Connection and authentication occur before the CVS protocol itself is
started. There are several ways to connect.
- server
  If the client has a way to execute commands on the server, and provide
  input to the commands and output from them, then it can connect that
  way. This could be the usual rsh (port 514) protocol, Kerberos rsh,
  SSH, or any similar mechanism. The client may allow the user to specify
  the name of the server program; the default is `cvs'. It is
  invoked with one argument, `server'. Once it invokes the server,
  the client proceeds to start the cvs protocol.
- kserver
  The kerberized server listens on a port (in the current implementation,
  by having inetd call "cvs kserver") which defaults to 1999. The client
  connects, sends the usual Kerberos authentication information, and then
  starts the cvs protocol. Note: port 1999 is officially registered for
  another use, and in any event one cannot register more than one port for
  CVS, so the kerberized client and server should be changed to use port
  2401 (see below), and send a different string in place of `BEGIN
  AUTH REQUEST' to identify the authentication method in use. However,
  no one has yet gotten around to implementing this.
- pserver
  The password authenticated server listens on a port (in the current
  implementation, by having inetd call "cvs pserver") which defaults to
  2401 (this port is officially registered). The client
  connects, sends the string `BEGIN AUTH REQUEST', a linefeed, the
  cvs root, a linefeed, the username, a linefeed, the password trivially
  encoded (see scramble.c in the cvs sources), a linefeed, the string
  `END AUTH REQUEST', and a linefeed. The client must send the
  identical string for cvs root both here and later in the `Root'
  request of the cvs protocol itself. Servers are encouraged to enforce
  this restriction. The server responds with
  `I LOVE YOU' and a linefeed if the authentication is successful or
  `I HATE YOU' and a linefeed if the authentication fails. After
  receiving `I LOVE YOU', the client proceeds with the cvs protocol.
  If the client wishes to merely authenticate without starting the cvs
  protocol, the procedure is the same, except `BEGIN AUTH REQUEST' is
  replaced with `BEGIN VERIFICATION REQUEST', `END AUTH REQUEST'
  is replaced with `END VERIFICATION REQUEST', and upon receipt of
  `I LOVE YOU' the connection is closed rather than continuing.
- future possibilities
  There is a nearly unlimited number of ways to connect and authenticate.
  One might want to allow access based on IP address (similar to the usual
  rsh protocol but with different/no restrictions on ports < 1024), to
  adopt mechanisms such as the General Security Service (GSS) API or
  Pluggable Authentication Modules (PAM), to allow users to run their own
  servers under their own usernames without root access, or any number of
  other possibilities. The way to add future mechanisms, for the most
  part, should be to continue to use port 2401, but to use different
  strings in place of `BEGIN AUTH REQUEST'.
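
The pserver exchange described above, seen from the server side, as an added example (not code from the CVS sources): it checks the framing of the request, picks the reply, and enforces the matching cvs root. The function names, the `check_credentials` callback, the sample account and the assumed `Root <cvs root>` line format are assumptions of this example; the password field is treated as opaque and scramble.c is not reimplemented.

```python
# Added example. Marker strings and replies are quoted from the text above.
MODES = {  # begin marker -> (required end marker, does the cvs protocol follow?)
    b"BEGIN AUTH REQUEST": (b"END AUTH REQUEST", True),
    b"BEGIN VERIFICATION REQUEST": (b"END VERIFICATION REQUEST", False),
}

def parse_auth_request(data: bytes):
    """Split the five linefeed-terminated lines; return None if the framing is wrong."""
    parts = data.split(b"\n", 5)
    if len(parts) != 6:                  # fewer than five complete lines
        return None
    begin, root, user, scrambled, end, rest = parts
    mode = MODES.get(begin)
    if mode is None or end != mode[0]:   # unknown or mismatched markers
        return None
    return {"root": root, "user": user, "scrambled": scrambled,
            "continues": mode[1], "rest": rest}

def respond(data: bytes, check_credentials):
    """Return (reply, request). Treating bad framing as a failed login is this
    example's choice; check_credentials is a hypothetical callback."""
    req = parse_auth_request(data)
    if req is None or not check_credentials(req["root"], req["user"], req["scrambled"]):
        return b"I HATE YOU\n", None
    return b"I LOVE YOU\n", req

def root_request_matches(req, line: bytes) -> bool:
    """Enforce that the later Root request repeats the authenticated cvs root."""
    # Assumption: the request line has the form "Root <cvs root>" plus a linefeed.
    return line == b"Root " + req["root"] + b"\n"

# Constructed sample data: the password field is an opaque placeholder,
# not real scramble.c output.
ACCOUNTS = {(b"/usr/local/cvsroot", b"alice"): b"SCRAMBLED-PLACEHOLDER"}

def check(root, user, scrambled):
    return ACCOUNTS.get((root, user)) == scrambled

SAMPLE = (b"BEGIN AUTH REQUEST\n/usr/local/cvsroot\nalice\n"
          b"SCRAMBLED-PLACEHOLDER\nEND AUTH REQUEST\n")

if __name__ == "__main__":
    reply, req = respond(SAMPLE, check)
    print(reply, root_request_matches(req, b"Root /usr/local/cvsroot\n"))
```

When `continues` is false the server closes the connection after the reply; otherwise `rest` holds any bytes of the cvs protocol that arrived in the same read.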