Advanced CVS/SSH Tricks

No Password Needed

This is really an ssh "feature": you generate a key pair with ssh-keygen on the client machine, take the public half (the one-line .pub file) from your account there, and append it to the end of your $HOME/.ssh/authorized_keys file on the server (repository) machine. The private half never leaves the client.

You may need to edit your sshd_config configuration file: PubkeyAuthentication yes is the setting that allows this (it is the default in OpenSSH). Also be aware that sshd silently ignores authorized_keys if your home directory, $HOME/.ssh or the file itself is writable by anyone but you (that's StrictModes, on by default). But if you haven't already figured that out, you probably shouldn't be worried about password-free access.

Presumably, you've also figured out that you need to run ssh-agent on the client so that you don't have to type in your passphrase all the time. No? Perhaps I should just stop now.
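The server-side half of this, as an added example (this is not code from the original page): a small sh script that puts a public key into an account's authorized_keys the way sshd wants it, refuses malformed keys, skips keys that are already there, and sets the modes StrictModes checks. It takes the home directory as an argument so you can try it on a scratch directory first; the key used for testing is constructed, not a real one.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into an
# account's authorized_keys the way sshd expects it. Assumptions: POSIX sh,
# OpenSSH-style one-line keys ("<type> <base64> [comment]"), and that the
# caller passes the account's home directory (so this can be tried on a
# scratch directory before touching a real account).

# key_is_valid KEYLINE -> 0 if KEYLINE looks like one OpenSSH public key.
key_is_valid() {
    key=$1
    nl=$(printf '\nx'); nl=${nl%x}
    # A key with an embedded newline would become two entries, the second
    # of them garbage that sshd logs and ignores.
    case $key in *"$nl"*) return 1 ;; esac
    # Split into words: $1 is the key type, $2 the base64 blob.
    set -- $key
    case $1 in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ]
}

# install_pubkey HOME_DIR KEYLINE -> appends KEYLINE to HOME_DIR/.ssh/authorized_keys
# unless that key is already there. Creates the directory and sets the modes
# StrictModes insists on (700 on .ssh, 600 on the file; anything group- or
# world-writable makes sshd ignore the file). Prints "added" or "present".
install_pubkey() {
    home=$1
    key=$2
    key_is_valid "$key" || { echo "not a valid public key line" >&2; return 1; }
    sshdir=$home/.ssh
    authfile=$sshdir/authorized_keys
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"
    # Match on type and blob only, so the same key with a different
    # comment is still recognised as already present.
    set -- $key
    if grep -q -F "$1 $2" "$authfile"; then
        echo present
    else
        printf '%s\n' "$key" >> "$authfile"
        echo added
    fi
}

# Usage on the real account (path from the text):
#   install_pubkey /users/friends/jsmith "$(cat jsmith.pub)"
```

Matching on type and blob rather than the whole line is deliberate: the comment at the end of a key is free text, and a key pasted twice with different comments would otherwise end up in the file twice.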

No Shell Access

Okay, so you've set up cvs and ssh and are happily running your own repository. And you set up a few accounts for your friends, and then they want to give their friends access to the tree... Since you're a nice guy, you don't have a problem with giving them access to the tree, especially the modules of your friends who are recommending them, but you're not terribly certain you want to give them actual shell accounts on your box. They might have bad habits, such as leaving their terminal at school logged in, or they might run a system that is routinely and easily compromised.

What can you do? Wouldn't it be nice if you could give 'em access to the CVS tree and nothing else?

Well, you can.

What you need

You need to have ssh installed on the server and configured so that a key in $HOME/.ssh/authorized_keys is the only way in: PubkeyAuthentication yes and PasswordAuthentication no in sshd_config. (The options you are about to prepend to a key only apply to logins with that key; a password login would sidestep them.) You need the public key of your untrusted user. And you need to know where cvs is installed.

Let's say that the CVS executable is at /bin/cvs, and that the user account is jsmith, and the home directory is /users/friends/jsmith (making the ssh directory /users/friends/jsmith/.ssh).

What you do

Leave jsmith's login shell as a real shell such as /bin/sh. It is tempting to set it to /bin/nologin or /bin/false, but sshd runs a forced command through the account's login shell (as /bin/sh -c "/bin/cvs server"), so with /bin/false the cvs server never starts and jsmith gets nothing at all, which is not what you want either. Lock the account's password instead (passwd -l on most systems) so the key really is the only way in. Then make sure that there is exactly one key in /users/friends/jsmith/.ssh/authorized_keys (the public key of jsmith's remote account). You prepend the following to that key:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/bin/cvs server" 
(There should be a space -- NOT a newline -- between the bit you're prepending and the rest of the key. Adding no-pty to the list is a good idea too: a cvs client never needs a terminal. The command= option makes sshd ignore whatever command the client asked for and run /bin/cvs server instead; the client's request is only passed along in the SSH_ORIGINAL_COMMAND environment variable.)

For example, it might look like this:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/bin/cvs server" ssh-dss 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 anyone@anywhere
It's probably best to set up a test user just for testing this. Check both directions: a checkout with cvs -d :ext:jsmith@server:/path/to/repo should work, while ssh jsmith@server and ssh jsmith@server ls should not give a shell or run ls (each just starts cvs server, which only speaks the cvs protocol on stdin and exits when you close it).
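The restricted entry can be produced and checked by script rather than by hand, which matters once you have more than one such account. This is an added example, not code from the original page; it assumes POSIX sh and cvs at /bin/cvs as in the text, and it adds no-pty to the page's option list.

```shell
#!/bin/sh
# Added example (not from the original page): turn a bare public key into the
# restricted authorized_keys entry described above, and audit an
# authorized_keys file for the "one key, fully restricted" condition.
# Assumptions: POSIX sh and cvs at /bin/cvs, as in the text.

# The page's option list plus no-pty: a cvs client never needs a terminal,
# and refusing one costs nothing. (OpenSSH 7.2 and later also accept the
# single option "restrict", which turns all of these off at once.)
CVS_KEY_OPTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/bin/cvs server"'

# restrict_key KEYLINE -> prints the restricted entry; fails if KEYLINE is
# not a bare one-line key (for instance because it already has options).
restrict_key() {
    key=$1
    nl=$(printf '\nx'); nl=${nl%x}
    case $key in *"$nl"*) echo "key must be a single line" >&2; return 1 ;; esac
    set -- $key
    case $1 in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "does not start with a key type: $1" >&2; return 1 ;;
    esac
    # A space, never a newline, separates the options from the key.
    printf '%s %s\n' "$CVS_KEY_OPTIONS" "$key"
}

# check_entry LINE -> 0 if LINE is a key carrying every option we require.
check_entry() {
    line=$1
    # The options end where the key type begins. Do not split on the first
    # space: command="/bin/cvs server" has a space inside its quotes.
    case $line in
        *' ssh-'*|*' ecdsa-sha2-'*) ;;
        *) return 1 ;;
    esac
    for want in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty \
                'command="/bin/cvs server"'; do
        case $line in *"$want"*) ;; *) return 1 ;; esac
    done
}

# audit_keys FILE -> 0 only if FILE holds exactly one entry and it passes
# check_entry; blank and comment lines are ignored, as sshd ignores them.
audit_keys() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        n=$((n + 1))
        check_entry "$line" || { echo "entry $n is not restricted" >&2; return 1; }
    done < "$file"
    [ "$n" -eq 1 ] || { echo "expected exactly one key, found $n" >&2; return 1; }
}

# Usage (paths from the text):
#   restrict_key "$(cat jsmith.pub)" > /users/friends/jsmith/.ssh/authorized_keys
#   audit_keys /users/friends/jsmith/.ssh/authorized_keys
```

audit_keys is the part worth running from cron: the recipe depends on the file staying exactly one restricted line, and a second, unrestricted key quietly appended later would hand the account a full shell.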

Note: There's apparently a shell called rssh that helps with just this. I have not tried to track it down just yet. (rssh is a restricted login shell that lets an account run only scp, sftp, cvs, rdist or rsync, so it is the right tool if you want the login shell itself, rather than a per-key forced command, to be what keeps the user out.)
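The do-it-yourself version of the same idea, as an added example (not code from the original page and not from rssh): a forced-command wrapper that you name in the key as command="/usr/local/bin/cvs-only" instead of command="/bin/cvs server". sshd already ignores whatever the client asked for when command= is set; what the wrapper adds is one log line per connection and a clear refusal for anything that is not a cvs client, instead of a silent cvs server waiting on stdin. The install path, log file and /bin/cvs location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page, and not rssh): a forced-command
# wrapper to install as, say, /usr/local/bin/cvs-only and name in the key as
# command="/usr/local/bin/cvs-only" instead of command="/bin/cvs server".
# sshd passes the command the client actually asked for to the forced
# command in SSH_ORIGINAL_COMMAND; this wrapper starts cvs server only when
# that is what was asked for, and logs every connection either way.
# Assumptions: POSIX sh, cvs at /bin/cvs, a log file the restricted
# accounts can append to.

CVS=/bin/cvs
LOG=/var/log/cvs-only.log

# decide REQUESTED -> prints "allow" if REQUESTED is what a cvs client
# sends ("cvs server", possibly with a path when CVS_SERVER is set on the
# client), "deny" for anything else, including an empty request (plain
# "ssh jsmith@server" with no command).
decide() {
    case $1 in
        'cvs server'|*'/cvs server') echo allow ;;
        *) echo deny ;;
    esac
}

# log_attempt VERDICT REQUESTED -> appends one line: time, user, client IP,
# verdict and the literal request, so probing shows up in the log.
log_attempt() {
    printf '%s user=%s from=%s verdict=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        "${SSH_CONNECTION%% *}" "$1" "$2" >> "$LOG"
}

# Act only inside an ssh session (sshd sets SSH_CONNECTION for every one);
# when the file is sourced elsewhere, only the functions are defined.
if [ -n "${SSH_CONNECTION:-}" ]; then
    req=${SSH_ORIGINAL_COMMAND:-}
    verdict=$(decide "$req")
    log_attempt "$verdict" "$req"
    [ "$verdict" = allow ] || { echo "this account is for cvs only" >&2; exit 1; }
    exec "$CVS" server
fi
```

Like /bin/cvs server itself, the wrapper is started through the account's login shell, so it needs that shell to be a real one; and the match is on the whole request, so "cvs server; sh" is refused rather than partially honoured.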



$Id: cvs-over-ssh-advanced.html,v 1.4 2004/01/21 03:28:01 stremler Exp $