[m-dev.] remote CVS access
Simon Taylor
stayl at cs.mu.OZ.AU
Tue Oct 16 22:25:06 AEST 2001
On 17-Aug-2001, David Overton <dmo at cs.mu.OZ.AU> wrote:
> On Fri, Aug 17, 2001 at 05:57:04PM +1000, Fergus Henderson wrote:
> > Currently many people are using the `pserver' password-based remote CVS
> > access method, since that is what is recommended on our web page.
> > However, this method is not very secure. In the long term I plan to
> > phase it out, in favour of ssh-based remote CVS access.
> >
> > Could everyone who is using pserver-based remote CVS access
> > please (1) let me know who you are and (2) email me a copy of your ssh
> > public key (which is in ~/.ssh/identity.pub; use ssh-keygen if you don't
> > have one already)?
> >
> > For ssh-based remote cvs access, just use
> >
> > :ext:<your user id>@cvs.mercury.cs.mu.oz.au:/home/mercury1/repository
> >
> > e.g.
> >
> > :ext:fjh@cvs.mercury.cs.mu.oz.au:/home/mercury1/repository
> >
> > as the CVSROOT. You don't need to `cvs login'.
> > Instead, you need
> >
> > - ssh installed on your client machine (of course)
> >
> > - an ssh key pair (generated with ssh-keygen) on your client machine
> >
> > - an account on cvs.mercury.cs.mu.oz.au, with a copy of your
> > ssh public key(s) in ~/.ssh/authorized_keys.
> > Note that the account does not need a password (the sysad can put
> > "*" in the password field of /etc/passwd) or a login shell.
>
>
> I just tried this. I also needed to set the CVS_RSH variable to 'ssh'
> to get it to work.

sshd on cvs.mercury.cs.mu.oz.au has been upgraded, so the instructions
above need to change:

For ssh-based remote cvs access, just use

    :ext:<your user id>@cvs.mercury.cs.mu.oz.au:/home/mercury1/repository

e.g.

    :ext:fjh@cvs.mercury.cs.mu.oz.au:/home/mercury1/repository

as the CVSROOT. You don't need to `cvs login'.
Instead, you need

    - ssh installed on your client machine (of course)

    - an ssh key pair (generated with ssh-keygen) on your client machine

    - an account on cvs.mercury.cs.mu.oz.au. Note that the account does
      not need a password (the sysad can put "*" in the password field
      of /etc/passwd), but it does need a login shell.

      ~/.ssh/authorized_keys on cvs.mercury.cs.mu.oz.au
      should contain a copy of your ssh public key(s).
      To avoid giving CVS-only users login access to
      cvs.mercury.cs.mu.oz.au, the entries in ~/.ssh/authorized_keys
      should be prefixed with `command="cvs server"'. This will
      only allow the key to be used to run the CVS server, not to
      login or run other commands. The `no-port-forwarding' and
      `no-pty' key options are probably also a good idea. See sshd(8)
      for more details.

      e.g.

        command="cvs server",no-port-forwarding,no-pty 1024 35 <key> fjh@hg

You will also need to set the CVS_RSH variable to be the name
of a shell script with the following contents:

    #!/bin/sh
    exec ssh -1 -X "$@"

The ~/.ssh/authorized_keys file described above is part of the
SSH protocol version 1, so the `-1' option to ssh is needed to force
the use of that protocol.

The '-X' option to ssh enables X11 forwarding. The commit scripts will
use X for any necessary communication with the user.

Simon.
--------------------------------------------------------------------------
mercury-developers mailing list
Post messages to: mercury-developers at cs.mu.oz.au
Administrative Queries: owner-mercury-developers at cs.mu.oz.au
Subscriptions: mercury-developers-request at cs.mu.oz.au
--------------------------------------------------------------------------
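
Added example, not part of the original post or of the Mercury project's scripts: a Python check an administrator could run over a ~/.ssh/authorized_keys file to confirm that every key is restricted the way the post describes (forced `cvs server' command plus the `no-port-forwarding' and `no-pty' options). The option parser, the bare-key heuristic and the alice/bob/carol entries are constructed assumptions; only the fjh@hg line follows the post.

```python
import re

FORCED_COMMAND = "cvs server"                      # value given in the post
REQUIRED_FLAGS = {"no-port-forwarding", "no-pty"}  # flags the post suggests
# One option: name, optional ="quoted value", then "," (more follow) or space.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')

def parse_options(line):
    """Return the leading options of one authorized_keys entry as a dict."""
    first = line.split(None, 1)[0]
    # Assumption: a bare key starts with its bit count (protocol 1, as in
    # the post) or with an "ssh-" key type; anything else is an option list.
    if first.isdigit() or first.startswith("ssh-"):
        return {}
    opts, pos = {}, 0
    while True:
        m = OPTION_RE.match(line, pos)
        if m is None:
            raise ValueError("cannot parse options")
        opts[m.group(1).lower()] = m.group(2)  # value is None for bare flags
        if m.group(3) != ",":
            return opts
        pos = m.end()

def audit(text):
    """Map line number -> problems for entries that are not CVS-only."""
    findings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(line)
        problems = []
        if "command" not in opts:
            problems.append("no forced command: key allows login")
        elif opts["command"] != FORCED_COMMAND:
            problems.append("forced command is %r" % opts["command"])
        problems += ["missing " + f for f in sorted(REQUIRED_FLAGS - opts.keys())]
        if problems:
            findings[n] = problems
    return findings

# Constructed sample; <key> stands in for the key material.
SAMPLE = """\
command="cvs server",no-port-forwarding,no-pty 1024 35 <key> fjh@hg
1024 35 <key> alice@example
command="cvs server" 1024 35 <key> bob@example
command="uptime",no-port-forwarding,no-pty 1024 35 <key> carol@example
"""
```

Calling audit(SAMPLE) reports lines 2, 3 and 4 and leaves the fjh@hg entry unflagged; a malformed option list raises ValueError rather than being passed as safe.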