[cvsnt] Re: Kerberos implemented with CVS
Tony Hoyle
tony.hoyle at march-hare.com
Tue Nov 22 19:13:41 GMT 2005
Daryl R Hoffman wrote:
> I am writing because we are attempting to create a production repository
> and our Mid-Tier Infrastructure group has requested that if we want to
> run the client/server on a production machine, we will need to use our
> local authentication, Kerberos (K5), to authenticate our users and we
> will not be permitted to use Windows Domain or Windows registry users.
What platforms? Obviously it's easier on Win32 to use Active Directory
(although it's possible to use others, it's not something that I've ever
successfully used..).
The problem is it's impossible to do a kinit with Win32, so I'm not sure
how you're going to get around that one.
Presumably you have kerberos experts who can set you up the client and
server... it's definately nontrivial getting all the host keys etc. right.
You'd have to set the server to use a single dedicated user rather than
the login user, since the login users wouldn't exist in this case. That
has security issues for scripts and file access that you need to take
into account.
You'll also have to disable all protocols except gserver. That will
limit your choice of clients somewhat (I believe WinCVS supports it though).
Tony
More information about the cvsnt
mailing list