Setting up a secure CVS server with OpenSSH
Posted by Steve on Fri 7 Jan 2005 at 10:45
CVS is the Concurrent Versioning System, which allows multiple people to obtain source code, work on it and commit it back to a single central repository. Setting up a simple CVS server isn't difficult, and can be done securely with OpenSSH.
If you wish to create a central repository of code so that you can work on things at different sites, or have multiple people collaborate on it with you, then CVS is ideal.
CVS does lack several things, such as the ability to rename files and have the history follow, but it's one of the most widely used revision control systems around, and very likely to remain popular even with the rise of multiple competing systems such as "arch", "subversion", etc.
Setting up a secure CVS repository is fairly straightforward. One of the things that can make it more secure is to deny anonymous users the ability to log in and work with the code; instead, anonymous users can only view the code through the web.
This might not be desired, so we'll leave that as an open question for the moment.
First of all you'll need to set up the server:
apt-get install cvs
This will install the CVS binaries which you can now use to create the repository for storing your code.
When you do this you'll be asked a couple of questions: whether you wish to create a repository or start a server. Answer with the defaults, which will be to not launch a server. If you answer yes here you'll be running an insecure server.
In the following example I create a repository which is owned by the user and group cvs and is located at /home/cvs:
useradd cvs
groupadd cvs
mkdir /home/cvs
cvs -d /home/cvs init
chown -R cvs:cvs /home/cvs
chmod -R 770 /home/cvs
chmod 700 /home/cvs/CVSROOT
Now any local account that needs to write to the repository should be added to the cvs group and will then be able to add and modify projects.
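As an added example (not part of the original article), the shell function below audits a repository tree against the layout those commands create: no permission bits for other users, and group ownership by the cvs group. The function name `audit_cvs_repo` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a CVS repository against the layout created above.
# Usage (as root, or a user who can read the tree): audit_cvs_repo /home/cvs cvs
# Returns 0 = clean, 1 = findings printed, 2 = audit could not run.
audit_cvs_repo() {
    repo=$1
    group=$2
    status=0

    # "cvs init" creates CVSROOT; without it this is not a repository.
    if [ ! -d "$repo/CVSROOT" ]; then
        echo "ERROR: $repo/CVSROOT not found"
        return 2
    fi

    # 1. chmod -R 770 leaves no bits for "other". Anything that still has
    #    one can be reached by every local account, cvs group or not.
    world=$(find "$repo" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print) || return 2
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/WORLD-ACCESSIBLE: /'
        status=1
    fi

    # 2. Access is granted through group membership, so every path must
    #    belong to that group. find fails if the group does not exist.
    foreign=$(find "$repo" ! -group "$group" -print) || return 2
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/WRONG-GROUP: /'
        status=1
    fi

    # 3. Group members need rwx on project directories to commit.
    #    CVSROOT is skipped because the page sets its mode separately.
    locked=$(find "$repo" -name CVSROOT -prune -o \
        -type d ! -perm -070 -print) || return 2
    if [ -n "$locked" ]; then
        printf '%s\n' "$locked" | sed 's/^/GROUP-LOCKED-OUT: /'
        status=1
    fi

    return "$status"
}
```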
If they have remote access to the server hosting the repository, they will be able to check out copies as follows:
export CVS_RSH=ssh
cvs -d :ext:username@repository.host.name:/home/cvs login
cvs -d :ext:username@repository.host.name:/home/cvs co moduleName
They will be prompted for their login password and will be able to do a full checkout of the code.
Of course you need to add a module to CVS in the first place!
Assuming that you have a project held in a directory on the local machine which you wish to import, simply run:
cd ~/project
cvs -d /home/cvs import -m "Initial Import" project myname release
Once this is done you can move to a different directory and try to check it out:
cvs -d /home/cvs checkout project
If that works then you are done.
The only remaining question is whether you wish to allow anonymous users to check out your code. If you do, then you need to take some additional steps.
If not, you can just install viewcvs or cvsweb to allow users to view the repository over the web.
Update: if you wish you can also set up CVS to allow anonymous read-only access to your repository.
However, please note that the 'login' command is not supported by the :ext method.
Your suggested command:
cvs -d :ext:username@repository.host.name:/home/cvs login
is not required, and will not work!
Cheers,
Tim
[ Parent | Reply to this comment ]
chmod 770 /home/cvs/CVSROOT
to make it work ...
[ Parent | Reply to this comment ]
chmod 770 /home/cvs/CVSROOT
to allow users I had added to the cvs group access CVSROOT.
Otherwise, great article! Very easy to understand and follow.
[ Parent | Reply to this comment ]
This worked and afterwards I was able to connect to the repository via Eclipse.
Some other quick notes:
- make your cvs user's password secure. Folks expect that user to be present on servers and will immediately try 'cvs' as the password ;)
- when adding your user to the cvs (or maybe cvsusers) group using usermod, MAKE SURE TO USE THE -a switch! (e.g. usermod -a -G cvs someuser), otherwise you'll reset your user's groups to only be cvs. Errr... yeah, I did that then needed to boot up in recovery mode and fix the issue.
[ Parent | Reply to this comment ]
-Tom
Running out of disk quota space, try rm -rf ~/*
Having horrible computer karma? Install Linux, your computer problems shall vanish.
[ Parent | Reply to this comment ]