

4 How to Connect to and Authenticate Oneself to the CVS server

Connection and authentication occur before the CVS protocol itself is started. There are several ways to connect.

server
If the client has a way to execute commands on the server, to provide input to those commands, and to receive output from them, then it can connect that way. This could be the usual rsh (port 514) protocol, Kerberos rsh, SSH, or any similar mechanism. The client may allow the user to specify the name of the server program; the default is cvs. It is invoked with one argument, server. Once it invokes the server, the client proceeds to start the cvs protocol.
kserver
The kerberized server listens on a port (in the current implementation, by having inetd call "cvs kserver") which defaults to 1999. The client connects, sends the usual Kerberos authentication information, and then starts the cvs protocol. Note: port 1999 is officially registered for another use, and in any event one cannot register more than one port for CVS, so the kerberized client and server should be changed to use port 2401 (see below), and send a different string in place of `BEGIN AUTH REQUEST' to identify the authentication method in use. However, no one has yet gotten around to implementing this.
pserver
The password authenticated server listens on a port (in the current implementation, by having inetd call "cvs pserver") which defaults to 2401 (this port is officially registered). The client connects, sends the string `BEGIN AUTH REQUEST', a linefeed, the cvs root, a linefeed, the username, a linefeed, the password trivially encoded (see scramble.c in the cvs sources), a linefeed, the string `END AUTH REQUEST', and a linefeed. The client must send the identical string for cvs root both here and later in the Root request of the cvs protocol itself. Servers are encouraged to enforce this restriction. The server responds with `I LOVE YOU' and a linefeed if the authentication is successful or `I HATE YOU' and a linefeed if the authentication fails. After receiving `I LOVE YOU', the client proceeds with the cvs protocol. If the client wishes to merely authenticate without starting the cvs protocol, the procedure is the same, except `BEGIN AUTH REQUEST' is replaced with `BEGIN VERIFICATION REQUEST', `END AUTH REQUEST' is replaced with `END VERIFICATION REQUEST', and upon receipt of `I LOVE YOU' the connection is closed rather than continuing.
future possibilities
There are a nearly unlimited number of ways to connect and authenticate. One might want to allow access based on IP address (similar to the usual rsh protocol but with different/no restrictions on ports < 1024), to adopt mechanisms such as the General Security Service (GSS) API or Pluggable Authentication Modules (PAM), to allow users to run their own servers under their own usernames without root access, or any number of other possibilities. The way to add future mechanisms, for the most part, should be to continue to use port 2401, but to use different strings in place of `BEGIN AUTH REQUEST'.
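
The pserver exchange described above, seen from the server side, as an added example that is not code from the CVS sources. It parses the five linefeed-terminated lines, rejects mismatched BEGIN/END pairs, and enforces that the later Root request repeats the authenticated cvs root. Assumptions: the function names and the check_credentials callback are hypothetical, the scrambled password is treated as opaque bytes (scramble.c is not reproduced), malformed input is answered like a failed login, and the Root request line is taken to have the form "Root <pathname>" followed by a linefeed.

```python
MARKERS = {
    b"BEGIN AUTH REQUEST": (b"END AUTH REQUEST", "auth"),
    b"BEGIN VERIFICATION REQUEST": (b"END VERIFICATION REQUEST", "verify"),
}
ACCEPT, REJECT = b"I LOVE YOU\n", b"I HATE YOU\n"

# Constructed sample input; the password field is an opaque placeholder.
SAMPLE = (b"BEGIN AUTH REQUEST\n/var/cvsroot\nalice\n"
          b"<scrambled-password>\nEND AUTH REQUEST\n")

def parse_request(data: bytes):
    """Split the five linefeed-terminated lines; return None if malformed."""
    parts = data.split(b"\n", 5)
    if len(parts) != 6:
        return None                  # fewer than five linefeeds: truncated
    begin, root, user, scrambled, end, rest = parts
    if begin not in MARKERS:
        return None                  # unknown authentication method string
    expected_end, mode = MARKERS[begin]
    if end != expected_end or not root or not user:
        return None                  # mismatched BEGIN/END pair or empty field
    return {"mode": mode, "root": root, "user": user,
            "scrambled": scrambled, "rest": rest}

def answer(data: bytes, check_credentials):
    """Return (reply, request). request is None when the reply is a rejection.

    check_credentials(user, scrambled, root) -> bool is a hypothetical
    callback standing in for the server's password lookup.
    """
    req = parse_request(data)
    if req is None or not check_credentials(
            req["user"], req["scrambled"], req["root"]):
        return REJECT, None
    return ACCEPT, req

def root_request_allowed(req: dict, line: bytes) -> bool:
    """True only if the Root request repeats the authenticated root exactly."""
    prefix = b"Root "
    if req["mode"] != "auth":        # verification-only sessions end here
        return False
    if not line.startswith(prefix) or not line.endswith(b"\n"):
        return False
    return line[len(prefix):-1] == req["root"]
```

Comparing the Root pathname byte for byte, without normalising it, keeps a client from authenticating against one repository and then naming another.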

