SUMMARY: cvs with/without pserver won't authenticate in a C2/enha nced security env

From: Georgette, Danielle <Danielle.Georgette_at_det.nsw.edu.au>
Date: Fri, 02 Aug 2002 00:44:23 +1000

Its seems this is my week to ask for reference sites and get deafening
silence :)

No replies - it seems no-one is running cvs with pserver in a C2 enabled
environment. I'm pretty surprised by this but sometimes that's how it goes.

I've bypassed pserver and it seems will have to push our developers kicking
and screaming into using ssh with public key authentication. This works and
it's the only way I can see around cvs's seeming inability to natively
authenticate users if the mechanisms are not a plain passwd file and
standard crypt.

I'd still like to hear that someone has managed to get this working, so feel
free to prove me wrong.

Danielle

-----Original Message-----
From: Georgette, Danielle
Sent: Wednesday, 31 July 2002 11:09 PM
To: 'tru64-unix-managers_at_ornl.gov'
Subject: cvs with/without pserver won't authenticate in a C2/enhanced
security env


It seems this is my week to ask for reference sites :-)

I'm attempting to migrate a cvs installation on a Tru64 5.1a pk2 to work in
an enhanced (c2) security environment and once again having a tough time of
it.

The cvs installation doesn't seem to want to touch the c2 authentication
framework, failing with different errors depending on the combination of
user and cvs authentication/CVSROOT I try:

1. Configured with a pserver passwd file containing the user and their
password as cut'n'pasted from the edauth -g output.
2. Tried having a pserver passwd file that the user was not in (which should
have prompted pserver to use the native system authentication and
/etc/passwd with what should be transparent c2).
3. Tried with no pserver passwd file (same expected result as above).
4. Tried to login using local rather than pserver.

No joy, and a different error each time. I've checked permissions, filenames
and paths, inetd.conf and /etc/services for spaces and control codes, etc
etc.

It seems the login attempts are never reaching the c2 subsystem because I
see nothing in logs or the security db about failed login attempts.

Otherwise CVS works fine, managing content as the cvs user on the local
machine works totally as expected. I can't find any information on how to
get cvs to log pserver connection attempts or verbosely tell me what its
doing when its trying to authenticate and failing. File/content change
logging during authenticated operation is all I can see on offer.
 
Does anyone have this working with c2 or have a clue what I might be doing
wrong ? Any idea how to get some meaningful logging happening ? My next step
is to use alphatrace on the binary but I thought I'd put this out to you all
and see what comes back.

root_at_node1:># su - cvs
node1.testh.det.nsw.edu.au> cvs -d
:local:cvs_at_node1.testh.det.nsw.edu.au:/path/app/cvs/mw login cvs [login
aborted]: CVSROOT cvs_at_node1.testh.det.nsw.edu.au:/path/app/cvs/mw must be an
absolute pathname

Logged in as cvs user (valid password valid account)

node1.testh.det.nsw.edu.au> cvs -d
:pserver:cvs_at_node1.testh.det.nsw.edu.au:/path/app/cvs/mw login (Logging in
to cvs_at_node1.testh.det.nsw.edu.au) CVS password:
cvs login: authorization failed: server node1.testh.det.nsw.edu.au rejected
access to /path/app/cvs/mw for user cvs

root_at_node1:># telnet localhost 2401
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

cvs [pserver aborted]: bad auth protocol start:

Connection closed by foreign host

> cvs --version

Concurrent Versions System (CVS) 1.11 (client/server)

/etc/services: cvspserver 2401/tcp # cvs pserver
/etc/inetd.conf cvspserver stream tcp nowait root /usr/local/cvs/bin/cvs cvs
--allow-root=/path/app/cvs/mw pserver

Thanks again, as always,

Danielle Georgette
Internet Systems
ITD NSW DET
Received on Thu Aug 01 2002 - 14:44:55 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:43 NZDT