
Setting up a secure CVS server with OpenSSH

Posted by Steve on Fri 7 Jan 2005 at 10:45

CVS is the Concurrent Versioning System, which allows multiple people to obtain source code, work on it and commit it back to a single central repository. Setting up a simple CVS server isn't difficult, and can be done securely with OpenSSH.

If you wish to create a central repository of code so that you can work on things at different sites, or have multiple people collaborate on it with you, then CVS is ideal.

CVS does lack several things, such as the ability to rename files and have the history follow, but it's one of the most widely used revision control systems around, and very likely to remain popular even with the rise of multiple competing systems such as "arch", "subversion", etc.

Setting up a secure CVS repository is fairly straightforward. One of the things that can make it more secure is to deny anonymous users the ability to log in and work with the code; instead, anonymous users can only view the code through the web.

This might not be desired, so we'll leave that as an open question for the moment.

First of all you'll need to set up the server:

apt-get install cvs

This will install the CVS binaries which you can now use to create the repository for storing your code.

When you do this you'll be asked a couple of questions: whether you wish to create a repository and whether you wish to start a server. Answer with the defaults, which will be to not launch a server. If you answer yes here you'll be running an insecure server.

In the following example I create a repository which is owned by the user and group cvs and is located at /home/cvs:

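# create the group first, then a cvs user whose primary group is cvs
groupadd cvs
useradd -g cvs cvs
mkdir /home/cvs
# initialise the repository; this creates /home/cvs/CVSROOT
cvs -d /home/cvs init
chown -R cvs:cvs /home/cvs
# owner and group get full access, everyone else gets none
chmod -R 770 /home/cvs
# the administrative files in CVSROOT become owner-only
chmod 700 /home/cvs/CVSROOT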

Now any local account that needs to write to the repository should be added to the cvs group and will then be able to add and modify projects.
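The permissions above are what keep the repository closed to accounts outside the cvs group, so it is worth checking them after setup and again after later changes. The script below is an added example, not part of the original article: the function names audit_cvs_repo and make_sample_repo and the finding labels are assumptions made for illustration, and the sample tree is constructed so the check can be tried without a real repository.

```shell
#!/bin/sh
# Added example: audit the permission layout of a CVS repository root.
# Prints one finding per line; returns 0 if clean, 1 on findings,
# 2 if the directory is not an initialised repository.
audit_cvs_repo() {
    repo=$1
    admin="$repo/CVSROOT"
    if [ ! -d "$admin" ]; then
        echo "not-a-repository: $repo"
        return 2
    fi
    findings=$(
        # Any "other" permission bit undoes the chmod -R 770 step.
        find "$repo" \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/world-accessible: /'
        # Module directories the group cannot read, write and enter.
        find "$repo" -type d ! -path "$admin" ! -path "$admin/*" \
            ! -perm -070 -print | sed 's/^/group-cannot-commit: /'
        # CVSROOT that group members cannot read and enter (e.g. mode 700).
        find "$admin" -prune ! -perm -050 -print |
            sed 's/^/group-locked-out: /'
        # CVSROOT/passwd is the pserver password file; SSH-only setups
        # have no use for it.
        if [ -e "$admin/passwd" ]; then
            echo "pserver-passwd-present: $admin/passwd"
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree standing in for /home/cvs (no cvs binary needed),
# with the same modes as the commands in the article.
make_sample_repo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/CVSROOT" "$d/project"
    touch "$d/project/README,v"
    chmod -R 770 "$d"
    chmod 700 "$d/CVSROOT"
    echo "$d"
}
```

On a real server the call would be audit_cvs_repo /home/cvs, run as root or as the cvs user so that every directory can be read.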

If they have remote access to the server that holds the repository, they will be able to check out copies as follows:

export CVS_RSH=ssh
cvs -d :ext:username@repository.host.name:/home/cvs login
cvs -d :ext:username@repository.host.name:/home/cvs co moduleName

They will be prompted for their login password and will be able to do a full checkout of the code.

Of course you need to add a module to CVS in the first place!

Assuming that you have a project held in a directory on the local machine which you wish to import, simply run:

cd ~/project
cvs -d /home/cvs import -m "Initial Import" project myname release

Once this is done you can move to a different directory and try to check it out:

cvs -d /home/cvs checkout project

If that works then you are done.

The only remaining question is: do you wish to allow anonymous users to check out your code? If you do then you need to take some additional steps.

If not you can just install viewcvs or cvsweb to allow a user to view the repository over the web.

Update: if you wish you can also set up CVS to allow anonymous read-only access to your repository.

 

 


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (203.10.xx.xx) on Tue 29 Nov 2005 at 22:31
Thanks for the useful article.

However, please note that the 'login' command is not supported by the :ext method.

Your suggested command:

cvs -d :ext:username@repository.host.name:/home/cvs login

is not required, and will not work!

Cheers,

Tim


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (81.240.xx.xx) on Mon 13 Mar 2006 at 17:20
I had to use

chmod 770 /home/cvs/CVSROOT

to make it work ...


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (166.77.xx.xx) on Thu 11 Dec 2008 at 05:36
I also had to give read/write to the cvs group for CVSROOT.
chmod 770 /home/cvs/CVSROOT


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (141.149.xx.xx) on Thu 7 Sep 2006 at 18:30
I also had to use

chmod 770 /home/cvs/CVSROOT

to allow users I had added to the cvs group to access CVSROOT.

Otherwise, great article! Very easy to understand and follow.


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (24.22.xx.xx) on Mon 13 Nov 2006 at 06:45
I was hung up a bit getting extssh to work, but finally I realized I didn't have OpenSSH server installed on my new build. If sshd is running, then you have it installed. Use 'ps -ef | grep sshd' to see if a process named sshd is running, or 'ls /etc/init.d/ssh' to see if the service is available. In my case it wasn't, so I used 'sudo apt-get install openssh-client openssh-server' to make sure I had the correct stuff installed.

This worked and afterwards I was able to connect to the repository via Eclipse.

Some other quick notes:
- make your cvs user's password secure. Folks expect that user to be present on servers and will immediately try 'cvs' as the password ;)
- when adding your user to the cvs (or maybe cvsusers) group using usermod, MAKE SURE TO USE THE -a switch! (e.g. usermod -a -G cvs someuser), otherwise you'll reset your user's groups to only be cvs. Errr... yeah, I did that then needed to boot up in recovery mode and fix the issue.


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (85.11.xx.xx) on Mon 12 Feb 2007 at 13:09
Or just use 'useradd username groupname'


Re: Setting up a secure CVS server with OpenSSH
Posted by Anonymous (85.11.xx.xx) on Mon 12 Feb 2007 at 13:15
I mean 'adduser name group' :)


Re: Setting up a secure CVS server with OpenSSH
Posted by busfault (69.205.xx.xx) on Sat 17 Feb 2007 at 16:39
Hey good article, thanks. I had been wanting to set up a revision system for some time. This worked very well and I had it up and running in minutes. Though as others had said, I had to use :ssh: to be able to login (am using TortoiseCVS for client). This will be so handy for me to edit files from school and home.
-Tom