CVS and Kerberos authentication: Howto

The Concurrent Versioning System CVS ”is an open-source version control system that keeps track of all work and all changes in a set of files, typically the implementation of a software project, and allows several (potentially widely-separated) developers to collaborate.”

CVS users can authenticate to the CVS server using gssapi/Kerberos5. Most linux/BSD distributions, however, do not include CVS binaries with Kerberos5 support. This is a howto for compiling, installing and using cvs with Kerberos authentication.

You need to follow these simple steps :

• Download heimdal Kerberos from here and Install it. (heimdal installs by default to /usr/heimdal)

• Get cvs from here (In this howto I am using version 1-12-13)

• Configure and compile cvs with gssapi support

  ./configure --with-gssapi=/usr/heimdal --enable-encryption
  make
  make install

• Add cvs service to the Kerberos KDC

 (on the KDC)
 kadmind -l add cvs/your.cvs.host@YOUR-REALM

• Export the cvs server key-tab

 (on the KDC)
 kadmind -l ext_keytab --keytab=/tmp/keytab-cvs

• Transfer /tmp/keytab-cvs to the host your.cvs.host

 (on the KDC)
 scp /tmp/keytab-cvs root@your.cvs.host:/tmp

• Copy the keytab to the system keytab in your.cvs.host

 ktutil copy /tmp/keytab-cvs /etc/krb5.keytab

• Add the following line to /etc/inetd.conf :

  cvspserver  stream  tcp  nowait  root  /usr/bin/cvs cvs --allow-root=/storage/cvsroot pserver

Change /storage/cvsroot to the path of your own CVSROOT

• Install kinit and setup /etc/krb5.conf

  apt-get install heimdal-clients 

• Setup cvs alias in your .bashrc (optional)

  alias kvs="cvs -d :gserver:$USER@your.cvs.host:/storage/cvsroot"

• Get a TGT and try it

  kinit 
  kvs co -c

Both binaries require the gssapi to be insalled in your system, for linux, you need to type

  apt-get install libgssapi4-heimdal

Labels: howto, security, Kerberos, services