specify the username and password you want to
authenticate with (when you don't want to log in with your default
credentials) on the command line without using "runas". If you use this
form, the password is saved in the client's CVS password cache (in the
registry, I believe).

In general, if all of your clients are on Windows 2000/XP then I would
prefer :gserver: over :sspi: because:
    (1) I don't like NTLM
    (2) It is cross-platform (so you can add Unix clients later)
    (3) I made the patch to implement the Kerberos/WindowsSSP implementation ;)

Let me know if you have more questions.

- Brian

Francis Irving wrote:
> Can somebody explain to me the difference between gserver and SSPI?
> Is there any documentation on them, or how to use them?
>
> I would like to know so I can put an appropriate description in the
> checkout dialog box for TortoiseCVS, but I'm curious anyway as I've
> never used Kerberos.
>
> Francis
> _______________________________________________
> Cvsnt mailing list
> Cvsnt at cvsnt.org
> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
>
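
Added example (not part of the original message or of CVSNT's code): a Python check that parses CVSROOT strings of the form quoted in the message, flags an embedded password and the :sspi: method (whose negotiation can end up on NTLM), and redacts the password for logging. The function names, finding labels and sample roots are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# :method:[user[:password]@]host:/path, e.g. the :sspi: form quoted in the message
_ROOT = re.compile(
    r"^:(?P<method>[a-z]+):"
    r"(?:(?P<user>[^:@]+)(?::(?P<password>.*))?@)?"
    r"(?P<host>[^:@/]+):(?P<path>/.*)$"
)

class CvsRoot(NamedTuple):
    method: str
    user: Optional[str]
    password: Optional[str]
    host: str
    path: str

def parse_cvsroot(root: str) -> CvsRoot:
    m = _ROOT.match(root.strip())
    if m is None:
        raise ValueError("unrecognised CVSROOT form")
    return CvsRoot(**m.groupdict())

def redact(root: str) -> str:
    """Rebuild the root with any password masked, safe to write to a log."""
    r = parse_cvsroot(root)
    cred = ""
    if r.user is not None:
        cred = r.user + (":***" if r.password is not None else "") + "@"
    return f":{r.method}:{cred}{r.host}:{r.path}"

def audit(root: str) -> List[str]:
    """Return finding labels (hypothetical names) for one CVSROOT string."""
    r = parse_cvsroot(root)
    findings = []
    if r.password is not None:   # explicit password on the command line
        findings.append("embedded-password")
    if r.method == "sspi":       # negotiated: Kerberos if both ends support it, else NTLM
        findings.append("ntlm-possible")
    return findings

# Constructed sample roots, not taken from any real repository.
SAMPLES = [
    ":gserver:cvs.example.test:/repo",
    ":sspi:alice@cvs.example.test:/repo",
    ":sspi:EXAMPLE\\alice:p@ss:w0rd@cvs.example.test:/repo",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(redact(s), audit(s))
```

CVS working copies record their root in the CVS/Root file, so those lines are a natural input for audit().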