Go forward to Password authentication client.
Go up to Password authenticated.
Setting up the server for password authentication
.................................................
On the server side, the file `/etc/inetd.conf' needs to be edited so
`inetd' knows to run the command `cvs pserver' when it receives a
connection on the right port. By default, the port number is 2401; it
would be different if your client were compiled with `CVS_AUTH_PORT'
defined to something else, though.
If your `inetd' allows raw port numbers in `/etc/inetd.conf', then
the following (all on a single line in `inetd.conf') should be
sufficient:
2401 stream tcp nowait root /usr/local/bin/cvs
cvs -b /usr/local/bin --allow-root=/usr/cvsroot pserver
The `-b' option specifies the directory which contains the RCS
binaries on the server. You could also use the `-T' option to specify
a temporary directory.
The `--allow-root' option specifies the allowable CVSROOT directory.
Clients which attempt to use a different CVSROOT directory will not be
allowed to connect. If there is more than one CVSROOT directory which
you want to allow, repeat the option.
If your `inetd' wants a symbolic service name instead of a raw port
number, then put this in `/etc/services':
cvspserver 2401/tcp
and put `cvspserver' instead of `2401' in `inetd.conf'.
Once the above is taken care of, restart your `inetd', or do
whatever is necessary to force it to reread its initialization files.
Because the client stores and transmits passwords in cleartext
(almost--see See Password authentication security, for details), a
separate CVS password file may be used, so people don't compromise their
regular passwords when they access the repository. This file is
`$CVSROOT/CVSROOT/passwd' (see Intro administrative files.). Its
format is similar to `/etc/passwd', except that it only has two fields,
username and password. For example:
bach:ULtgRLXo7NRxs
cwang:1sOp854gDF3DY
The password is encrypted according to the standard Unix `crypt()'
function, so it is possible to paste in passwords directly from regular
Unix `passwd' files.
When authenticating a password, the server first checks for the user
in the CVS `passwd' file. If it finds the user, it compares against
that password. If it does not find the user, or if the CVS `passwd'
file does not exist, then the server tries to match the password using
the system's user-lookup routine. When using the CVS `passwd' file,
the server runs under as the username specified in the the third
argument in the entry, or as the first argument if there is no third
argument (in this way CVS allows imaginary usernames provided the CVS
`passwd' file indicates corresponding valid system usernames). In any
case, CVS will have no privileges which the (valid) user would not have.
It is possible to "map" cvs-specific usernames onto system usernames
(i.e., onto system login names) in the `$CVSROOT/CVSROOT/passwd' file
by appending a colon and the system username after the password. For
example:
cvs:ULtgRLXo7NRxs:kfogel
generic:1sOp854gDF3DY:spwang
anyone:1sOp854gDF3DY:spwang
Thus, someone remotely accessing the repository on
`chainsaw.yard.com' with the following command:
cvs -d :pserver:cvs@chainsaw.yard.com:/usr/local/cvsroot checkout foo
would end up running the server under the system identity kfogel,
assuming successful authentication. However, the remote user would not
necessarily need to know kfogel's system password, as the
`$CVSROOT/CVSROOT/passwd' file might contain a different password, used
only for CVS. And as the example above indicates, it is permissible to
map multiple cvs usernames onto a single system username.
This feature is designed to allow people repository access without
full system access (in particular, see See Read-only access);
however, also See Password authentication security. Any sort of
repository access very likely implies a degree of general system access
as well.
Right now, the only way to put a password in the CVS `passwd' file
is to paste it there from somewhere else. Someday, there may be a `cvs
passwd' command.