[cvsnt] Re: secure cvs
Tony Hoyle
tmh at nodomain.org
Sun Aug 15 02:24:23 BST 2004

Thomas Keller wrote:
> 1) Connect to the repository from either Windows or Linux
> 2) Support for .cvspass password saving (so not :ext: where the ssh client
> needs to get the password on each action)

As soon as you store the password on the client you're already a lot
less secure than you can be. ssh is by far the best way to do this -
you do not need to enter the password on each action if it is configured
correctly - there are many setup guides for this on the net.

> I tried :sserver: but end up in always the same SSL error:
>
> 140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Check your syslog for errors. It's probably a missing/invalid certificate.

> Using :gserver: ended up in another mess:
> cvs update: GSSAPI authentication failed: Miscellaneous failure
> cvs [update aborted]: GSSAPI authentication failed: No credentials cache found
>

You'll need to have a keytab for cvs at your_domain correctly configured in
the same way as your other kerberized services. The only configuration
I know doesn't work is a Unix server on an Active Directory domain -
seems to be a limitation of Active Directory (presumably so you're
forced to run services on Windows boxes).

> :sspi: can't be used server-side IMHO since this is a Windows-only protocol,
> right?

If you have a Windows domain setup you can pass the authentication
through winbind to run it server side... there's an example config for
this in the PServer.example.

Tony