[cvsnt] Re: Kerberos implemented with CVS
Daryl R Hoffman
daryl.hoffman at psualum.com
Tue Nov 22 19:25:51 GMT 2005
At 02:13 PM 11/22/2005, Tony Hoyle wrote:
>Daryl R Hoffman wrote:
>>I am writing because we are attempting to create a production
>>repository and our Mid-Tier Infrastructure group has requested that
>>if we want to run the client/server on a production machine, we
>>will need to use our local authentication, Kerberos (K5), to
>>authenticate our users and we will not be permitted to use Windows
>>Domain or Windows registry users.
>
>What platforms? Obviously it's easier on Win32 to use Active
>Directory (although it's possible to use others, it's not something
>that I've ever successfully used..).

We are using Windows 2000 and Windows 2003 servers. We know it is
probably easier; unfortunately, we did not make the choice, others at
the University did.

>The problem is it's impossible to do a kinit with Win32, so I'm not
>sure how you're going to get around that one.
>
>Presumably you have Kerberos experts who can set you up the client
>and server... it's definitely nontrivial getting all the host keys etc. right.
>
>You'd have to set the server to use a single dedicated user rather
>than the login user, since the login users wouldn't exist in this
>case. That has security issues for scripts and file access that you
>need to take into account.
>
>You'll also have to disable all protocols except gserver. That will
>limit your choice of clients somewhat (I believe WinCVS supports it though).
>
>Tony

We have had issues with Open Source and vendor-supplied products in
the past because of the way our LDAP and security are implemented, so
this is not new. But I do appreciate the response and we will
continue to investigate ways to solve this issue. Our server people
are worried about maintaining a Windows registry of 100+ developers,
but so far, we have not been able to find a CVS implementation that
will make this easier and put the server people at ease.
Thanks again
Daryl