This post is years late, so it’s more a reminder to me than something useful to other people. I googled for the instructions; here’s the summary.
Goal: set up a CVS server, authenticate access with ssh, don’t give a shell to users.
Prerequisite: start with a working CVS repository.
Recipe: (Unix-like systems only)
- Each user creates a public/private key pair, using ssh-keygen -t dsa with an empty passphrase. This is the most important thing not to miss: the permissions of the private key file must make it accessible only to the owner; chmod 600 .ssh/id_* will do.
- The users send the public key file ~/.ssh/id_dsa.pub to the administrator of the server.
- The administrator creates a user for each of them on the server (without allowing login, for further security) and puts a copy of the public key file in the .ssh directory of their home directories.
- The file .ssh/authorized_keys must contain the line
command="/usr/sbin/cvs --allow-root=<cvs repository dir> server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-dss <the public key>= user@domain
Note the server parameter to the cvs command. The last part of the line must be pasted directly from the public key file.
- The user sets the CVSROOT environment variable and checks out the files:
export CVSROOT=:ext:<email@example.com>:<path to repository>
cvs co <project>
Note that ssh firstname.lastname@example.org won’t give a shell to the users, whether or not the administrator granted login permissions at the creation of the accounts. The cvs server command is run instead.
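The administrator's step can be scripted so that a submitted key file cannot bring its own options or break out of the quoted command. The following is an added example, not part of the original recipe: the function names make_entry and check_entry are hypothetical, the cvs path is the one used above, and only key types starting with ssh- or ecdsa- are assumed.

```sh
#!/bin/sh
# Added example: build and check the restricted authorized_keys entry.
# CVS_BIN is the path used in the post; adjust it for your system.
CVS_BIN=/usr/sbin/cvs
RESTRICT=no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding
NL='
'

# make_entry <repository dir> <public key line>
# Prints the authorized_keys line; returns 1 if an input is unsafe.
make_entry() {
    repo=$1 key=$2
    # The path lands inside a double-quoted command string, so refuse
    # anything that could close the quote or add arguments.
    case $repo in
        /*[!A-Za-z0-9/._-]*|[!/]*|'') echo "unsafe repository path" >&2; return 1 ;;
    esac
    # Accept only "<type> <base64> [comment]" on one line, so a submitted
    # file cannot carry its own options or a second entry.
    case $key in
        *"$NL"*) echo "public key must be a single line" >&2; return 1 ;;
    esac
    ktype=${key%% *} rest=${key#* }
    blob=${rest%% *}
    case $ktype in
        ssh-*|ecdsa-*) ;;
        *) echo "line does not start with a key type" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac
    printf 'command="%s --allow-root=%s server",%s %s\n' \
        "$CVS_BIN" "$repo" "$RESTRICT" "$key"
}

# check_entry <authorized_keys line>
# Returns 0 only if the line forces "cvs server" and has all four options.
check_entry() {
    case $1 in
        "command=\"$CVS_BIN --allow-root="*" server\","*) ;;
        *) return 1 ;;
    esac
    rest=${1#*' server",'}
    opts=,${rest%% *},
    for opt in no-port-forwarding no-pty no-X11-forwarding no-agent-forwarding; do
        case $opts in *",$opt,"*) ;; *) return 1 ;; esac
    done
}
```

Run check_entry over each line of an existing authorized_keys file to find accounts whose key would still get a shell or forwarding.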
See http://ioctl.org/unix/cvs/server and countless other documents for the details.