Discussion:
Local CVS Authentication
Harris, Sam
2011-10-31 21:39:45 UTC
We have used Active Directory for CVS authentication for many years. But a new directive has been handed down that requires all applications to be PIV enabled. In about six weeks Active Directory will be disabled. We have been given two choices. (1) Re-Configure CVS to authenticate all users, and (2) migrate all CVS projects to SVN.
We have 50 projects and 60 users and use CVSNT 2.0.58d/TortoiseCVS 1.8.11.

My questions
Can CVS be PIV enabled?
Which of my two choices will be the quickest and best?

Sam

------------------------------------
Whenever two people meet, there are really six people present. There is each person as he sees himself, each person as the other person sees him, and each person as he really is. - William James, psychologist and philosopher (1842 - 1910)
Arthur Barrett
2011-11-01 04:38:07 UTC
Hi Sam,

FIPS 201 PIV - Personal Identity Verification for the Federal
Government? I.e., an RSA key stored on a smart card accessed by a
vendor-specific API and a PIN entered by the user?

I work for the vendor of CVSNT as the product manager. I recommend you
contact Glen Starrett in Memphis TN on 800-653-1501 x803. He's the
technical account manager for your area and can help with a quote and
assistance with your upgrade.

Version control systems are not interchangeable - they support your SCCM
business process. For commercial/professional programmers that process
usually includes the need to relate one change to another based on a
job/defect/test-case etc - this is a changeset and is supported by CVSNT
but not CVS or SVN.
http://march-hare.com/cvsnt/features/changesets/

There are many many other features supported by the latest CVSNT that
are not supported by SVN (failsafe audit, auto merge with mergepoints,
distributed repositories etc), but what's important is that the tool has
the features to support your business process: PIV included. If you are
using CVSNT today then clearly it does support your business process.

Exactly how you configure CVSNT to work with your smartcard technology
will depend on your client operating system, CVS Server version and
operating system and the client/server protocol in use (pserver, ssh,
sspi etc).

I think TortoiseCVS is irrelevant to this discussion, it's a graphical
front end to CVSNT - the
checkin/checkout/authentication/changesets/audit/reserving etc is done
by CVSNT, not by the GUI.

Regards,


Arthur Barrett
Product Manager
Robert Auch
2011-11-01 16:04:12 UTC
Hi Sam,

When you say "Active Directory will be shut down" - do you mean your access to AD, or that all of the AD servers themselves will be shut down? You can safely change your existing CVS implementation to GServer (GSSAPI) only, and require that the Kerberos ticket for Auth comes from a PKI / PIV smartcard logon on the client. This should satisfy FIPS201, and only require reconfiguring the CVS implementation, as long as your Unix systems are already connected to Kerberos. BeyondTrust's PBIS Open is a fully OSS client that can help on the OS side if required, too. I've personally done CVS Pserver/GServer implementations with PBIS (formerly Likewise Open) as part of larger security projects like you are suggesting going through. Let me know if I can assist further.

--
Robert Auch
BeyondTrust
***@beyondtrust.com
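
An added example, not part of any poster's message: if the server is moved to GServer (GSSAPI) only as suggested above, existing working copies still record their old access method in each `CVS/Root` file. This sketch walks a directory tree and reports sandboxes whose recorded CVSROOT does not use `:gserver:`. The host name, project names and the "gserver only" policy set are assumptions made for the illustration, and the sample tree is constructed.

```python
import os
import tempfile

ALLOWED_METHODS = {"gserver"}  # assumed policy: GSSAPI/Kerberos only


def root_method(root):
    """Return the access method named in a CVSROOT string."""
    root = root.strip()
    if root.startswith(":"):
        # :method[;option=value...]:[user@]host:/path
        return root[1:].split(":", 1)[0].split(";", 1)[0].lower()
    if root.startswith("/") or (len(root) > 1 and root[1] == ":" and root[0].isalpha()):
        return "local"  # /path or a drive-letter path such as C:/path
    return "ext" if ":" in root else "local"  # bare host:/path defaults to ext


def audit(top):
    """Return sorted (sandbox dir, method, root) for every CVS/Root outside policy."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(top):
        if os.path.basename(dirpath) == "CVS" and "Root" in filenames:
            path = os.path.join(dirpath, "Root")
            with open(path, encoding="utf-8", errors="replace") as fh:
                root = fh.readline().strip()
            method = root_method(root)
            if method not in ALLOWED_METHODS:
                sandbox = os.path.relpath(os.path.dirname(dirpath), top)
                findings.append((sandbox, method, root))
    return sorted(findings)


def demo():
    """Build a constructed tree of three sandboxes and audit it."""
    samples = {  # constructed sample data, hypothetical host and projects
        "proj_a": ":sspi:cvs.example.test:/cvsroot",
        "proj_b": ":gserver:cvs.example.test:/cvsroot",
        "proj_c": ":pserver:sam@cvs.example.test:/cvsroot",
    }
    with tempfile.TemporaryDirectory() as top:
        for name, root in samples.items():
            os.makedirs(os.path.join(top, name, "CVS"))
            with open(os.path.join(top, name, "CVS", "Root"), "w") as fh:
                fh.write(root + "\n")
        return audit(top)


if __name__ == "__main__":
    for sandbox, method, root in demo():
        print(f"{sandbox}: {method} ({root})")
```
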

