Documentation of the Installation of a non-public cvs server
=============================================================

author : spirit
date   : 2005-01-29

basic info :

  cvs is a version control system that allows you to record the history of
  source files (and other documents) and detects conflicts between different
  source versions, allowing a group of developers to work on a software
  project simultaneously

goals :

  - setting up a CVS server that will be used to host several software
    projects
  - each project should have its own cvs repository, only members
    (developers) of the appropriate project should have access to the source
    code of the project
  - secure access method

environment :

  some special circumstances have to be dealt with :

  - access to the cvs server will only be possible via port forwarding of
    another machine because the cvs server itself has a private range IP
    address
  - only 1 port will be forwarded to the cvs server, and that port will NOT
    be the default ssh port but port 2222 (because the forwarding machine
    also runs sshd and needs port 22 for itself)

  NOTE : these circumstances don't make any difference to the setup of the
  cvs server, they are only interesting for the cvs client machines

software used :

  - debian GNU/Linux 3.0 woody : http://www.debian.org/
  - cvs : http://www.gnu.org/software/cvs/
  - ssh : http://www.openssh.org/

OS installation :

  - installed debian woody (stable) base system from CD (no tasksel, no
    aptitude, no X, nothing but base system)
  - updated /etc/apt/sources.list with server info
  - system update
  - built new kernel with grsecurity
  - installed the grub bootloader, set encrypted password

configuration :

  - created a user account for the cvs admin
  - created user accounts for cvs users
  - created a group cvs- for the members of each project and added
    appropriate users
  - created a group wheel and restricted the use of su to members of this
    group via /etc/pam.d/su
  - placed the cvs admin in the wheel group

other software :

  - installed some very essential tools via apt-get :
    - less
    - vim
  - installed sshd and configured it to
    - listen on port 2222
    - disallow root-login
    - allow login only to desired cvs users
  - installed cvs (pserver access disabled)
  - created directories /var/lib/cvs/ for each software project
  - created the cvs repositories in each directory :

      cvs -d /var/lib/cvs/ init

  - adapted file system permissions of the directories

      cd /var/lib/cvs/
      chgrp -R cvs- .
      chmod ug+rwx . CVSROOT

client setup :

  the following steps should be taken on all client machines (i.e. the
  laptops of the developers), not on the cvs server itself

  - install ssh and cvs
  - tell cvs to use ssh for authentication
    - place the following line in the .bashrc of the cvs user (bash syntax) :

        export CVS_RSH=ssh

  - tell cvs where our default repository is so we don't have to set it
    manually on each cvs command
    - place the following line in the .bashrc of the cvs user (bash syntax,
      replace cvs.server.org with the IP or DNS-name of your server)

        export CVSROOT=@cvs.server.org:/var/lib/cvs//

  - deal with our special circumstances (see the environment section above
    for details)
    - make sure that cvs connects to the ssh server on the cvs machine, not
      to the ssh server on the box that does the port forwarding :
      To accomplish this, we need to tell ssh to connect to port 2222 on the
      forwarding machine, not on the default port 22. This can be achieved
      by adding the following lines to the user's .ssh/config (or
      /etc/ssh/ssh_config) :

        Host cvs.server.org
            Hostname cvs.server.org
            Port 2222

      You should obviously replace cvs.server.org with the IP or DNS-name of
      your cvs server
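
The permission step in the server section (chgrp -R, then chmod ug+rwx on "." and CVSROOT) does not change the bits for "other", so whether non-members are locked out of a project depends on what was already set. The function below is an added example, not part of the original document: it audits one project's repository directory, and its name and its ROOT and GROUP arguments are hypothetical.

```shell
# audit_cvs_repo ROOT GROUP   (hypothetical helper, not from the original page)
#   ROOT  : one project's repository directory under /var/lib/cvs
#   GROUP : the group created for that project's members
# returns 0 = clean, 1 = findings printed, 2 = could not run the check
audit_cvs_repo() {
    root=$1 group=$2
    if [ ! -d "$root" ] || [ -z "$group" ]; then
        echo "usage: audit_cvs_repo ROOT GROUP" >&2
        return 2
    fi
    status=0

    # chmod ug+rwx leaves the "other" bits as they were, so look for any
    # r, w or x bit still granted to non-members (symlink modes are ignored)
    open=$(find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print) || return 2
    if [ -n "$open" ]; then
        printf 'accessible to non-members:\n%s\n' "$open"
        status=1
    fi

    # files the recursive chgrp missed or that were created with another group;
    # find fails on an unknown group name, which must not count as a pass
    stray=$(find "$root" ! -type l ! -group "$group" -print) || return 2
    if [ -n "$stray" ]; then
        printf 'not owned by group %s:\n%s\n' "$group" "$stray"
        status=1
    fi

    # the page's chmod targets "." and CVSROOT: members need rwx on both
    for d in "$root" "$root/CVSROOT"; do
        if [ ! -d "$d" ]; then
            printf 'missing directory: %s\n' "$d"
            status=1
        elif [ -z "$(find "$d" -prune -perm -070 -print)" ]; then
            printf 'group lacks rwx on: %s\n' "$d"
            status=1
        fi
    done
    return "$status"
}
```

Run it once per project directory from an account that can read the whole tree; a traversal error returns 2 rather than a pass.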