This post is years late, so it’s more a reminder to me than something useful to other people. I googled for the instructions; here’s the summary.
Goal: set up a CVS server, authenticate access with ssh, don’t give a shell to users.
Requisite: Start with a working CVS repository
Recipe: (Unix-like systems only)
- Each user creates a public/private key pair, using ssh-keygen -t dsa with an empty passphrase. This is the most important thing not to miss: the permissions of the private key file must make it accessible only to the owner; chmod 600 .ssh/id_* will do.
- The users send the public key file ~/.ssh/id_dsa.pub to the administrator of the server.
- The administrator creates a user for each of them on the server (without allowing login, for further security) and puts a copy of the public key file in the .ssh directory of their home directories.
- The file .ssh/authorized_keys must contain the line
command="/usr/sbin/cvs --allow-root=<cvs repository dir> server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-dss <the public key>= user@domain
Note the server parameter to the cvs command, and that the quotes around the command must be plain ASCII double quotes. The last part of the line (key type, key and comment) must be pasted directly from the public key file.
Test:
The user sets the CVSROOT environment variable and checks out the files
export CVSROOT=:ext:<user@cvs.server>:<path to repository>
cvs co <project>
Note that ssh user@cvs.server won’t give a shell to the users, whether or not the administrator granted login permissions at the creation of the accounts. The cvs server command is run instead.
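A way for the administrator to check that every line in an authorized_keys file really carries the forced cvs server command and all four restrictions from the recipe. This is an added example, not part of the original recipe; the function names, the /srv/cvs path and the sample lines are made up for illustration.

```python
"""Audit authorized_keys lines for the forced-command CVS setup (added example)."""

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
REQUIRED = {"no-port-forwarding", "no-pty", "no-x11-forwarding", "no-agent-forwarding"}

def parse_options(line):
    """Split the leading options field of an authorized_keys line into a dict."""
    if line.startswith(KEY_TYPES):           # line has no options field at all
        return {}
    opts, token, quoted, prev = {}, "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":       # only ASCII quotes delimit a value
            quoted = not quoted
        elif not quoted and ch in ", \t":
            name, _, value = token.partition("=")
            opts[name.lower()] = value       # option names are case-insensitive
            token = ""
            if ch != ",":                    # unquoted whitespace ends the field
                break
        else:
            token += ch
        prev = ch
    return opts

def audit(line):
    """Return the list of problems for one line (empty list means OK)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts = parse_options(line)
    problems = []
    cmd = opts.get("command", "").split()
    if not cmd or not (cmd[0].startswith("/") and cmd[0].endswith("/cvs")) or cmd[-1] != "server":
        problems.append("no forced 'cvs ... server' command")
    elif not any(arg.startswith("--allow-root=/") for arg in cmd):
        problems.append("forced command lacks --allow-root=<dir>")
    return problems + ["missing " + o for o in sorted(REQUIRED - set(opts))]

SAMPLE = [  # constructed lines; the key material is a placeholder
    'command="/usr/sbin/cvs --allow-root=/srv/cvs server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAexample= alice@example.org',
    'command="/usr/sbin/cvs --allow-root=/srv/cvs server",no-pty ssh-dss AAAAexample= bob@example.org',
    'ssh-dss AAAAexample= carol@example.org',   # plain key: would allow a shell
    'command=”/usr/sbin/cvs --allow-root=/srv/cvs server”,no-pty ssh-dss AAAAexample= dave@example.org',  # typographic quotes
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.split()[-1], audit(entry) or "OK")
```

The last sample shows what happens when the line is pasted with typographic quotes: the options field ends at the first space, so neither the command nor the restrictions are recognised.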
See http://ioctl.org/unix/cvs/server and countless other documents for the details.