{"id":246,"date":"2010-04-20T12:19:22","date_gmt":"2010-04-20T12:19:22","guid":{"rendered":"http:\/\/www.scmgalaxy.com\/tutorials\/2010\/04\/20\/how-to-configure-and-use-ssh-authentication-system-server-cvs\/"},"modified":"2017-12-27T21:00:54","modified_gmt":"2017-12-27T21:00:54","slug":"how-to-configure-and-use-ssh-authentication-system-server-cvs","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/how-to-configure-and-use-ssh-authentication-system-server-cvs\/","title":{"rendered":"How to configure and use SSH authentication system server CVS"},"content":{"rendered":"

\"ssh-with-cvs\"<\/p>\n

How to configure and use SSH authentication system server CVS<\/strong><\/p>\n

cvs (Concurrent Version System) is a very popular version control tool. Although its function as Perforce, Subversion and other powerful, but because of its easy configuration, simple to use and the introduction of longer, so in all a kind of software project widely used.<\/p>\n

first is to install FreeBSD, and application security patches. This step is very simple, download a FreeBSD (the upcoming 5.2-RELEASE is a good choice, in this article was published, this version may have been able to download a) of the mini iso burning CD-ROM, then you can install the (choose \u201cMinimum\u201d installation). Note that, in order to be able to use ssh authentication, be sure to install the crypto. Configure the network for this machine, so after the restart just fine.<\/p>\n

then install the necessary package. FreeBSD 4.x built-in perl, but in 5.x in, perl be deleted from the basic system. In order to better use, including ACL, commit mail, and a number feature, you must install perl.<\/p>\n

I personally recommend using the ports in the 5.8.x version of perl. Before installing, first of all convinced that the system does not perl 5.6.x installed, the new system, they can safely execute the following command:<\/p>\n

This will remove the existing any package. In general, the majority of FreeBSD users use cvsup to update the system, but the release of the CD, cvsup-without-gui is not included, while the ordinary cvsup package requires a series of X11 libraries. To avoid trouble, consider the following two different ways to complete the first code update:<\/p>\n

<\/div>\n

1, using the FreeBSD’s cvs to synchronize code: <\/strong><\/p>\n

cvs-d: pserver: anoncvs@anoncvs.jp.FreeBSD.org: \/ home \/ ncvs login<\/p>\n

enter \u201canoncvs\u201d, Enter<\/p>\n

cd \/ usr<\/p>\n

cvs-R-d: pserver: anoncvs@anoncvs.jp.FreeBSD.org: \/ home \/ ncvs export-r RELENG_5_2 src ports<\/p>\n

Note: If you are not using 5.2-RELEASE, please make appropriate amendments to RELENG_5_2 (for example ,4-STABLE is RELENG_4, \u2013 CURRENT is the HEAD, etc.)<\/p>\n

2, install cvsup-without-gui: <\/strong><\/p>\n

pkg_add-r cvsup-without-gui<\/p>\n

then use cvsup to synchronize code, space is limited, I will not repeat them<\/p>\n

I recommend the first method, of course, the second method should be faster, and does not require manually compiling cvsup. Subsequently, the installation of Perl 5.8.x:<\/p>\n

cd \/ usr \/ ports \/ lang \/ perl5.8 & & make all install clean & & rehash<\/p>\n

Then we will face a very serious problem: ports inside use.perl script does not know the system had not installed perl, so the time to be wrong in the implementation \u2013 this time, just make a symbolic link to perl on it. Well, the implementation:<\/p>\n

use.perl port<\/p>\n

This script will help you complete use.perl modify configuration files (such as \/ etc \/ make.conf) and a series of work. Here is not the table, a little profile about OpenSSH (sshd) configuration, in general, add the following two lines:<\/p>\n

Protocol 2 <\/strong><\/p>\n

PasswordAuthentication no <\/strong><\/p>\n

the benefits of doing so: ( 1) only allow ssh2 protocol log, which can provide better security (2) does not allow password login, which no doubt will increase security.<\/p>\n

1, create a cvs repository <\/strong><\/p>\n

Well, pre-configuration is basically over. Do not forget to create a user for the cvs group, for example, ncvs, as well as a cvs repository for the management of users, such as the repoman (which of course is ncvs that group), and then create a directory to save the cvs repository, in this case , we put it into \/ home \/ ncvs in:<\/p>\n

rm-rf \/ home \/ ncvs<\/p>\n

mkdir-p \/ home \/ ncvs<\/p>\n

chown-R repoman: ncvs \/ home \/ ncvs<\/p>\n

chmod-R 775 \/ home \/ ncvs<\/p>\n

next step is to initialize the repository, and simple to implement:<\/p>\n

su-l repoman<\/p>\n

cvs-d \/ home \/ ncvs init<\/p>\n

on it.<\/p>\n

present, all the FreeBSD version of cvs are included in the safety of the existence of a small vulnerability, although this flaw only in local use, but we recommend that you put it back on is to find \/ usr \/ src \/ contrib \/ cvs \/ src \/ expand_path.c in<\/p>\n

return current_parsed_root-> original;<\/p>\n

line, turning it into a<\/p>\n

return current_parsed_root-> directory;<\/p>\n

Of course, the next step is to re-make world kernel of. Need to note is that if you are using a 5-CURRENT, also need to modify some code for it to reach 5.2-RELEASE as performance (-CURRENT in a large number of debugging options turned on), specific methods will not go into here.<\/p>\n

2, the configuration commitmail and ACL <\/strong><\/p>\n

then configure cvs commitmail and ACL. I personally think that commitmail the team software development a very important thing to cvs, it is especially important because cvs is not atomic submit function, but commitmail just enough to make up for this.<\/p>\n

FreeBSD development team used a very good perl script to complete commitmail function, while the hook they use cvs to achieve a simple access control function (ACL). I use the cvs repository based on FreeBSD’s CVSROOT, and made a few changes.<\/p>\n

use the CVSROOT cover your CVSROOT, and you also need to freebsd directory mailsend.c which compiled the results into the \/ usr \/ local \/ bin (the script assumes that the CVSROOT in this matter). In addition, the CVSROOT need some modifications before it is put into use (for example, machine name, etc.). These settings can be found in the cfg_local.pm inside:<\/p>\n

$ MAILADDRS = ‘cvs- all@example.org ‘;<\/p>\n

commitmail this is the place to be sent to.<\/p>\n

$ MAIL_BRANCH_HDR = \u201cX-Phantasm-CVS-Branch\u201d;<\/p>\n

this is to be added to the commitmail head of information, if you use the mailing list, then it can help mailing list automatically sorted.<\/p>\n

$ MAILBANNER = \u201cThe Phantasm Studio repository\u201d;<\/p>\n

this soon in commitmail said that they commit to which a repository.<\/p>\n

if ($ hostname = ~ \/ ^ cvs \\. Example \\. Org $ \/ i)<\/p>\n

commit to this is to determine the host name<\/p>\n

$ CVSWEB_URL = \u201chttp:\/\/cvsweb.example.org\/cgi-bin\/cvsweb.cgi\u201d;<\/p>\n

This is cvsweb services at<\/p>\n

a brief CVSROOT in the other documents<\/p>\n

avail: the file used to control access to user group.<\/p>\n

access: This file is used to control who can perform cvs operations.<\/p>\n

exclude: This file is used to control those files do not need to check the cvs tag<\/p>\n

options: this file used to control the commencement of cvs tag, for example, can define $ Phantasm $, etc.<\/p>\n

3, configuration of users and restrict ssh permissions <\/strong><\/p>\n

ssh authentication using a more vexing question is, ssh means that users have a system account, and that they be able to log in.. If configured properly, they can get a shell, it is natural to be a potential security risk.<\/p>\n

must therefore be very careful in handling the ssh cvs authentication issue. The underlying principle is: any action against the user, unless we allow them to do so.<\/p>\n

create a user in accordance with the following rules:<\/p>\n

user’s\u201d primary \u201cgroup is ncvs (This will not only restrict the user’s permission, so we can more easily control the other users in the cvs repository which can not be free to commit)<\/p>\n

users do not use password authentication, which will ease because they do not properly set up ftp and other safety hazards caused by<\/p>\n

still give the user a shell, the \u201cshell\u201d can be a perl script, it only allow the implementation of the beginning of the command cvs<\/p>\n

then allow users to use openssh’s ssh-keygen to generate your own key pair. OpenSSH in most * BSD and Linux distributions can be found in, if the user uses the Windows Desktop, you need to install cygwin (in particular, the installation of net in OpenSSH), of course, the implementation of the command is the same:<\/p>\n

ssh-keygen-t dsa-b 2048<\/p>\n

for the paranoid security enthusiasts, can consider later in 2048 will be replaced by-b 4096. Of course, under the barrel theory, if you are a paranoid, then obviously you should be forced to use all the partners are also at least as long as your key:)<\/p>\n

, the administrator should be user (committer) the key into the server, the user corresponding to the authorized_keys file in the folder inside. For example, one of my public key as follows:<\/p>\n

ssh-dss AAAAB3NzaC1kc3MAAAEBAL +1 jinOw +86 RcTEaSM5\/Hz4Lr9tIS0IQsX8ebo<\/p>\n

TwLzWnqpOHRh2KBCGn\/e0xGCIAai7PGz7c + SZCvrLiRvG9mCsMMMue8ZIL + QF4OAmMd<\/p>\n

Cz8Qoyg0cc4YXImOd + UEpdOX29PC4aMAz28v\/GO2yf58\/Qa49Clfq1kHa\/8q3IAgs9o<\/p>\n

W95 \/ ArG + IWFOsN1Tv9nh4XJb5AQjpa5uMlB5SEmvKGTXQ2oYiRVIxL8vzHL6MtO\/8\u00d71<\/p>\n

j8 + RioSH6FCpEXS7UJbYxE7vF3m5Fa5o6g2dIZewphsleOeHkvYJ442Hqvsly3p4 +4 N<\/p>\n

dvim4bY2HMDha5r5zeTV8tTlOz4wQVgKyWoEAAAAVAINGzX7uU0vR8l63qhBhUeWGZt<\/p>\n

C9AAABADWiO +9 bvV7DApsn08LR1eoEnMjJFQgEfGlbV + EvZHkO0bkHZAdRIKtVmgNUw<\/p>\n

G6uufykkt2Tb + q5SbVNZkzeaFVv4ZMtnjSvEPIZrEXcQFFguGk1it5v5EYcmq4G8 + j1<\/p>\n

BFTVHef4b1wMTSt11WtEz0LUYncuZ6LA48\/WGTuZiSm8JkchgVm8HhR9NqjdeFJH8sO<\/p>\n

RUhUBoxyWjo\/hv7zFg7HqoJGzeNfrEhFg36psR2RDaRvSP0vN1W2q4j5OZy3gB6ZyVt<\/p>\n

nsEPl1HELhlaCFifmdz1LVxDx + FyPy6wMsPQLTmB1g6N1J6PWy3qCTJ0NyQgarSt3 \/ A<\/p>\n

TQ0InF1BOdJn8QAAAEAPb1OgswuMHdEsHk2ETZVmOKOkI9Rjf72vjZ3xG45iEbCH\/7p<\/p>\n

aTP8OQmJMW9FD4MHjdmtktPVYXDIa9Hj\/IM44zhfMHEdKs9LlFUK5dBgNUps + yPj2Ns<\/p>\n

Mr2rl771ODR0mB52FwrXm1FCmNTM7WQpFOEy\/QhtZRpHK +7 \/ YZp7PBggt17Fw7rbjP2<\/p>\n

zhWnZluoSKLgvfkhxhJuOMm\/ElNJx2c + XHdxPqI3eR5UxzLNjDUNh59I8 + h + E69bFB3<\/p>\n

b2uhKqziziHOQcqoH5r0Kud \/ DBBE79lU3mRUF8FQNygCRh\/V3yFzed40rc0nF0PQpNZ<\/p>\n

6zodDTJByrm6vX5wr2lI4RgA9w == bitripper@grimreaper.delphij.net<\/p>\n

Description: public key is not allowed off-line, here is convenient for typesetting. We have just opened to the user shell, which is still potential pitfalls, so we tighten security in this regard, the public key by adding the following text before the project:<\/p>\n

command = \u201c\/ usr \/ bin \/ cvs \u2013 allow-root = \/ home \/ ncvs server\u201d<\/p>\n

So, the whole line should look like this:<\/p>\n

command =\u201d \/ usr \/ bin \/ cvs \u2013 allow-root = \/ home \/ ncvs server \u201cssh-dss AAAAB<\/p>\n

\u2026\u2026 \u2026\u2026\u2026\u2026\u2026\u2026\u2026..<\/p>\n

X5wr2lI4RgA9w == bitripper@grimreaper.delphij.net<\/p>\n

ssh this command means that up on the implementation of \/ usr \/ bin \/ cvs \u2013 allow-root = \/ home \/ ncvs server this command, and can only perform this command. Thus, unless there are loopholes in the cvs itself, otherwise, can not really cut out through ssh shell. \u2013 Allow-root limits the ability to use the repository, so users can not easily specify the other repository, thus trying to undermine the security will become more difficult. If you need multiple repository, you can specify the number of allow-root parameter.<\/p>\n

be noted is that if users have multiple public key, you need to specify each public key before the command.<\/p>\n

4, configuration cvsweb <\/strong><\/p>\n

configuration cvsweb is quite simple. First install the apache (I tried 1.3.x and 2.0.x), configure the ready, from the port which install cvsweb on it:<\/p>\n

cd \/ usr \/ ports \/ devel \/ cvsweb & & make all installl clean<\/p>\n

and then to modify it configuration file:<\/p>\n

cd \/ usr \/ local \/ etc \/ cvsweb<\/p>\n

vi cvsweb.conf<\/p>\n

find<\/p>\n

;<\/p>\n

@ CVSrepositories = (<\/p>\n

line, follow the example of an increase in following their own repository, For example:<\/p>\n

‘ncvs’ => [‘ New CVS Repository ‘,’ \/ home \/ ncvs’],<\/p>\n

write the number of how many, of course, @ CVSrepositories the first to directly access cvsweb.cgi when the repository.<\/p>\n

in FreeBSD 5.1-CURRENT development process carried out by some of the changes caused by the ports in the cvsweb not normally call the cvs and rcs tools, which will cause it to not work properly. To solve this problem, can be found from the following web site the latest version of cvsweb:<\/p>\n

http:\/\/www.freebsd.org\/projects\/cvsweb.html<\/p>\n

the author of this writing, the latest cvsweb version is 2.9.1 beta. Before the installation, need to install the other two port:<\/p>\n

cd \/ usr\/ports\/devel\/p5-IPC-Run & & make all install clean<\/p>\n

cd \/ usr\/ports\/net\/p5-URI & & make all install clean<\/p>\n

then downloaded tbz file unpack, copy to the appropriate location (cgi-bin and related images directory) can be used.<\/p>\n","protected":false},"excerpt":{"rendered":"

How to configure and use SSH authentication system server CVS cvs (Concurrent Version System) is a very popular version control tool. Although its function as Perforce, Subversion and other powerful,… <\/p>\n","protected":false},"author":1,"featured_media":4374,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[20],"tags":[254,4133,369,4136,1122,2974,3113,919,593,938,4135,896,732,4132,213,4134],"class_list":["post-246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cvs-concurrent-version-system","tag-configure","tag-configure-cvs-with-ssh","tag-cvs","tag-cvs-with-ssh-configuration","tag-guide","tag-help","tag-how-to","tag-instructions","tag-process","tag-reference","tag-setup-cvs-through-ssh","tag-ssh","tag-steps","tag-system-server","tag-tutorial","tag-use-ssh-with-cvs"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=246"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/246\/revisions"}],"predecessor-version":[{"id":4376,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/246\/revisions\/4376"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/4374"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}