Gregory Propf wrote:
>
> Mainly, what I would like is just to have cvs talk over
> a secure socket so that usernames and passwords are encrypted.
> Is there a way to do this?
> I have used ssh to do port forwarding for cvs but the result is a
> kludge.

Yes, trying to use ssh to forward port 2401 is a kludge.

Actually, CVS has a couple of modes of operation for accessing
the repository:

- A mode (the default) where CVS does it by directly modifying the
  repository files. Useful only for local repositories, and even
  then you might have problems with NFS2 being based on UDP, and
  hence possibly subject to error from faulty network cards.
  (This happened to us once).

- A mode (commonly known as "pserver" mode) where the CVS client
  sends traffic over TCP port 2401. The inetd on the server end
  is configured to start CVS in server mode. Notably, this gives
  read-only access.

- A mode (commonly known as "ext" mode) where the CVS client
  calls some other utility (by default, rsh) to provide a
  transparent pipe. In practice, ssh is used instead of rsh,
  and ssh is called such that it starts the CVS server on the
  other end of the line.

What you want is the last mode. The CVS client and CVS server
don't care how they are connected, just that they have a transparent
pipe between them.

ssh can establish that pipe without any information ever being
transmitted as cleartext. Ever. Either in the authentication
stage or while carrying CVS data.

By default this gives people read-write access to the repository,
but CVS can be configured to restrict this.

Also, you can generate ssh keys _without_ specifying a passphrase.
ssh will then sail through the connection without asking for one.
If you really wanted to be strict and prevent access without
a password, you could prevent people from using keys without
passphrases.

So, to put this into practice: (You'll need to modify the names)

On the local machine, type this:

    ssh-keygen

This will create a subdir called ~/.ssh. In this subdir
will be two files, identity (your private key) and identity.pub.

Log into the remote machine using ssh:

    ssh -l [EMAIL PROTECTED]

You'll need to type in your password. Run ssh-keygen again.
(You're doing this just to create the .ssh subdir with the
right permissions). Log out.

Do this on your local machine:

    scp ~/.ssh/identity.pub you@remote:.ssh/you.pub

Log into the remote machine again using ssh. Do this:

    cd ~/.ssh
    cat you.pub >> authorized_keys

Log out. You should then be able to do this to log in without
being asked for a password:

    ssh [EMAIL PROTECTED]

If it doesn't work, try "ssh -v [EMAIL PROTECTED]" and see what
it says.

Now set the CVS_RSH environment variable to "ssh", and try
this:

    cvs -d :ext:[EMAIL PROTECTED]:/home/cvs/CVS-Repository co myproject

If this doesn't work, add a "-t" just after the "cvs" to turn on
debugging. In particular, look at the first few lines where
it calls ssh to initiate the connection.

I hope this helps.

Regards,
Mitch.
--
| mailto:[EMAIL PROTECTED] | Not the official view of: |
| mailto:[EMAIL PROTECTED] | Australian Calculator Opn |
| Certified Linux Evangelist! | Hewlett Packard Australia |
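
Added example, not part of the original message: a variant of the `cat you.pub >> authorized_keys` step that pins the key to the CVS server with a forced command, so a key without a passphrase can only start `cvs server` and cannot open a shell or forward ports. It assumes an OpenSSH server (the `command=` and `no-*` options are OpenSSH authorized_keys options); the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a CVS-only public key on the server side.

# Emit an authorized_keys line that restricts the given public key
# ($1 = one key line, e.g. the contents of you.pub) to "cvs server".
restrict_cvs_key() {
    printf 'command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Append the restricted key from file $1 to $2/authorized_keys.
# $2 is normally ~/.ssh on the repository host.
install_cvs_key() {
    pubfile=$1
    sshdir=$2
    # sshd ignores keys when the directory or file is writable by others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    # Accept only a file holding exactly one non-empty line (one key).
    [ "$(grep -c . "$pubfile")" -eq 1 ] || return 1
    key=$(grep . "$pubfile")
    auth=$sshdir/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: do not add the same key twice.
    grep -qF -- "$key" "$auth" || restrict_cvs_key "$key" >> "$auth"
}

# Print any of the given paths that are group- or world-writable.
# Empty output means the permissions are acceptable.
loose_perms() {
    find "$@" -prune \( -perm -020 -o -perm -002 \) -print
}

# Usage on the remote machine, after the scp step above:
#   install_cvs_key ~/.ssh/you.pub ~/.ssh
#   loose_perms ~ ~/.ssh ~/.ssh/authorized_keys
```

With this entry in place, the `cvs -d :ext:...` checkout works as before, while an interactive `ssh` login with the same key just starts the CVS server instead of a shell.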