Setting up a CVS server via SSH

without offering a shell access. Here is a quick recipe that uses:

the ext method of CVS defined as ssh
private/public ssh keys for authentication
clamps in .ssh/authorized_keys to disallow shell access

#1 Choose a machine with

a permanent internet connection (if necessary)
a running ssh (secure shell) server (sshd)
cvs installed

The instructions below assume a unix like operating system.

#2 Create a local user (say projectcvs)

The password can be left undefined (set it to * in the password field of /etc/passwd or equivalent). In such case, access can be granted either as root or by adding a public key in "$HOME/.ssh/authorized_keys".
Create a minimal .cshrc if the login shell is csh or .profile if the login shell is sh. For instance (.cshrc):
```
set path=(/bin /usr/bin /bin ) # not totally necessary
umask 022
```
make sure that $HOME is properly backed up.

The disadvantage of using one user ("projectcvs") is that the author in the logs is always the same. One way around is to set up as many users as necessary on the server and grant them access to the CVS repository using group permissions.

#3 Create a cvs directory

Log as 'projectcvs', type: cd $HOME; cvs -d$HOME/cvs init.
Import the existing cvs data within $HOME/cvs.

#4 Set up the ssh infrastructure

create a directory $HOME/.ssh, make it "chmod 700".
create a file $HOME/.ssh/authorized_keys. Type touch "$HOME/.ssh/authorized_keys; chmod 600 $HOME/.ssh/authorized_keys"

#5 Add ssh keys

Add each ssh public key in $HOME/.ssh/authorized_keys on one line with the following model.

command="/path/to/cvs server",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA<...>jQaqs= foo@bar

(see 'man sshd', section 'AUTHORIZED_KEYS FILE FORMAT')
The above line grants access for the user having the associated private key. The only usable command is "/path/to/cvs server", which provides a reasonably good safety level.

The cvs option --allow-root=/path/to/cvsrepo is not be honored with the ":ext:" access method and, therefore cannot be used (unless patching cvs on the server, see http://ioctl.org/unix/cvs/server).

#6 Test the cvs connection

Logged as a different user whose public key has been entered as above, the access is done using:

env CVS_RSH=ssh cvs -d:ext:projectcvs@host.xx.yy.zz:/path/to/cvs_directory checkout .

The "-d" option can be omitted once a snapshot is obtained as cvs will find the relevant information stored in the local directory CVS. However, CVS_RSH must still be set.

Starting cvs 1.12.11 on the client side, one can use a new syntax, a welcome addition to avoid forgetting setting CVS_RSH. I did not try it though.

env CVS_RSH=ssh cvs -d:ext;CVS_RSH=/path/to/ssh:projectcvs@host.xx.yy.zz:/path/to/cvs_directory checkout .

#7 A few tips about CVS

Information about using CVS is available at http://www.cvshome.org. The cvs manual is available at http://www.cvshome.org/docs/manual/.

Some particularly useful commands are:

cvs -nq update lists the files that may need updating but do not update them.
cvs update updates your snapshot to the most current version in the repository.
cvs -n diff -rHEAD shows the differences between your snapshot and the most current version in the repository.

References

Anonymous CVS access via ssh, Joey Hess. http://www.kitenet.net/~joey/sshcvs/
Setting up a CVS server for ssh clients http://ioctl.org/unix/cvs/server

$Id: CVSserver.html,v 1.5 2005/01/14 12:12:56 arnaud Exp $