kerberos and cvs

Charles Wilson cwilson@ece.gatech.edu
Wed Apr 2 02:09:00 GMT 2003


Pavel Tsekov wrote:
> On Mon, 31 Mar 2003, Charles Wilson wrote:
>>However, here's the problem:
>>   1) I know nothing about kerberos.  I don't even know enough to test it.
> 
> I use CVS at work with the gserver method i.e. GSS api. At least I have a
> setup where I can test your work.

That'd be good...but I don't have cvsnt compiled just quite yet <g>.  Is 
there a kerberized telnet server around there somewhere?  kerb-rsh? 
kerb-ftp?

>>   2) I do NOT want to maintain this beastly piece of software. 
>>However, I understand it is quite popular and would probably be a 
>>welcome addition to the cygwin system.

Oh, and one other thing; it seems that Cygnus Solutions used to offer 
something called "KerbNet" which I think was a krb4 system on top of 
cygwin.  It's no longer on the Red Hat website; it seems to have gone 
the way of the dodo.  I dunno if it means anything; I just thought it 
was interesting.

>>   3) This port does NOT contain the niceties like "ssh-host-config" 
>>scripts and whatnot.  A fully-fledged cygwin port should probably 
>>install things like that, and maybe even hook into the sysvinit system 
>>that Sergey contributed.
> 
> 
> Why ? Do we want to run kerberos KDC ? I don't think so, or at least it 
> is not necessary to run kerberized cvs. The KDC in our setup is a Win2k 
> Active Directory.

Ah -- you've probably hit on why cvsnt requires kerberos.  They want it 
to work in an Active Directory domain OOB.  Which is not a bad thing...

> For cvs you only need client libs and tools.

Don't you need to set up /etc/krb5.conf even for client access?  And 
probably some sort of ~/.dotfile stuff?  Plus, if someone REALLY wants 
ktelnet to be their default, then we need to worry about providing that 
behavior -- it's obvious that krb5 telnet is *supposed* to replace 
regular telnet seamlessly in a kerberized environment [e.g. the user 
shouldn't have to remember to type 'ktelnet'].  Coordinating with 
inetutils maintainer for a structure like:

   inetutils:  itelnet.exe
   krb5:       ktelnet.exe

both packages have a postinstall script that sets up a symlink
   telnet.exe -> [ik]telnet.exe
ditto all of the other conflicting files that I renamed in the krb5 
packages (incl. man pages).  It'll take some work to coordinate that, 
assuming that the inetutils maintainer is amenable (Corinna, I guess?)

Unfortunately, even if setup.exe had a conflicts: facility (soon, but 
not yet, I think), that wouldn't help -- because krb5 actually DEPENDS 
on an inetutils (static) library.  So both must be installed (at least 
on the build machine).  So, we can't simply undo my file renames, and 
say "install either krb5 or inetutils; not both".  That's just out of 
the question.  Blech...

You probably don't need to set up a /usr/lib/krb5kdc/kdc.conf file -- 
that's specific to KDCs, right?

>>So, I put these packages up in the hope that someone will adopt them, 
>>and bring them into the cygwin fold.  If so, then I'll continue on my 
>>current track with cvsnt (which hopefully will eventually lead to 
>>functioning cvs servers...)
> 
> 
> I may be interested to maintain this of course as time allows.

That'd be cool, if you can manage it.  Like I said, I'm in no hurry 
here.  Try 'em out, let me know if they work...look at the excrescence 
that is my build script -- the tarballs aren't going anywhere.

--Chuck



