Copyright (C) 2000-2012
Direct connection with GSSAPI
-----------------------------

GSSAPI is a generic interface to network security systems such as
Kerberos 5. If you have a working GSSAPI library, you can have CVS
connect via a direct TCP connection, authenticating with GSSAPI.

To do this, CVS needs to be compiled with GSSAPI support; when
configuring CVS it tries to detect whether GSSAPI libraries using
Kerberos version 5 are present. You can also use the `--with-gssapi'
flag to configure.

The connection is authenticated using GSSAPI, but the message stream is
_not_ authenticated by default. You must use the `-a' global option to
request stream authentication.

The data transmitted is _not_ encrypted by default. Encryption support
must be compiled into both the client and the server; use the
`--enable-encrypt' configure option to turn it on. You must then use
the `-x' global option to request encryption.

GSSAPI connections are handled on the server side by the same server
which handles the password authentication server; see Note: Password
authentication server. If you are using a GSSAPI mechanism such as
Kerberos which provides for strong authentication, you will probably
want to disable the ability to authenticate via cleartext passwords. To
do so, create an empty `CVSROOT/passwd' password file, and set
`SystemAuth=no' in the config file (Note: config).

The GSSAPI server uses a principal name of cvs/HOSTNAME, where HOSTNAME
is the canonical name of the server host. You will have to set this up
as required by your GSSAPI mechanism.

To connect using GSSAPI, use `:gserver:'. For example,

     cvs -d :gserver:faun.example.org:/usr/local/cvsroot checkout foo
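
The following audit script is an added example, not part of the CVS manual or the CVS distribution. It checks a repository for the two settings described above (an empty `CVSROOT/passwd' and an active `SystemAuth=no' in `CVSROOT/config'). The function names, the sample repositories and the rule that any active SystemAuth value other than `no' counts as a finding are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a CVS repository for the cleartext-password hardening
# described above. audit_cvsroot REPO prints one line per finding and
# returns the number of findings (0 = both settings are in place).
audit_cvsroot() {
    root="$1/CVSROOT"
    findings=0

    # The manual says to create an *empty* CVSROOT/passwd file.
    if [ ! -e "$root/passwd" ]; then
        echo "FINDING: $root/passwd is missing (expected an empty file)"
        findings=$((findings + 1))
    elif [ -s "$root/passwd" ]; then
        echo "FINDING: $root/passwd is not empty; password accounts are defined"
        findings=$((findings + 1))
    fi

    # SystemAuth=no must be present and not commented out in CVSROOT/config.
    # Assumption: any active SystemAuth line with another value is a finding.
    active=$(grep -E '^[[:space:]]*SystemAuth[[:space:]]*=' "$root/config" 2>/dev/null)
    if [ -z "$active" ]; then
        echo "FINDING: no active SystemAuth line in $root/config"
        findings=$((findings + 1))
    elif printf '%s\n' "$active" | grep -Eqv '=[[:space:]]*no[[:space:]]*$'; then
        echo "FINDING: SystemAuth is not 'no' in $root/config"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Helper for constructed sample repositories (sample data, not from the page).
make_sample() {  # make_sample DIR PASSWD_CONTENT CONFIG_LINE
    mkdir -p "$1/CVSROOT"
    printf '%s' "$2" > "$1/CVSROOT/passwd"
    printf '%s\n' "$3" > "$1/CVSROOT/config"
}

demo=$(mktemp -d)
make_sample "$demo/hardened" '' 'SystemAuth=no'
make_sample "$demo/weak" 'anonymous:' '#SystemAuth=no'
for repo in hardened weak; do
    if audit_cvsroot "$demo/$repo"; then
        echo "$repo: OK"
    else
        echo "$repo: $? finding(s)"
    fi
done
rm -rf "$demo"
```

Run it on the server against the real repository path (for instance the /usr/local/cvsroot used above); a commented-out `#SystemAuth=no' line is reported because it has no effect.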