Alex headshot

AlBlue’s Blog

Macs, Modularity and More

GServer support for CVS

2006 Eclipse

I wrote an extension for the CVS plugin in Eclipse to use GSSAPI (i.e. using :gserver:) in order to use existing authentication in a Kerberos setup. It's not for the faint hearted; kerberos is a beastie best left to people who have more time on their hands than patience.

You can download it from the bug 41097 report on if you've already got a kerberized CVS server set up. It currently works with 3.1 only (hey, it might with 3.2 but I'm wanting to get it working on 3.1 first, then refactor into 3.2), and it's been tested on Mac OS X so far. If you want to play around with it, and you don't have an existing CVS server setup, here's a little bit of food for thought:

  • You've got to have a Kerberos V5 server set up. The Java code doesn't support V4, and no, I'm not going to either.
  • You've got to run Java 1.4+. They added some nice libraries for GSSAPI authentication that this uses, so without that, it's not going to work. It's been tested on 1.4; it might work on 1.5 but YMMV.
  • This has only been tested on Eclipse 3.1. Whilst it's not impossible that the code will work unchanged for 3.2, I doubt it'll happen seamlessly. You never know; let me know if you get it working otherwise.
  • You have to ensure that there's a principal for the CVS server. The principal must be "cvs/", and you have to use exactly the same host name in your CVS connection later.
  • You have to export the key into a keytab, and make sure it's readable by the CVS server. The bad way of doing this is to make the keytab world-readable (it's like an /etc/shadow file). The good way of doing it is to set up group membership so that the CVS server can read from it. You can even create your own keytab specifically to hold the CVS server's key, as long as you define it in KRB5_KTNAME and make that environment variable available to your CVS server.
  • The KDC must support one of the supported types by Java, which if you're using the Sun VM consists of des-cbc-md5 des-cbc-crc des3-cbc-sha1
  • Once you've bounced everything (to make sure they all pick up the right stuff; not strictly necessary, but a sledgehammer is a good starting tool), do a kinit (to authenticate) followed by cvs -d checkout Something to see if it works. If it doesn't, there's no point in going further until it does.
  • If you've got kerberos set up, and you can access the CVS server, if you type klist you should see (at least) two tickets; one like alex@DOMAIN.COM and cvs/ Hooray! Now you're ready for the Eclipse plugin.
  • Download the plugin from bug 41907. You'll need to register if you haven't already. When it downloads, stick it in the plugins/ directory.
  • Say "THIS IS ALPHA QUALITY SOFTWARE" three times loudly to yourself, then start up Eclipse
  • Run kinit to insure that you've got a fresh TGT.
  • Go to the CVS repository screen (either by doing a New -> Project -> Checkout from CVS, or by doing New Repository from the CVS Repositories view). Enter in your hostname (exactly as before), along with the cvsroot, and select gserver as the protocol. It will currently ignore whatever password and userid you have in place, but you need to type something in the user box to allow the CVS wizard to move forwards. Then, if you're validating the connection (or browsing the existing repository) you'll see a message saying 'authenticating with gserver' and (after about 10 seconds) some activity. Longer than that, and you didn't run kinit, or there's another problem, and Eclipse is asking for the userid/password on the console (probably visible in the .log file). It will hang from here, and you'll have to kill Eclipse. What, you missed out the previous step?

There's a readme file in the Jar, along with the source code, so feel free to improve/play around with it (and preferably let me know so I can incorporate fixes etc.). I will be continuing to work on it; one major issue that I want to solve is getting the userid/password from the CVS wizard and utilising that to perform the authenticaiton if no klist has been run beforehand.

It would also be nice to know if you're using this, or you found it useful (or better still, if it didn't work and an error log) so drop me a line on the bug report or by e-mail from the README.TXT file.

More updates to follow later.