How to Connect to and Authenticate Oneself to the CVS server
************************************************************

   Connection and authentication occurs before the CVS protocol itself
is started.  There are several ways to connect.

server
     If the client has a way to execute commands on the server, and
     provide input to the commands and output from them, then it can
     connect that way.  This could be the usual rsh (port 514)
     protocol, Kerberos rsh, SSH, or any similar mechanism.  The client
     may allow the user to specify the name of the server program; the
     default is `cvs'.  It is invoked with one argument, `server'.
     Once it invokes the server, the client proceeds to start the cvs
     protocol.

kserver
     The kerberized server listens on a port (in the current
     implementation, by having inetd call "cvs kserver") which defaults
     to 1999.  The client connects, sends the usual kerberos
     authentication information, and then starts the cvs protocol.
     Note: port 1999 is officially registered for another use, and in
     any event one cannot register more than one port for CVS, so the
     kerberized client and server should be changed to use port 2401
     (see below), and send a different string in place of `BEGIN AUTH
     REQUEST' to identify the authentication method in use.  However,
     noone has yet gotten around to implementing this.

pserver
     The password authenticated server listens on a port (in the current
     implementation, by having inetd call "cvs pserver") which defaults
     to 2401 (this port is officially registered).  The client
     connects, sends the string `BEGIN AUTH REQUEST', a linefeed, the
     cvs root, a linefeed, the username, a linefeed, the password
     trivially encoded (see scramble.c in the cvs sources), a linefeed,
     the string `END AUTH REQUEST', and a linefeed.  The client must
     send the identical string for cvs root both here and later in the
     `Root' request of the cvs protocol itself.  Servers are encouraged
     to enforce this restriction.  The server responds with `I LOVE
     YOU' and a linefeed if the authentication is successful or `I HATE
     YOU' and a linefeed if the authentication fails.  After receiving
     `I LOVE YOU', the client proceeds with the cvs protocol.  If the
     client wishes to merely authenticate without starting the cvs
     protocol, the procedure is the same, except `BEGIN AUTH REQUEST' is
     replaced with `BEGIN VERIFICATION REQUEST', `END AUTH REQUEST' is
     replaced with `END VERIFICATION REQUEST', and upon receipt of `I
     LOVE YOU' the connection is closed rather than continuing.

future possibilities
     There are a nearly unlimited number of ways to connect and
     authenticate.  One might want to allow access based on IP address
     (similar to the usual rsh protocol but with different/no
     restrictions on ports < 1024), to adopt mechanisms such as the
     General Security Service (GSS) API or Pluggable Authentication
     Modules (PAM), to allow users to run their own servers under their
     own usernames without root access, or any number of other
     possibilities.  The way to add future mechanisms, for the most
     part, should be to continue to use port 2401, but to use different
     strings in place of `BEGIN AUTH REQUEST'.