Technology and Software

Securing a CVS server with ssh

This post is years late, so it’s more a reminder to me than something useful to other people. I goggled for the instructions, here’s the summary.

Goal: set up a CVS server, authenticate access with ssh, don’t give a shell to users.

Requisite: Start with a working CVS repository

Recipe: (Unix-like systems only)

  1. Each user creates a public/private key pair, using ssh-keygen -t dsa with an empty passphrase. This is the most important thing not to miss: the permissions of the private key file must make it accessible only to the owner; chmod 600 .ssh/id_* will do.
  2. The users send the public key file ~/.ssh/ to the administrator of the server.
  3. The administator creates a user for each of them on the server (doesn’t allow login for further security) and puts a copy of the public key file in the .ssh directory of their home directories.
  4. The file .ssh/authorized_keys must contain the line

command=”/usr/sbin/cvs -allow-root=<cvs repository dir> server”,no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding dsa <the public key>= user@domain

Note the server parameter to the cvs command. The last part of the line must be pasted directly from the the public key file.


The user sets the CVSROOT environment variable and checks out the files
export CVSROOT=:ext:<user@cvs.server>:<path to repository>
cvs co <project>

Note that ssh user@cvs.server won’t give a shell to the users, wheter or not the administrator granted login permissions at the creation of the accounts. The cvs server command is run instead.

See and countless other documents for the details.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s