Re: remote cvs access - recommendations
Eric Siegerman wrote:
> On Wed, Oct 08, 2003 at 10:59:37AM -0700, [EMAIL PROTECTED] wrote:
> > but in general, someone who accesses cvs [via SSH] has system access. not only can my co-developer do things like cvs checkout and cvs commit, but he can also ssh into the machine and work at a remote shell.
> >
> > is there a way to give co-developers access to cvs WITHOUT giving them system level access?
>
> You can configure sshd to only allow one command, cvs. I'm not sure how to do that, but it's been discussed here in the last few days, so check the list archives.

prepend the following commands to the respective entry in the authorized_keys[2] file of the account on your cvs box (typically in ~/.ssh/):

    no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs server" ssh-rsa YOUR_KEY_HERE

bye
Ludger

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
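The forced-command entry from the message above, as an added example that is not part of the thread: a shell sketch that prefixes a bare public key with those options and audits an authorized_keys file for entries that are not locked to cvs server. The function names are hypothetical, and the strict prefix match assumes the file is maintained with exactly this option string.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Option string from the message above (cvs path as given there).
CVS_ONLY='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/cvs server"'

# restrict_key 'ssh-rsa AAAA... comment'
# Prints the authorized_keys entry for a bare public key line. Lines that
# already carry options are refused rather than silently double-prefixed.
restrict_key() {
    case "$1" in
        ssh-*\ *|ecdsa-*\ *) printf '%s %s\n' "$CVS_ONLY" "$1" ;;
        *) echo "restrict_key: not a bare public key line" >&2; return 1 ;;
    esac
}

# audit_keys FILE
# Reports every key entry that does not begin with exactly $CVS_ONLY, i.e.
# any key that could still get a shell or a forwarded port. Matching the
# prefix (not a substring) means text in the key comment cannot satisfy it.
# Returns 0 if all entries are restricted, 1 otherwise.
audit_keys() {
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;                          # blank or comment
            "$CVS_ONLY "ssh-*|"$CVS_ONLY "ecdsa-*) ;;     # locked to cvs server
            *) echo "line $n: not restricted to cvs server"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Stand-alone use: ./script /path/to/authorized_keys
if [ $# -gt 0 ]; then
    audit_keys "$1"
fi
```

Run audit_keys against the CVS account's ~/.ssh/authorized_keys after adding a key; any reported line still permits an interactive login.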
Re: remote cvs access - recommendations
first, thanks everyone who answered my question. second, this works like a charm. and i learned a WHOLE LOT in the process.

On Tue 07 Oct 03, 9:38 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] said:
> On Tue, 7 Oct 2003 [EMAIL PROTECTED] wrote:
> > hi all,
> >
> > i've read about remote cvs access, and there are a LOT of options: ssh, rsh, kerberos, pserver, and more. my needs are simple. i'm writing a latex book with just one other person. the repository is sitting on a debian gnu/linux machine that i have root access to.
> >
> > can someone suggest an access method suitable for my needs? i don't need anything fancy, scalable or even efficient, since there's just one other co-author and we're dealing mainly in text with a few image files. it just needs to be secure, easy to set up and easy to use.
>
> Unfortunately, secure and easy to setup often do not mix. Your two choices for secure that I am aware of are Kerberos and SSH. Unless you already have a Kerberos infrastructure in place, you don't want to go there. A W2K domain does count, but I've never seen any discussion about how to make CVS Kerberos play in that environment.
>
> Before a good answer to your inquiry can be provided, we need to know the platforms you and the other CVS user are using. You say the repository is on Debian Linux. What platforms will you and the other person be accessing the repository from? For the purposes of this reply, I'll assume Linux all around. If Windows is in the picture, what I will be suggesting will still play fine.
>
> I am doing exactly what you want with another developer with my repository. The repository is accessed securely using SSH. The biggest hurdle to setting up remote access to such a repository is configuring SSH. You have to decide and configure what authentication methods you want to allow, then possibly generate certificates. To satisfy your convenience of use criteria, I suggest use of RSA public key certificates. They are very secure, and can be set up so you only have to enter a password once.

or zero times if i don't encrypt id_rsa or id_dsa... :-)

works like a charm, so i'm very happy. thank you!

but i am curious about one more thing. this ssh method requires that my co-developer has an account on the system containing the repository. i don't mind that, since he's a friend.

but in general, someone who accesses cvs this way has system access. not only can my co-developer do things like cvs checkout and cvs commit, but he can also ssh into the machine and work at a remote shell.

is there a way to give co-developers access to cvs WITHOUT giving them system level access? i assume changing the shell to /bin/false in /etc/passwd will break remote cvs access (correct me if that's wrong).

thanks guys!
pete

--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
Re: remote cvs access - recommendations
On Wed, Oct 08, 2003 at 10:59:37AM -0700, [EMAIL PROTECTED] wrote:
> this ssh method requires that my co-developer has an account on the system containing the repository. i don't mind that, since he's a friend.
>
> but in general, someone who accesses cvs this way has system access. not only can my co-developer do things like cvs checkout and cvs commit, but he can also ssh into the machine and work at a remote shell.
>
> is there a way to give co-developers access to cvs WITHOUT giving them system level access?

Sure. CVS-only users just need to be able to run cvs server. If you set them up with a restricted shell that can only run this command, that should help to secure your CVS server.

--
Rob Helmer
Re: remote cvs access - recommendations
On Wed, Oct 08, 2003 at 10:59:37AM -0700, [EMAIL PROTECTED] wrote:
> but in general, someone who accesses cvs [via SSH] has system access. not only can my co-developer do things like cvs checkout and cvs commit, but he can also ssh into the machine and work at a remote shell.
>
> is there a way to give co-developers access to cvs WITHOUT giving them system level access?

You can configure sshd to only allow one command, cvs. I'm not sure how to do that, but it's been discussed here in the last few days, so check the list archives.

--
Eric Siegerman, Toronto, Ont. [EMAIL PROTECTED]
When I came back around from the dark side, there in front of me would be the landing area where the crew was, and the Earth, all in the view of my window. I couldn't help but think that there in front of me was all of humanity, except me.
- Michael Collins, Apollo 11 Command Module Pilot
remote cvs access - recommendations
hi all,

i've read about remote cvs access, and there are a LOT of options: ssh, rsh, kerberos, pserver, and more. my needs are simple. i'm writing a latex book with just one other person. the repository is sitting on a debian gnu/linux machine that i have root access to.

can someone suggest an access method suitable for my needs? i don't need anything fancy, scalable or even efficient, since there's just one other co-author and we're dealing mainly in text with a few image files. it just needs to be secure, easy to set up and easy to use.

any suggestions would be greatly appreciated!

on a related issue, i set up a pserver and was horrified to discover that when i issued a cvs login, it was ignoring $CVSROOT/CVSROOT/passwd and instead was authenticating using /etc/shadow. i inadvertently sent a plaintext password over the internet!

after changing the password and disabling pserver via inetd, i started to read the cvs FAQ and saw this section:

    How do I set up a CVS server for access via SSH?

the url was:

    http://ccvs.cvshome.org/fom//cache/10.html

it said to look at the remote repositories section of cederqvist. following the link, i can't find any section called remote repositories in the table of contents.

was this section renamed?

thanks!
pete

--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
Re: remote cvs access - recommendations
On Tue, 7 Oct 2003 08:29:33 -0700, [EMAIL PROTECTED] wrote
> hi all,
>
> i've read about remote cvs access, and there are a LOT of options: ssh, rsh, kerberos, pserver, and more. my needs are simple. i'm writing a latex book with just one other person. the repository is sitting on a debian gnu/linux machine that i have root access to.
>
> can someone suggest an access method suitable for my needs? i don't need anything fancy, scalable or even efficient, since there's just one other co-author and we're dealing mainly in text with a few image files. it just needs to be secure, easy to set up and easy to use.

ssh is the most secure, easiest to setup and easiest to use IMO. If you can login to the box using ssh and can perform cvs operations from that shell, you're really done. Just try it:

1. Make sure the CVS_RSH environment variable on the client is set to ssh.
2. cvs -d:ext:[EMAIL PROTECTED]:/path/to/repository checkout modulename

> any suggestions would be greatly appreciated!
>
> on a related issue, i set up a pserver and was horrified to discover that when i issued a cvs login, it was ignoring $CVSROOT/CVSROOT/passwd and instead was authenticating using /etc/shadow. i inadvertently sent a plaintext password over the internet!
>
> after changing the password and disabling pserver via inetd, i started to read the cvs FAQ and saw this section:
>
>     How do I set up a CVS server for access via SSH?
>
> the url was:
>
>     http://ccvs.cvshome.org/fom//cache/10.html
>
> it said to look at the remote repositories section of cederqvist. following the link, i can't find any section called remote repositories in the table of contents.
>
> was this section renamed?

No. It's right here:

http://www.cvshome.org/docs/manual/cvs-1.11.7/cvs_2.html#SEC26

HTH,
Geoff
RE: remote cvs access - recommendations
Pete:

We were able to set up cvs access thru ssh. It gives us a secure and simple solution. Here is what we did:

SERVER SETUP (We use Linux)

You must be able to ssh to the server without it asking for you to accept the host key or ask you for a password.

Login to the cvs server as root and make sure these lines are in /etc/ssh/sshd_config:

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

If you changed this file, restart the server by typing:

    /etc/init.d/sshd restart

WINDOWS CLIENT SETUP

On windows, you will need the cygwin utilities with openSSH and cvs installed.

On the windows machine, open the cygwin command shell and type:

    ssh [EMAIL PROTECTED]

Login to the server to ensure that it does not ask you to accept the host key. Exit the ssh session.

    cd .ssh
    ssh-keygen -t rsa

This will generate keys for ssh. Since you need to generate a key without a password, hit return on all of the inputs.

    sftp [EMAIL PROTECTED]

Login and type the following commands:

    mkdir .ssh
    cd .ssh
    put id_rsa.pub authorized_keys
    quit

Exit the sftp session

    ssh [EMAIL PROTECTED]

Login and type the following commands

    cd .ssh
    chmod 700 .
    chmod 0600 *
    exit

You should now be able to login to the server without it asking for a password.

Now, you can use your favorite CVS client. When you set it up, you will need to use an external connection method, set the CVS_RSH variable to the full path to the ssh.exe file from cygwin and set the cvs client to the cygwin executable.

Let me know if you need any additional help.

Thanks,
Neil.

--
Neil Aggarwal, JAMM Consulting, (972)612-6056, www.JAMMConsulting.com
FREE! Valuable info on how your business can reduce operating costs by 17% or more in 6 months or less!
http://newsletter.JAMMConsulting.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 10:30 AM
To: [EMAIL PROTECTED]
Subject: remote cvs access - recommendations

hi all,

i've read about remote cvs access, and there are a LOT of options: ssh, rsh, kerberos, pserver, and more. my needs are simple. i'm writing a latex book with just one other person. the repository is sitting on a debian gnu/linux machine that i have root access to.

can someone suggest an access method suitable for my needs? i don't need anything fancy, scalable or even efficient, since there's just one other co-author and we're dealing mainly in text with a few image files. it just needs to be secure, easy to set up and easy to use.

any suggestions would be greatly appreciated!

on a related issue, i set up a pserver and was horrified to discover that when i issued a cvs login, it was ignoring $CVSROOT/CVSROOT/passwd and instead was authenticating using /etc/shadow. i inadvertently sent a plaintext password over the internet!

after changing the password and disabling pserver via inetd, i started to read the cvs FAQ and saw this section:

    How do I set up a CVS server for access via SSH?

the url was:

    http://ccvs.cvshome.org/fom//cache/10.html

it said to look at the remote repositories section of cederqvist. following the link, i can't find any section called remote repositories in the table of contents.

was this section renamed?

thanks!
pete

--
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
Re: remote cvs access - recommendations
[EMAIL PROTECTED] writes:
> on a related issue, i set up a pserver and was horrified to discover that when i issued a cvs login, it was ignoring $CVSROOT/CVSROOT/passwd and instead was authenticating using /etc/shadow. i inadvertently sent a plaintext password over the internet!

It doesn't ignore CVSROOT/passwd, it just uses /etc/shadow by default if the user isn't found in CVSROOT/passwd. You can disable that in your CVSROOT/config file, but that won't stop you from entering your system password. It may make you feel a bit better to know that the password isn't sent as plaintext, it's scrambled (but the scrambling is easy to reverse).

> it said to look at the remote repositories section of cederqvist. following the link, i can't find any section called remote repositories in the table of contents.
>
> was this section renamed?

No, it's section 2.9. Click on Contents to see the complete Table of Contents (or just click on section 2 and work your way down). It sounds like you could benefit from reading the whole thing.

-Larry Jones

Shut up and go get me some antiseptic. -- Calvin