Setting up a CVS server

There are lots of tutorials on how to set up CVS, some much better than this one. The purpose of this page is mainly to remind me what I need to do. If it helps you, all the better.

Blackbox CVS

In August 2006 I set up a CVS server for our “Black box” project. It was the first time I ever looked at the issue. A quick Google brought up Dan Langille's HOWTO, which pointed at a more detailed book on the subject, Open Source Development with CVS. That's probably a little more detail than is needed. The main problem is that there's no tool to create the CVSROOT/passwd file. The links recommend a perl script, but I'm not into perl, and it seems a bit over the top anyway.

The setup's pretty straightforward, but many descriptions blur the distinction between the client side and the server side. In many cases, of course, both are the same machine, but they don't have to be.

Client side (part 1)

For each user, do the following:

1. Using passwd, give the user a password intended for use logging in to the remote server. This should not be the normal password.
2. As root, get the corresponding entry out of /etc/master.passwd and trim it to the first two fields: Before:

   foo:$1$NV3PwGak$RGqhE8OQSO7iQbLxeG48e.:1006:1006::0:0:CVS Test User:/home/foo:/usr/local/bin/bash
   

   After:

   foo:$1$NV3PwGak$RGqhE8OQSO7iQbLxeG48e.:
   

   Send this information to the server side.
3. Reset the password the normal value.
4. If using ssh (which is a very good idea), set up public keys if necessary. Send the contents of .ssh/id_dsa.pub and .ssh/id_rsa.pub to the server side along with the password information.

Server side

1. Enable the entry for CVS pserver in /etc/inet.d. Specify a path to a repo or series of repos (the actual repo is specified by cvs login; the path is just to restrict access to that hierarchy). In this example I've used repos in /src/cvs:

   cvspserver  stream  tcp nowait  root    /usr/bin/cvs    cvs --allow-root=/src/cvs pserver
   

2. HUP inetd to enable the entry.
3. Create a CVS repo under /src/cvs.
4. Add a user cvs to the system password file /etc/master.passwd (using adduser or whatever). Give it /usr/bin/cvs as the shell.
5. Create a file CVSROOT/password and add the password information from the clients to it. Add the name of the server CVS user account to the end of each line. For example, the client password line above would become:

   foo:$1$NV3PwGak$RGqhE8OQSO7iQbLxeG48e.:cvs
   

   Create an entry in CVSROOT/password and copy in the password for cvs from /etc/master.passwd:

   foo:$1$0fNgUo0H$cqxxmfFLGYJKttv1gwO5b1:cvs
   

   This enables foo to connect using the password you've assigned, and to run the CVS checkout operation as cvs.
6. If using ssh, add the public key information to ~cvs/.ssh/authorized_keys. Note that the client user name does not need to be on this server.

Client side (part 2)

Once the passwords and public keys are in place, you should be able to log in to the remove system like this:

$ eval `ssh-agent`
Agent pid 8196
$ ssh-add
Identity added: /home/foo/.ssh/id_rsa (/home/foo/.ssh/id_rsa)
Identity added: /home/foo/.ssh/id_dsa (/home/foo/.ssh/id_dsa)
This user doesn't have a passphrase; otherwise there would be a prompt
$ ssh cvs@echunga.lemis.com
Last login: Tue Sep 26 11:05:19 2006 from 203-173-54-38.d
...
The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
    the CVS home page at http://www.cvshome.org/ or
    Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
Connection to echunga.lemis.com closed.
(etc)

Since the “shell” for cvs is /usr/bin/cvs, you just get a usage message, and then it disconnects.

Logging in

Before you can check out, you need to log in to the server. cvs saves the information in a file called .cvspass.

$ cvs -d :pserver:echunga.lemis.com:/src/cvs login
Logging in to :pserver:foo@echunga.lemis.com:2401/src/cvs
CVS password:
cvs login: warning: failed to open /home/foo/.cvspass for reading: No such file or directory
$ ls -al .cvspass
-rw-------  1 foo  foo  69 Sep 26 11:53 .cvspass

The final message is really just a warning; cvs creates the file.

Checking out

To check out, first decide on a location. In my case, I choose blackbox. Then specify the name of the server:

$ mkdir blackbox
$ cd blackbox
$ cvs -d :pserver:echunga.lemis.com:/src/cvs co src
cvs checkout: Updating src
U src/Makefile
U src/Makefile.in
(etc)

Mavvie's comments

On IRC, 16 Dec 2006:

<Mavvie> how euhm... how do I again disable people from getting a shell with
	 ssh, but still able to run cvs?				[15:42]
<Mavvie> how euhm... how do I again disable people from getting a shell with
	 ssh, but still able to run cvs over ssh?
<grOogle> Mavvie: Give them a dummy user name.				[15:43]
<grOogle> Mavvie: I have a writeup somewhere.
<grOogle> Mavvie: http://www.lemis.com/grog/HOWTO/cvs.html.  Corrections
	  welcome.							[15:44]
<Mavvie> grOogle: that is over pserver, this is over ssh.		[15:49]
<Mavvie> this is how to do it via ssh:
<Mavvie> set the shell to /usr/local/bin/cvsshell
<Mavvie> create cvsshell:
<grOogle> Mavvie: That's pserver over ssh :-)
<Mavvie> #!/bin/sh
<Mavvie> if [ "$1 $2 $3" = "-c cvs server " ]; then
<Mavvie>         /bin/sh "$@"
<Mavvie> else
<Mavvie>         echo "CVS only account"
<Mavvie>         exit
<Mavvie> fi
ERC>