CVS---Concurrent Versions System. Node: Password authentication server

Up: Password authenticated. Next: Password authentication client.

2.9.3.1: Setting up the server for password authentication

First of all, you probably want to tighten the permissions on the `$CVSROOT' and `$CVSROOT/CVSROOT' directories. See Password authentication security, for more details.

On the server side, the file `/etc/inetd.conf' needs to be edited so inetd knows to run the command cvs pserver when it receives a connection on the right port. By default, the port number is 2401; it would be different if your client were compiled with CVS_AUTH_PORT defined to something else, in which case the server must listen on that port instead.

If your inetd allows raw port numbers in `/etc/inetd.conf', then the following (all on a single line in `inetd.conf') should be sufficient:

2401  stream  tcp  nowait  root  /usr/local/bin/cvs
cvs --allow-root=/usr/cvsroot pserver

You could also use the `-T' option to specify a temporary directory.

The `--allow-root' option specifies the allowable CVSROOT directory. Clients which attempt to use a different CVSROOT directory will not be allowed to connect. If there is more than one CVSROOT directory which you want to allow, repeat the option.

If your inetd wants a symbolic service name instead of a raw port number, then put this in `/etc/services':

cvspserver      2401/tcp

and put cvspserver instead of 2401 in `inetd.conf'.

Once the above is taken care of, restart your inetd, or do whatever is necessary to force it to reread its initialization files.

Because the client stores and transmits passwords in cleartext (almost---see Password authentication security, for details), a separate CVS password file may be used, so people don't compromise their regular passwords when they access the repository. This file is `$CVSROOT/CVSROOT/passwd' (see Intro administrative files). Its format is similar to `/etc/passwd', except that it only has two or three fields, username, password, and optional username for the server to use. For example:

bach:ULtgRLXo7NRxs
cwang:1sOp854gDF3DY

The password is encrypted according to the standard Unix crypt() function, so it is possible to paste in passwords directly from regular Unix `passwd' files.

When authenticating a password, the server first checks for the user in the CVS `passwd' file. If it finds the user, it compares the supplied password against that entry only. If it does not find the user, or if the CVS `passwd' file does not exist, then the server tries to match the password using the system's user-lookup routine. (Use of the system's user-lookup routine can be disabled by setting SystemAuth=no in the config file, see config.) When using the CVS `passwd' file, the server runs as the username specified in the third field of the entry, or as the first field if there is no third field; in this way CVS allows imaginary usernames, provided the CVS `passwd' file maps them to valid system usernames. In any case, CVS will have no privileges which the (valid) system user would not have.

It is possible to ``map'' cvs-specific usernames onto system usernames (i.e., onto system login names) in the `$CVSROOT/CVSROOT/passwd' file by appending a colon and the system username after the password. For example:

cvs:ULtgRLXo7NRxs:kfogel
generic:1sOp854gDF3DY:spwang
anyone:1sOp854gDF3DY:spwang

Thus, someone remotely accessing the repository on `chainsaw.yard.com' with the following command:

cvs -d :pserver:cvs@chainsaw.yard.com:/usr/local/cvsroot checkout foo

would end up running the server under the system identity kfogel, assuming successful authentication. However, the remote user would not necessarily need to know kfogel's system password, as the `$CVSROOT/CVSROOT/passwd' file might contain a different password, used only for CVS. And as the example above indicates, it is permissible to map multiple cvs usernames onto a single system username.
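The lookup order and username mapping described above, as an added example that is not part of the CVS manual or CVS's own code: it parses a constructed `$CVSROOT/CVSROOT/passwd' in the two- or three-field format shown, checks the CVS file before the system's user-lookup, honours SystemAuth=no, and returns the system identity the server would run as. The hashes are generated at runtime with Python's crypt module (the same Unix crypt() the page names) where it is available; where the module is missing (Python 3.13 and later), a clearly labelled stand-in hash keeps the example runnable but is not crypt(). The sample users, passwords, the `system_lookup' stand-in and the `SystemAuth' parameter name are assumptions made for this example.

```python
import hashlib
import hmac
import warnings


def _try_crypt():
    """Return the crypt module if it exists and works on this system, else None."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt  # Unix crypt(3); removed from the stdlib in Python 3.13
        probe = crypt.crypt("probe", crypt.mksalt())
        return crypt if probe else None
    except ImportError:
        return None


_CRYPT = _try_crypt()


def hash_password(password):
    """Hash a password the way an entry in the CVS passwd file is stored."""
    if _CRYPT is not None:
        return _CRYPT.crypt(password, _CRYPT.mksalt())
    # Stand-in only (assumption): NOT crypt(3). Used so the example runs where
    # the crypt module is unavailable; never use this in a real deployment.
    salt = "ab"
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]


def check_password(password, stored):
    """Compare a candidate password against a stored hash, as the server does."""
    if _CRYPT is not None:
        # crypt() reads the salt out of the stored hash; a match reproduces it.
        return hmac.compare_digest(_CRYPT.crypt(password, stored) or "", stored)
    salt = stored[:2]
    candidate = salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return hmac.compare_digest(candidate, stored)


def parse_cvs_passwd(text):
    """Parse $CVSROOT/CVSROOT/passwd: 'user:hash' or 'user:hash:system_user'.

    Returns {cvs_user: (hash, run_as_system_user)}. The first entry for a
    username wins; lines with the wrong field count are skipped.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (2, 3):
            continue
        user, pw_hash = fields[0], fields[1]
        # Assumption: an empty third field is treated like a missing one.
        run_as = fields[2] if len(fields) == 3 and fields[2] else user
        entries.setdefault(user, (pw_hash, run_as))
    return entries


def authenticate(username, password, cvs_entries, system_lookup, system_auth=True):
    """Return the system username to run the server as, or None on failure.

    Order follows the manual: the CVS passwd file is consulted first, and if
    the user is found there only that entry is compared (no fallback to the
    system password). The system user-lookup is tried only when the user is
    absent from the CVS file and SystemAuth is not 'no'.
    """
    entry = cvs_entries.get(username)
    if entry is not None:
        pw_hash, run_as = entry
        return run_as if check_password(password, pw_hash) else None
    if not system_auth:
        return None
    sys_hash = system_lookup(username)
    if sys_hash is None:
        return None
    return username if check_password(password, sys_hash) else None


# Constructed sample data: the manual's usernames with passwords chosen here.
_PASSWORDS = {"cvs": "cvs-only-secret", "generic": "shared-secret", "bach": "bach-secret"}
SAMPLE_CVS_PASSWD = "\n".join([
    "cvs:%s:kfogel" % hash_password(_PASSWORDS["cvs"]),
    "generic:%s:spwang" % hash_password(_PASSWORDS["generic"]),
    "anyone:%s:spwang" % hash_password(_PASSWORDS["generic"]),
    "bach:%s" % hash_password(_PASSWORDS["bach"]),
])
CVS_ENTRIES = parse_cvs_passwd(SAMPLE_CVS_PASSWD)

# Constructed stand-in for the system's user-lookup routine (e.g. /etc/shadow).
_SYSTEM = {"kfogel": hash_password("kfogel-system-password")}


def system_lookup(username):
    return _SYSTEM.get(username)


if __name__ == "__main__":
    print(authenticate("cvs", "cvs-only-secret", CVS_ENTRIES, system_lookup))
    print(authenticate("cvs", "kfogel-system-password", CVS_ENTRIES, system_lookup))
    print(authenticate("kfogel", "kfogel-system-password", CVS_ENTRIES, system_lookup, system_auth=False))
```

The second and third calls show the two checks a practitioner usually wants to confirm: a username present in the CVS `passwd' file can only authenticate with its CVS-specific password (kfogel's system password does not work for the cvs login), and with SystemAuth=no a system account absent from the CVS file cannot log in at all.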

This feature is designed to allow people repository access without full system access (in particular, see Read-only access); however, also see Password authentication security. Any sort of repository access very likely implies a degree of general system access as well.

Right now, the only way to put a password in the CVS `passwd' file is to paste it there from somewhere else. Someday, there may be a cvs passwd command.
