MFhome.net - Marcus' HomeSitemap|Contact

CVS help - Configuration for use via SSPI

Diese Seite wurde zuletzt am 09.07.2004 geändert.

You can start using cvs just now, but I prefer to configurate it, only for security reasons. Note: The configuration explained on this page is for use with :sspi: only. For other protocols you probably have to change some things.

When you start using, sspi will accept connections from all system users that authenticate against the system (local or domain). If you don't want to change this you can go on with the usage. But often this is not really what we want, instead we want to use the same mechanism as is used with :pserver:. Here the CVSROOT/passwd file limits the logins accepted by CVSNT to those mentioned in the file. With :sspi: this is quite possible.

We'll also define an account that should be CVS administrator.

Limiting user access with sspi

If you want only some system users to be allowed to connect to CVS-server you have to list their account login names in the passwd file. You also have to set a parameter, so let's see. Note: You have to be logged in as a member of windows administrative group.

  1. Open the commandline and enter 
    set cvsroot=:sspi:<computername>:/<repository>
    e.g.: 
    set cvsroot=:sspi:fuchs:/testrep
  2. Add a new user with the passwd-command 
    cvs passwd -a <newuser>
    e.g.: 
    cvs passwd -a Administrator
    Administrator is the Account known to Windows. [ 1 ] Why is there the parameter -a?
  3. You should see something like 
    Adding user Administrator@fuchs
New password:
  4. Just press Enter, while sspi does not need a password, read [ 2 ] for an explanation. And on 
    Verify password:
    also just press enter.
  5. If you see a message like 
    cvs [server aborted]: Only administrators can add or change another's password
    you are not logged in as an administrator.
  6. This is optional, read [ 3 ].

Just now everyone could connect to our CVS-server, so finally we have to edit a file named config. To edit this file we have to checkout our first module - CVSROOT. Lets use the first time CVS.

  1. Create a directory you want to have your local copies in. 
    mkdir <Your Sandboxdirectory>
    e.g.: 
    mkdir sandboxes
    And change to it 
    cd sandboxes
  2. Checkout CVSROOT [ 4 ] with following command 
    cvs co CVSROOT
    You should see an output like this: 
    cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/taginfo
U CVSROOT/verifymsg
cvs server: Updating CVSROOT/Emptydir
  3. Change to the newly created directory 
    cd CVSROOT
  4. Enter 
    edit config
    which opens config in an editor. You can open this file with any texteditor as well.
  5. Simply add a new line and type 
    SystemAuth=no
  6. Save and close the file.
  7. Commit your changes to the repository. Therefor first enter 
    cvs status -q
    For an explanation see [ 5 ]. You'll see a message like 
    cvs server: Examining .
File: checkoutlist      Status: Up-to-date
File: commitinfo        Status: Up-to-date
File: config            Status: Locally Modified
File: cvswrappers       Status: Up-to-date
File: editinfo          Status: Up-to-date
File: loginfo           Status: Up-to-date
File: modules           Status: Up-to-date
File: notify            Status: Up-to-date
File: rcsinfo           Status: Up-to-date
File: taginfo           Status: Up-to-date
File: verifymsg         Status: Up-to-date
cvs server: Examining Emptydir
  8. To commit your changes enter: 
    cvs ci -m<Log message>
    e.g.: 
    cvs ci -m"SystemAuth were set to no"
    The output should look like: 
    cvs commit: Examining .
cvs commit: Examining Emptydir
Checking in config;
/testrep/CVSROOT/config,v  <--  config
new revision: 1.2; previous revision: 1.1
done
cvs server: Rebuilding administrative file database
  9. Done. Now noone could connect to CVS-server if he isn't noted in passwd.

Administrating the repository, users with admin rights

As you could read above: By default only users of the windows administrative group could add a new user to CVS. That's because of no other definition, and therefor the system admin(s) are taken as CVS admin(s). But with editing a file called admin you can define the system user(s) that should be CVS admin(s). This file has to be edited directly on the server and should not be handled via CVS.

  1. Create a textfile called "admin" in CVSROOT\
  2. Enter every Account, that should be allowed to administrate CVS, to a seperate line. After that it could look somethink like this: 
    #CVSROOT\admin
Tony
Bo
#This is an example only.
    In the above example only the two accounts "Tony" and "Bo" could administrate CVS. Lines starting with "#" are comments.
  3. Save and close the file.

That's it, configuration is done and we can now start using our own CVS-server.

[1] To get help for a command just enter cvs -H <command>.
Try it with cvs -H <passwd> and you'll see why we used -a.

[2] Note that there is no need for entering passwords, sspi uses the system login and the passwd file is only used as a list of accepted users.

[3] With the steps b to d you can always add a user, if you are a CVS admin.

[4] CVSROOT is a module like any other you could add later on, but with files used by CVS.

[5] You should always do this before commit changes. I recommend you to read the installed docs.

Remember: I tested this, where Server and Client are running the same machine with Windows 2000 Pro.