GNU Info

(cvs.info)GSSAPI authenticated

---

Next: Kerberos authenticated Prev: Password authenticated Up: Remote repositories

---

Enter node , (file) or (file)node

Direct connection with GSSAPI
-----------------------------

   GSSAPI is a generic interface to network security systems such as
Kerberos 5.  If you have a working GSSAPI library, you can have CVS
connect via a direct TCP connection, authenticating with GSSAPI.

   To do this, CVS needs to be compiled with GSSAPI support; when
configuring CVS it tries to detect whether GSSAPI libraries using
kerberos version 5 are present.  You can also use the `--with-gssapi'
flag to configure.

   The connection is authenticated using GSSAPI, but the message stream
is _not_ authenticated by default.  You must use the `-a' global option
to request stream authentication.

   The data transmitted is _not_ encrypted by default.  Encryption
support must be compiled into both the client and the server; use the
`--enable-encrypt' configure option to turn it on.  You must then use
the `-x' global option to request encryption.

   GSSAPI connections are handled on the server side by the same server
which handles the password authentication server; see Note: Password
authentication server.  If you are using a GSSAPI mechanism such as
Kerberos which provides for strong authentication, you will probably
want to disable the ability to authenticate via cleartext passwords.
To do so, create an empty `CVSROOT/passwd' password file, and set
`SystemAuth=no' in the config file (Note: config).

   The GSSAPI server uses a principal name of cvs/HOSTNAME, where
HOSTNAME is the canonical name of the server host.  You will have to
set this up as required by your GSSAPI mechanism.

   To connect using GSSAPI, use `:gserver:'.  For example,

     cvs -d :gserver:faun.example.org:/usr/local/cvsroot checkout foo