CVS (Concurrent Versions System) is a widely used version control tool. Although it is not as powerful as Perforce or Subversion, it is used in many software projects because it is easy to configure and use and has been available for a long time.
First, install FreeBSD and apply the security patches. This step is very simple: download a FreeBSD mini ISO (the upcoming 5.2-RELEASE is a good choice; it may already be available for download by the time you read this article), burn it to a CD-ROM, and install from it, selecting the "Minimum" installation. Note: to be able to use ssh authentication, install crypto. Configure the network for this machine, wait for the installation to finish, and restart.
Then install some necessary packages. FreeBSD 4.x has perl built in, but in 5.x perl was removed from the base system. To make good use of features such as ACLs and commit mail, perl must be installed.
I personally recommend using perl 5.8.x from ports. Before installing it, make sure that perl 5.6.x is not installed on the system. On a new system, you can execute the following command with confidence:
This will delete any existing packages. Most FreeBSD users use cvsup to update the system. However, cvsup-without-gui is not included on the release CD, and the ordinary cvsup package requires a series of X11 libraries. To avoid that trouble, you can complete the first code update in either of the following two ways:
1. Use the cvs included in FreeBSD to synchronize the code:
cvs -d :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs login
Enter "anoncvs" and press Enter.
cd /usr
cvs -R -d :pserver:anoncvs@anoncvs.jp.FreeBSD.org:/home/ncvs export -r RELENG_5_2 src ports
Note: If you are not using 5.2-RELEASE, change RELENG_5_2 as appropriate (for example, 4-STABLE is RELENG_4, -CURRENT is HEAD, and so on).
2. Install cvsup-without-gui:
pkg_add -r cvsup-without-gui
Then use cvsup to synchronize the code. Due to space limitations, the details are not repeated here.
I personally recommend the first method. Of course, the second method should be faster, and cvsup does not need to be compiled manually. Then install perl 5.8.x:
cd /usr/ports/lang/perl5.8 && make all install clean && rehash
Then we run into a very serious problem: the use.perl script in ports does not know that perl is not installed in the system, so an error occurs when it runs. In this case, you only need to make a symbolic link for perl. After completing the configuration, execute:
use.perl port
The use.perl script will then take care of a series of tasks for you, such as modifying configuration files (for example /etc/make.conf); the details are not covered here. Next, adjust the OpenSSH (sshd) configuration slightly. Generally, add the following two lines:
Protocol 2
PasswordAuthentication no
The benefits of doing so: (1) only the ssh2 protocol is allowed for logins, which provides better security; (2) password logins are not allowed, which undoubtedly improves security.
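An added example, not part of the original article: a POSIX sh check of which value sshd will actually use for the two settings, since sshd keeps the first value it reads for a keyword and lines appended below an earlier setting have no effect. The function names, the constructed sample file and the assumed defaults (Protocol 2,1 and PasswordAuthentication yes) are illustrative.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# sshd keeps the FIRST value it reads for each keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        BEGIN                   { want = tolower(want) }
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { print tolower($2); found = 1; exit }
        END                     { if (!found) print def }
    ' "$1"
}

# Check the two settings from the article. The defaults are assumptions
# matching OpenSSH of the FreeBSD 5.x era: Protocol "2,1", passwords "yes".
# Prints one line per setting; exit status is the number of failures.
sshd_audit() {       # usage: sshd_audit FILE
    fails=0
    proto=$(sshd_effective "$1" Protocol 2,1)
    pass=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$proto" = 2 ]; then echo "ok   Protocol 2"
    else echo "FAIL Protocol is $proto"; fails=$((fails + 1)); fi
    if [ "$pass" = no ]; then echo "ok   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication is $pass"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: the two lines were appended to the end of a file
# that already set PasswordAuthentication earlier, so only one applies.
write_sample() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed)
Port 22
passwordauthentication yes
Protocol 2
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
sshd_audit "$sample" || echo "$? setting(s) not in effect"
rm -f "$sample"
```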
1. Create the cvs repository
Well, the preliminary configuration is basically done. Do not forget to create a group for cvs users, such as ncvs, and a user for managing the cvs repository, such as repoman (which of course belongs to the ncvs group). Then create a directory to hold the cvs repository. In this example, we put it in /home/ncvs:
rm -rf /home/ncvs
mkdir -p /home/ncvs
chown -R repoman:ncvs /home/ncvs
chmod -R 775 /home/ncvs
The next step is to initialize the repository; simply execute:
su -l repoman
cvs -d /home/ncvs init
That is all.
Currently, the cvs included in all versions of FreeBSD has a minor security vulnerability. Although this vulnerability can only be exploited locally, we recommend that you fix it: in /usr/src/contrib/cvs/src/expand_path.c, find the
return current_parsed_root->original;
line and change it to
return current_parsed_root->directory;
Of course, the next step is to make world and kernel again. Note that if you are using 5-CURRENT, you also need to modify some code to bring it up to the level of 5.2-RELEASE (many debugging options are enabled in -CURRENT). The specific method will not be described here.
2. Configure commitmail and ACL
Configure cvs commitmail and ACL. I personally think commitmail is a very important part of team software development. For cvs this is especially important, because cvs does not have atomic commits, and commitmail makes up for this deficiency.
The FreeBSD development team uses a good set of perl scripts to provide the commitmail function. They also use cvs hooks to implement simple access control (ACL). I used a CVSROOT based on the FreeBSD CVSROOT and made a few modifications.
Use this CVSROOT to overwrite your CVSROOT. You also need to compile mailsend.c in the freebsd directory and put the result in /usr/local/bin (the scripts in CVSROOT assume this is the case). In addition, this CVSROOT must be modified before it can be officially put into use (for example, the machine name, and so on). These settings can be found in cfg_local.pm:
$MAILADDRS = 'cvs-all@example.org';
This is the address to which commitmail will be sent.
$MAIL_BRANCH_HDR = "X-Phantasm-CVS-Branch";
This is the header to be added to commitmail messages. If you use a mailing list, it can help sort the mail automatically.
$MAILBANNER = "The Phantasm Studio repository";
This line will appear in commitmail, indicating the repository to which the commit was made.
if ($hostname =~ /^cvs\.example\.org$/i)
This is the host name of the machine where commits are made.
$CVSWEB_URL = "http://cvsweb.example.org/cgi-bin/cvsweb.cgi";
This is the URL of the cvsweb service.
A brief introduction to the other files in CVSROOT:
avail: This file controls the access permissions of user groups.
access: This file controls who can perform cvs operations.
exclude: This file lists the files that do not need to be checked for the cvs tag.
options: This file controls the expansion of cvs tags. For example, you can define $Phantasm$.
3. Configure users and restrict ssh permissions
One of the headaches with ssh authentication is that it means users have a system account and can log in. If it is improperly configured, they can get a shell, which naturally becomes a potential security risk.
Therefore, you must be very careful with ssh authentication for cvs. The basic principle is: prohibit users from doing anything unless we explicitly allow it.
Follow these rules when creating a user:
The user's primary group is ncvs (this not only limits the user's permissions, but also makes it easier for us to keep other users from committing to the cvs repository).
The user does not use password authentication, which removes the security risks caused by incorrect ftp settings.
The user is still given a shell. This "shell" can be a perl script that only allows the execution of commands starting with cvs.
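One way to write the restricted "shell" from the last rule, as an added example that is not the author's script: it is POSIX sh rather than perl, and it accepts only the exact command "cvs server" instead of anything starting with cvs. The install name cvs-shell and the /usr/bin/cvs path are assumptions.

```shell
#!/bin/sh
# Added example: cvs-only login shell, installed under the assumed name
# /usr/local/bin/cvs-shell. sshd starts a user's shell as
#     <shell> -c "<command requested by the client>"
# and a cvs client using CVS_RSH=ssh requests exactly "cvs server".

CVS_BIN=/usr/bin/cvs    # assumption: cvs from the FreeBSD base system

# Print "allow" or "deny" for the arguments sshd passed to the shell.
# The command string is compared, never evaluated, and the match is
# exact: a test for "starts with cvs" would also accept a string with
# further shell syntax appended after the cvs command.
cvs_shell_decide() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] || { echo deny; return 0; }
    case "$2" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

cvs_shell_main() {
    if [ "$(cvs_shell_decide "$@")" = allow ]; then
        umask 002                  # keep repository files group-writable
        exec "$CVS_BIN" server     # fixed argv; client text is not reused
    fi
    echo "This account only accepts cvs over ssh." >&2
    exit 1
}

# Act as the login shell only when run under the assumed install name,
# so the file can be sourced or tested without side effects.
case "${0##*/}" in
    cvs-shell) cvs_shell_main "$@" ;;
esac
```

An interactive login reaches the script with no arguments and is refused, so the account cannot be used to obtain a prompt.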
Then have the users generate their own key pairs with OpenSSH's ssh-keygen. OpenSSH is included in most *BSD and Linux distributions. If you are using a Windows desktop, you need to install cygwin (in particular, install OpenSSH in the net category). The command is the same in either case:
ssh-keygen -t dsa -b 2048
For paranoid security enthusiasts, consider changing the value 2048 after -b to 4096. Of course, according to the bucket principle, if you are really paranoid, you should also force all your collaborators to use keys at least as long as yours :)