[cvsnt] Securing pserver on CVSNT: tunneling with ssh

Damien Moore damien.moore at excite.com
Tue Aug 8 22:03:40 BST 2006

Hi All. I'm a new to all things CVS, but have just spent a frustrating 3 days configuring a CVSNT server for my Windows XP LAN at home to handle something more secure than the straight pserver protocol. I finally settled on tunneling pserver ports through ssh. I'm writing to pass on my experience to any other newbies who want to configure their CVSNT server and clients for a secure protocol and as a way of remembering what i did to get it all working. I sure could have used this advice in my own quest. I'd also appreciate any feedback from more experienced users (e.g. is what i've done sufficiently secure? what other protocols could i try). Perhaps something like the instructions at the bottom of my message could be added to the wiki (or not). I hope I'm not overstepping a line by advocating the use of programs external to CVSNT (Feel free to tell me to pull my head in if that's the case). 

Damien Moore

Back Story

First things first, let me say that installation of the CVSNT client/server binaries and basic setup as per the wiki was a breeze. I had the repository up and running with pserver acess on my LAN within an hour. That's pretty good for someone who's never used CVS before and has very limited network knowldge. 

So now I decided to make my life complicated. On the off chance that I would be using CVS from outside my LAN (e.g. from work or while travelling) I decided that I needed to use a more secure protocol than pserver. My options were SPSS, SSERVER, and the (apparently dreaded) SSH. My problem is I was constrained by having users on my LAN who refuse to have passwords (I don't have the luxury of running a dedicated CVS server). This basically ruled out SPSS because I was under the impression it relies on all users having passwords to maintain security (is this true? is there a way to restrict the user list for SPSS access?).

This left me with either SSERVER or SSH. Perhaps I just fundamentally don't understand how to use these protocols, but I could not get either one to work. It doesn't help that neither of them is all that well documented. 

For SSERVER, CVSNT supports it natively with little or no configuration changes. I got it working, but not all of the cvs clients I wanted to use were happy with it. (mostly netbeans)

So my final hope rested with SSH. I downloaded and installed CYGWIN with OPENSSH (not realizing there was a sshwindows, which might have made things easier since I could have avoided the complexity of CygWin). The openssh server was pretty easy to setup following directions here (http://www.chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html) and i could ssh my cvs server from my laptop on the lan using public key access with passwords. Unfortunately that's about as far as I got. Any attempts to invoke "cvs -d :ssh:cvsuser at cvsserver:/cvsrepository command" either lead to freezes, messages about authentication required etc. This was after many hours playing with windows environment settings, cygwin settings etc. With my inexperience I probably did more harm then good. I was contemplating starting afresh with this tutorial (http://www.cascadetg.com/cvs/) but decided that i just wanted something as simple as pserver and ssh was getting too hard...

Almost ready to give up, I stumbled on tunneling pserver ports with ssh. This offers the simplicity of continuing to use pserver on the client side (which is most compatible with IDEs such as netbeans and eclipse) but the full security of ssh. The only drawbacks is that your clients must run an ssh shell in the background with a secure tunnel to port 2401 on the server (guess that means you also need to trust your users or put tight restrictions on what users can do in the shell). All passwords and pserver requests get passed down the secure ssh connection. I'm going to list my approximate installation steps for anyone else who wants to try this (I can expand these into more detailed steps at a later date if anyone is interested or wants to help)

Instructions to setup CVSNT server and client for pserver tunneling via SSH

1. Download and install CVSNT onto your intended CVS server. Set it up for basic pserver access following the instructions on the CVSNT wiki here (http://www.cvsnt.org/wiki/). Also create a repository and at least one user with a password (I guess you should make the password something different from the windows user passwords). Your CVSNT install has to leave authentication/encription as optional (under server settings) to allow pserver. you don't need to open port 2401 on your firewall.
2. Download and install a SSH server onto your CVS server. I used openssh+cygwin following the instructions here (http://www.chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html). I limited the users who could log into the SSH shell by editing the file /etc/passwd on cygwin (apparently this is much more user friendly with sshwindows, which you can find here (http://sshwindows.sourceforge.net/download/)). Make sure you generate your key.
3. No additonal configuration of the SSH or CVSNT services on your server is required. you just need to have port 22 open on any firewalls to allow ssh connections. port 2401 can be closed on the firewall. If you are using both Windows firewall on the server and also have a firewall on your router (assuming you use one), you will need to configure port 22 access on both.
4. Install a SSH client on your client machine. I used putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/). Good time to make sure you can ssh your server from the client, so go ahead and run putty and connect to the server. 
5. Install a CVS client on your client machine. e.g. use WinCVS (otherwise use an IDE that supports CVS with pserver - e.g. netbeans)
6. Create the SSH tunnel on the client machine. The following are specific steps for putty
a. open putty on the client machine
b. You should be on the Sessions page: select SSH as connection. Fill in the hostname with "username at servername" where username is on the list of openssh (or windowsssh) users and servername is the name of the CVS server. make sure ssh and port 22 are specified
c. Go to the tunnels page (Under connections, SSH, tunnels): Under add new forwarded port enter "2401" for the source port. In the destination enter "localhost:2401" the default check buttons "local" and "auto" should work. Click add
d. Go back to the session page. Enter a session name under Saved Sessions (e.g. "cvs") and click save.
e. Click open. enter the password for the ssh username and leave putty open. (the ssh client must remain open to keep the tunnel active)
7. now you can run CVS through pserver. The only wrinkle here is that you need to tell the CVS client that the server name is "localhost" and not the name of your cvs server (the ssh tunnel will forward the localhost port calls to the cvs server)
For example from the command line on the client machine (i.e. windows start menu... run... cmd...) enter: 
cvs -d cvsuser:pserver:@localhost:/repository command
where "cvsuser" is a registered username in the CVS root, "repository" is the repository path that you created at step 1
and "command" is any cvs command (e.g. "login" to log in, "ls" to list the content, "co" to check out etc.)

[this has been cobbled together from a variety of other sources around the net in addition to those referenced above]

Join Excite! - http://www.excite.com
The most personalized portal on the Web!

More information about the cvsnt mailing list