Technology and Software

Securing a CVS server with ssh

This post is years late, so it’s more a reminder to me than something useful to other people. I googled for the instructions; here’s the summary.

Goal: set up a CVS server, authenticate access with ssh, don’t give a shell to users.

Requisite: Start with a working CVS repository

Recipe: (Unix-like systems only)

  1. Each user creates a public/private key pair, using ssh-keygen -t dsa with an empty passphrase. This is the most important thing not to miss: the permissions of the private key file must make it accessible only to the owner; chmod 600 .ssh/id_* will do.
  2. The users send the public key file ~/.ssh/id_dsa.pub to the administrator of the server.
  3. The administrator creates a user for each of them on the server (without allowing login, for further security) and puts a copy of the public key file in the .ssh directory of their home directories.
  4. The file .ssh/authorized_keys must contain the line

command="/usr/sbin/cvs --allow-root=<cvs repository dir> server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-dss <the public key>= user@domain

Note the server parameter to the cvs command: it is what makes cvs speak the client/server protocol over the ssh connection. The last part of the line (key type, key and comment) must be pasted directly from the public key file.
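As an added example (not from the original post), the following shell functions build that authorized_keys entry from a user's public key file and audit an existing authorized_keys file for entries that lack the forced command or any of the restriction options. It assumes cvs lives at /usr/sbin/cvs as in the post; the repository path and the key file path are passed as arguments.

```shell
#!/bin/sh
# Added example: builds a forced-command authorized_keys entry for a CVS
# user, and checks an existing authorized_keys file for unrestricted entries.
# Assumption: the cvs binary is at /usr/sbin/cvs (as in the post).
# Usage: build_entry /var/cvs /tmp/id_dsa.pub >> ~user/.ssh/authorized_keys
#        check_authorized_keys ~user/.ssh/authorized_keys

# build_entry REPO PUBKEY_FILE
# Prints one authorized_keys line for the single-line public key in the file.
build_entry() {
    repo=$1
    pubkey=$(cat "$2")   # "ssh-dss AAAA... user@domain", newline stripped
    # "server" makes cvs run the client/server protocol over the ssh pipe;
    # --allow-root confines it to the named repository; the no-* options
    # deny the ssh features a forced cvs command never needs.
    printf 'command="/usr/sbin/cvs --allow-root=%s server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$repo" "$pubkey"
}

# check_authorized_keys FILE
# Reports every key line missing the forced command or a restriction option.
# Returns 1 if any such line exists, 0 if all entries are restricted.
check_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        for need in 'command="/usr/sbin/cvs --allow-root=' \
                    no-port-forwarding no-pty no-X11-forwarding no-agent-forwarding; do
            case $line in
                *"$need"*) ;;
                *) printf 'unrestricted entry (missing %s): %s\n' "$need" "$line" >&2
                   bad=1
                   break ;;
            esac
        done
    done < "$1"
    return $bad
}
```

A key appended to authorized_keys without the command= prefix would give that key's holder whatever the account's shell allows, which is exactly what the audit function flags.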

Test:

The user sets the CVSROOT environment variable and checks out the files:

export CVSROOT=:ext:<user@cvs.server>:<path to repository>
cvs co <project>

Note that ssh user@cvs.server won’t give a shell to the users, whether or not the administrator granted login permissions when creating the accounts: the forced cvs server command is run instead.

See http://ioctl.org/unix/cvs/server and countless other documents for the details.
