Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Setting up a CVS pserver/xinetd step by step+security issues
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
dreambox
Tux's lil' helper
Tux's lil' helper


Joined: 09 Mar 2003
Posts: 137

PostPosted: Thu May 22, 2003 7:39 pm    Post subject: Setting up a CVS pserver/xinetd step by step+security issues Reply with quote

Hello,

Sorry if it looks a duplicate post. This post is a personal effort and contains also security issues using pserver connections :)

Three days ago, I had to set up a secure cvs pserver. After spending many hour reading the doc at the excellent site www.cvshome.org, I successfully set it up running it with inetd.

I know that the most secure is to use SSH connection since in pserver authentication passwords are sent in clear, but i tried to focus on the state of art of doing it. Today, I tried to set it up with xinetd but some security issues raised that i didn't solve it yet, but this setting should work very fine if u're not paranoid with security :lol:

Here are the steps I used to setup my cvs server :

1) Login as root and create a user/group cvs/cvs. Note: The repository is inside the user's home and not the user's home, this would allow you later to create many repositories as u want in the user's home ( Easier to manage )

Code:

    # groupadd cvs
    # mkdir -p /var/home/cvs
    # useradd -d /var/home/cvs -g cvs -s /bin/bash -p <cvs_passwd> cvs
    # chown -R cvs:cvs /var/home/cvs
    # su - cvs
    /> cvs -d /var/home/cvs/repository init
    /> chmod g+rwx /var/home/cvs/repository
    /> exit


2) Create users anoncvs and usercvs. anoncvs will be allowed to read repository but cannot write. usercvs will be allowed to read/write in repository

Code:

    # useradd -d /var/home/cvs -g cvs -s /bin/false usercvs
    # usermod -L usercvs        ( Lock user password )
    # useradd -d /var/home/cvs -g cvs -s /bin/false anoncvs
    # usermod -L anoncvs       ( Lock user password )


3) We want to use pserver authentication and don't want cvs to fallback to system authentication when user doesn't exist. Doing this, we are trying to secure at maximum access to cvs :). Here are the steps:

We have to store users and encrypted passwords in /var/home/cvs/repository/CVSROOT/passwd

Using ur favourite editor, add entries of this form in /var/home/cvs/repository/CVSROOT/passwd:

<cvs_user>:<encrypted_password>:<unix_user>

We encrypt cvs user's password using this well known perl script:

Code:

#!/usr/bin/perl
 
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
 
print "${crypttext}\n";


You can create for example a bin directory in cvs home, copy and paste the script to file cryptout in that directory. Then chmod +x cryptout and add $HOME/bin to PATH variable in file .bash_profile. Syntax of cryptout is:

cryptout <clear_text_password>

it'll produce an encrypted password as the ones stored in /etc/passwd.

Here an example of passwd file:


james:qPd3FRr4r3ln2:usercvs
dreambox:AGJaHG3LxpYoA:usercvs
anoncvs::anoncvs


Typical scenario, users james and dreambox would have read/write access to the repository, and anoncvs would have only read access without having to enter a password.

Note: In practice james and dreambox don't exist in the system as unix users, they are virtual cvs users.

To disable cvs to fallback into system authentication when user doesn't exist we have to modify the file under /var/home/cvs/CVSROOT/config.

To set read/write permissions in repository we have to create 2 files ( readers and writers ) also under /var/home/cvs/CVSROOT. Users in readers file are only allowed to read repository. Users in writers are allowed to read/write in repository.

config, readers, writers have to be versionned, so first we checkout module CVSROOT :

Code:

/> cvs -d /var/home/cvs/repository co CVSROOT

cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/taginfo
U CVSROOT/verifymsg


Uncomment line #SystemAuth=no . This will inform cvs to not check in /etc/passwd when user doesn't exist in CVSROOT/passwd

Code:

/> echo james > writers
/> echo dreambox >> writers
/> echo >> writers        ( We have to add new line after adding last user )

/> echo anoncvs > readers
/> echo >> readers       ( We have to add new line after adding last user )

/> cvs -d /var/home/cvs/repository add readers writers
cvs server: scheduling file `readers' for addition
cvs server: scheduling file `writers' for addition
cvs server: use 'cvs commit' to add these files permanently

/> cvs -d /var/home/cvs/repository ci -m "Updated administration files"
cvs commit: Examining .
Checking in config;
/var/home/cvs/repo/CVSROOT/config,v  <--  config
new revision: 1.2; previous revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/readers,v
done
Checking in readers;
/var/home/cvs/repo/CVSROOT/readers,v  <--  readers
initial revision: 1.1
done
RCS file: /var/home/cvs/repo/CVSROOT/writers,v
done
Checking in writers;
/var/home/cvs/repo/CVSROOT/writers,v  <--  writers
initial revision: 1.1
done
cvs commit: Rebuilding administrative file database


Now, we setup xinetd :

Edit as root file /etc/xinetd.d/cvspserver. Mine looks like this :

Code:

service cvspserver
{
        disable            = no
        socket_type        = stream
        wait               = no
        user               = root
        log_type           = FILE /var/log/cvspserver
        protocol           = tcp
        env                = '$HOME=/var/home/cvs'
        log_on_failure     += USERID
        port               = 2401
        server             = /usr/bin/cvs
        server_args        = -f --allow-root=/var/home/cvs/repository pserver
}


Save modification to file end execute the following to start xinetd at boot time ( If it is not set yet ):
Code:

# rc-update add xinetd boot


Congratulations if u arrived here :D , now it should work fine after a reboot or ( /etc/init.d/xinetd start for those who are in a hurry to test ) :

Your can start testing security by trying to import a directory as anoncvs for example ( cvs will not allow u ) :

Code:

/> mkdir project
/> cd project
/> touch dreambox
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository login  ( Press return when asked a password )
/> cvs -d :pserver:anoncvs@localhost/var/home/cvs/repository import -m "Trying to import" myproject vendor start


You should see something like this on ur screen :
Code:

cvs server: cannot open /var/home/cvs/repository/CVSROOT/readers: Permission denied
cvs [server aborted]: "import" requires write access to the repository


OK, know, I'd like to discuss another security issue which is giving me headaches :

The files CVSROOT/*info can be used to execute programs such as sendmail to notify some users of an update, commit,... The thing is that one malicious guy ( such as james or dreambox ) who has write access to repository can checkout CVSROOT and add entries in that files to execute a malicious program and gain access to private ressources in the system !!! :twisted:. So, I decided to re-enforce security by creating another unix group ( admincvs ). All users in that group and only that users have read/write access to CVSROOT ( Of course these users should be trustable in their intentions :roll: ). Users in the group admincvs should only read and update CVSROOT module. Allowing them to import other modules that are intented to be shared would forbid other users ( running as usercvs ) to update those modules...

OK, here it is:

We create admincvs group and admincvs user :
Code:

# groupadd admincvs
# useradd -d /var/home/cvs -g cvs -s /bin/false admincvs
# usermod -L admincvs        ( Lock user password )



We change the group owner of CVSROOT directory and disable
read/write/exec access to that directory to other users
Code:

# cd /var/home/cvs/cvsrepository
# chgrp -R admincvs CVSROOT
# chmod o-rwx CVSROOT


add the following entry to CVSROOT/passwd ( using bin/cryptout perl program to crypt password ):
Code:

admincvs:<crypted_passwd>:admincvs


Lets test it. Try to checkout CVSROOT as a normal user who has read/write access to repository but not to CVSROOT :

Code:

/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository co CVSROOT


You should get the following message:
Code:

Cannot access /var/home/cvs/repo/CVSROOT
Permission denied


Now try with admincvs:
Code:

/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:admincvs@localhost/var/home/cvs/repository co CVSROOT


You should get this:
Code:

cvs server: Updating CVSROOT
U CVSROOT/checkoutlist
U CVSROOT/commitinfo
U CVSROOT/config
U CVSROOT/cvswrappers
U CVSROOT/editinfo
U CVSROOT/loginfo
U CVSROOT/modules
U CVSROOT/notify
U CVSROOT/rcsinfo
U CVSROOT/readers
U CVSROOT/taginfo
U CVSROOT/verifymsg
U CVSROOT/writers


Then, you would ask me: What's ur problem dreambox, everything is working fine :lol:, but then I would ask u to try to import a directory as user who has read/write access to repository ( james o dreambox ) :
Code:

/> mkdir test
/> cd test
/> touch test.file
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository login  ( Enter password when asked )
/> cvs -d :pserver:dreambox@localhost/var/home/cvs/repository import -m "I want to import" test vendor start


You should get the following:
Code:

Cannot access /var/home/cvs/repo/CVSROOT
Permission denied


Now, I would ask what the hell I did wrong ?

Code:

/> ls -l repository
drwxrwx---    3 cvs      admincvs     1224 May 22 20:21 CVSROOT



Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!


Thanks for reading all this :D, I know, It was long and maybe redundunt :oops:

I would appreciate any feedback :idea:

Regards
dreambox
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Back to top
View user's profile Send private message
mog
Apprentice
Apprentice


Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]

PostPosted: Thu Aug 14, 2003 9:33 pm    Post subject: Reply with quote

great post ... thumbs up ... :lol:

maybe you could add how to run cvs over ssh :wink:
_________________
To thine own self be true.
Back to top
View user's profile Send private message
MrPyro
Tux's lil' helper
Tux's lil' helper


Joined: 14 Aug 2003
Posts: 121
Location: Sheffield, England

PostPosted: Fri Aug 15, 2003 11:58 am    Post subject: Reply with quote

dreambox said:
Quote:

Now, I would ask what the hell I did wrong ?
Code:


/> ls -l repository
drwxrwx---    3 cvs      admincvs     1224 May 22 20:21 CVSROOT

Something I don't understand : xinetd is running as root. When xinetd receives a login request it creates a cvs process with usercvs uid, right?
Since usercvs user is the owner of CVSROOT, it should normally have access to that directory!


I think the problem is that to import a new module, you need to write to CVSROOT, to add the new module to the modules file. In your setup, therefore, only admincvs can import a new module, but james or dreambox should be able to commit changes.
_________________
Back off man, I'm a computer scientist
Back to top
View user's profile Send private message
mog
Apprentice
Apprentice


Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]

PostPosted: Sat Aug 16, 2003 12:19 am    Post subject: mhh ... Reply with quote

I have followed your post pretty much as you said except for the fact that my repsitory is under /data/cvs/mog/ and the CVSROOT directory under /data/cvs/mog/CVSROOT/, however when I try to connect using either

Code:
cvs -d :pserver:guest@localhost/data/cvs/mog login


or

Code:
cvs -d :pserver:guest@localhost/mog login


it fist prompts me for a password (I just press enter cause guest maps to anoncvs) and then it tells me

Code:
/path/to/repository/ : no such repository

_________________
To thine own self be true.
Back to top
View user's profile Send private message
MrPyro
Tux's lil' helper
Tux's lil' helper


Joined: 14 Aug 2003
Posts: 121
Location: Sheffield, England

PostPosted: Sat Aug 16, 2003 6:07 am    Post subject: Reply with quote

I don't know if it's just a typo you've written on here, but there should be a colon between localhost and the path in that cvsroot definition
Code:

cvs -d :pserver:guest@localhost:/data/cvs/mog login

_________________
Back off man, I'm a computer scientist
Back to top
View user's profile Send private message
EvilCHELU
n00b
n00b


Joined: 24 May 2003
Posts: 5

PostPosted: Sat Aug 16, 2003 2:31 pm    Post subject: Reply with quote

mog:
check if you have the following in your /etc/xinetd.d/cvspserver file
Code:

server_args        = -f --allow-root=/data/cvs/mog pserver



mrpyro:
i found that it works without to column too, even tho the command syntax says it should be there
_________________
You'll Never Walk Alone.
Back to top
View user's profile Send private message
mog
Apprentice
Apprentice


Joined: 05 Jul 2003
Posts: 253
Location: Auckland [NZ]

PostPosted: Sun Aug 17, 2003 5:18 am    Post subject: Reply with quote

well I am not entirely sure as to what exactly happened, but I went through the procedure again ... and now ... I can logon ... weird ... but thx anyway

however, what I did now is that I created a new directory in the repository and tried to check it out while I am logged in ... but I get the following error

setuid failed: Operation not permitted

any idea where that could come from ... ???
_________________
To thine own self be true.
Back to top
View user's profile Send private message
orb9
Tux's lil' helper
Tux's lil' helper


Joined: 02 Sep 2002
Posts: 82
Location: Germany

PostPosted: Thu Aug 21, 2003 10:38 pm    Post subject: Reply with quote

to dreambox: :lol: superb post :wink:
to mog:I had some similiar problem. I got:
setgid failed: Operation not permitted

I found the source of trouble in /etc/xinet.d/cvspserver. Mine looked like this (watch user and group. in dreambox initial post user is root. mine was cvs)
Code:

service cvspserver
{
   disable      = no
   socket_type   = stream
   wait      = no
   user      = cvs
   group      = cvs
   log_type   = FILE /var/log/cvspserver
   protocol   = tcp
   env      = '$HOME=/home/cvs'
   log_on_failure   += USERID
   port      = 2401
   server      = /usr/bin/cvs
   server_args   = -f --allow-root=/home/cvs/repository pserver
}

So i changed user and group to root, restarted xinetd and was done :lol:

But i wanted to know, why this doesn't work with user cvs. Checked all permissions, they are all correct, everything in /home/cvs/ (i used this dir) belongs to cvs/cvs and all flags are set correctly.
So.. why it doesn't work with user cvs ?
_________________
"Without music, life would be a mistake - I would only believe in a god who knew how to dance." (Nietzsche)
Back to top
View user's profile Send private message
dreambox
Tux's lil' helper
Tux's lil' helper


Joined: 09 Mar 2003
Posts: 137

PostPosted: Mon Dec 15, 2003 5:22 pm    Post subject: Reply with quote

Sorry for being late to reply guys/gals. When I first posted this how-to, I used to check every day feedbacks but for some period nothing :oops: , and today by luck I was checking my posts and were very happy u liked it :D.

These last days I was reinstalling the whole gentoo, I'm gonna try cvs again but also subversion which they say is better... If someone succeed with cvs + ssh let me know please.
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Back to top
View user's profile Send private message
Thiemo
Tux's lil' helper
Tux's lil' helper


Joined: 20 Nov 2002
Posts: 138

PostPosted: Mon Dec 15, 2003 10:02 pm    Post subject: Re: Setting up a CVS pserver/xinetd step by step+security is Reply with quote

Hi,

thanks for post. I have a question regarding this perl script generating encrypted text.

dreambox wrote:
Code:

#!/usr/bin/perl
 
srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);
 
print "${crypttext}\n";



I have seen this snipped in a book and tried it out. However, feeding it with the very same term, I don't get the same output:
Code:
cvs@limbo  $ cryptout.pl test
jvvAuD7bpZwY2
cvs@limbo  $ cryptout.pl test
CiJOVUFmt6GEM
cvs@limbo  $ cryptout.pl test
ZBdG38ICoBHYo
cvs@limbo  $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo  $ cryptout.pl test
vuplQw/0Rp0dU
cvs@limbo  $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo  $ cryptout.pl test
SNOUEr6lAxJJg
cvs@limbo  $ cryptout.pl test
PgV8Kjke7flWE
cvs@limbo  $ cat bin/cryptout.pl
#!/usr/bin/perl

srand (time());
my $randletter = "(int (rand (26)) + (int (rand (1) + .5) % 2 ? 65 : 97))";
my $salt = sprintf ("%c%c", eval $randletter, eval $randletter);
my $plaintext = shift;
my $crypttext = crypt ($plaintext, $salt);

print "${crypttext}\n";


I cannot imagine, if the output is not reproducable, that it can be used to make passwords. Am I wrong?

Cheers

Thiemo
_________________
root ist die wurzel allen uebels
Back to top
View user's profile Send private message
dreambox
Tux's lil' helper
Tux's lil' helper


Joined: 09 Mar 2003
Posts: 137

PostPosted: Mon Dec 15, 2003 10:46 pm    Post subject: Reply with quote

I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light :roll:
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Back to top
View user's profile Send private message
Thiemo
Tux's lil' helper
Tux's lil' helper


Joined: 20 Nov 2002
Posts: 138

PostPosted: Mon Dec 15, 2003 11:50 pm    Post subject: Reply with quote

Hm, I checked with the command
Code:
passwd <passwordcheckuser>
and the entries in /etc/shadow also vary! 8O

I only can immagine that for password checks the encrypted password (as in /etc/shadow) gets "unencrypted" by some means and the different encrypted solutions to one password result always in the original. That seemed to me rather questionable. :oops:

Another possibility would be that there is some cool algorith and applying it on the different encrypted "versions" as well as on the original text results always in the very same "check sum". :roll:
_________________
root ist die wurzel allen uebels
Back to top
View user's profile Send private message
ocbMaurice
Tux's lil' helper
Tux's lil' helper


Joined: 14 Feb 2003
Posts: 83
Location: Switzerland

PostPosted: Tue Dec 16, 2003 1:14 am    Post subject: Reply with quote

Hello,

I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !

Anyway, I think I can answer you question according to the password. If I'm not wrong, the crypted password contains the salt as clear-text, so when it wants to match a given string, it will be crypted with the same salt and then the end-strings should be the same (hope that's correct). If I'm not wrong the salt consists of two letters.

Maurice
Back to top
View user's profile Send private message
dreambox
Tux's lil' helper
Tux's lil' helper


Joined: 09 Mar 2003
Posts: 137

PostPosted: Tue Dec 16, 2003 3:06 pm    Post subject: Reply with quote

rand(26) = a random integer between 0 and 26
rand(1) = 0 or 1

In my opinion ( Don't flame my ignorance :roll: ), It seems that we can obtain 27 * 2 = 54 possible encryptions of the same passwd. The crypt function probably uses a hash function like MD5. I beleive that we can't find out the text clear password, the algorith compares hash results.

Anyway these are my 2 cents theories, if someone knows what's going behind the scene, let us know... :D

regards
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Back to top
View user's profile Send private message
ocbMaurice
Tux's lil' helper
Tux's lil' helper


Joined: 14 Feb 2003
Posts: 83
Location: Switzerland

PostPosted: Tue Dec 16, 2003 8:34 pm    Post subject: Reply with quote

I think you understood me wrong ! I'm now 99% sure it is the way I meant :

I'll give a simple example :

Code:
$ perl -e 'print crypt("password", "sa"), "\n"'
sa3tHJ3/KuYvI
$ perl -e 'print crypt("password", "sn"), "\n"'
snf3JLX29OeF6
$ perl -e 'print crypt("password", "xyz"), "\n"'
xyAjYtmfRYx/.


So the salt that is used to encrypt the string is included as clear-text in the encrypted string. Therefore we later can do the same encryption. I personally often calculate the salt from the given password and cut the first two chars away from the encrypted string (that works just with my software, not on linux in general!). But not sure if it is more secure. The salt of course can also be randomly created.

Anyway, back to the cvsd setup. I actually managed to get it working quite easily with gentoo 1.4. I will summarize what I did :

Code:
emerge -u cvsd

* note: this will install cvs and cvsd plus a few tools we'll need later. This way we do not need xinetd. It also creates a system user cvsd and a config file under /etc/cvsd/cvsd.conf. I'll do the rest so it fits the default configuration. You simply _should_ be able to adjust the paths properly.

Code:
$ cvsd-buildroot /var/lib/cvsd/
$ mkdir /var/lib/cvsd/rep
$ cvs -d /var/lib/cvsd/rep init
$ chown cvsd. /var/lib/cvsd -R


Now we need to tell the cvsd config what repositories we use (the directories we created and inited, remember that cvs-server will run in a chroot-jail and therefore we need to reference from this root-point).

Code:
$ echo "Repos /rep" >> /etc/cvsd/cvsd.conf


Setting up the users for cvs can be done in two ways. You simply could edit etc/passwd, etc/group and maybe etc/shadow within the chroot-jail to get the users working. I recommend to only use the virtual user file and to disable the system-users for cvs completely. Altough one could say it doesn't make much difference in a chroot-jail where the /etc/passwd file is kept to a mimimum anyway. Anyway, IMHO this approach is much cleaner. To do it that way :

Code:
$ nano -w /var/lib/cvsd/rep/CVSROOT/config


There you should uncomment the second line (thxs to
dreambox for this info), so it does look like

Code:
SystemAuth=no


To manage the users for your cvs-repository you should use the cvsd-passwd utility (which hopefully has been installed by cvsd too) :

Code:
$ cvsd-passwd /var/lib/cvsd/rep/ +maurice +anoncvs +cvs


At this stage it seems that every user you created so far has read/write access. To setup the proper security model, we will create/edit the readers and writers file within the CVSROOT of our repository.

Code:
$ echo "cvs" >> /var/lib/cvsd/rep/CVSROOT/readers
$ echo "anoncvs" >> /var/lib/cvsd/rep/CVSROOT/readers

$ echo "maurice" >> /var/lib/cvsd/rep/CVSROOT/writers


You should of course change the username maurice to your own :-) Also feel free to add more users, it should be clear how to do this (add passwd and add to readers or writers). You should know, that it is a bad idea to have a username in writers and in readers. Seems you'll then just get read permission !

To test your newly configured server I recommend to start cvsd in debug mode once, to do so enter

Code:
$ cvsd -d


On a different console/pc you then can try to login :

Code:
$ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********

cvs login: warning: skipping invalid entry in password file at line 1


The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should. Now you simply need to install the cvsd rc-script (use rc-update) to get your cvs server started at boot time. Hope you also got that far and if yes, or no, let us know ! I'll now have a look at ssh logins ...

Maurice


Last edited by ocbMaurice on Mon Jan 12, 2004 5:55 pm; edited 1 time in total
Back to top
View user's profile Send private message
dreambox
Tux's lil' helper
Tux's lil' helper


Joined: 09 Mar 2003
Posts: 137

PostPosted: Wed Dec 17, 2003 3:23 pm    Post subject: Reply with quote

ocbMaurice wrote:
Hello,

I also have some problems setting up the cvs server. I'm also stuck at the "setgid/stuid error" which is quite strange and more annoying is that cvs doesn't show exactly what it wants to setgid !?? So far I found out that it has to do with the passwd/group file under the chroot jail. I was able to convert a "setgid" error to a "setuid" error ... but I defenately do not want to run cvs as root !
Maurice


Try this

Code:

service cvspserver
{
        disable            = no
        socket_type    = stream
        wait                = no
        user                = cvs
        group              = cvs
        log_type          = FILE /var/log/cvspserver
        protocol          = tcp
        log_on_failure  += USERID
        port                = 2401
        server             = /usr/bin/cvs
        server_args     = -f --allow-root=/home/cvsroot pserver
}


Code:

chmod 2755 /usr/bin/cvs


The chmod gives the application set gid permissions

Hope it helps
_________________
Toshiba Tecra 8200
PIII 750Mhz 512Mb 20Gb Hdd
Trident CyberBladeXP 16Mb

Windows Where do you want to go today? MacOS Where do you want to be tomorrow? Linux Are you coming...
Back to top
View user's profile Send private message
sankeld
n00b
n00b


Joined: 03 Oct 2002
Posts: 9

PostPosted: Thu Dec 18, 2003 8:44 am    Post subject: cvs+ssh Reply with quote

Using CVS with SSH is much easier than using it with a pserver. As long as you have a ssh deamon running[1], a remote user may simply do:

export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'

And that's it! All the cvs commands should work as expected.

One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.

A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/

A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html

[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.

[2] More information on that can be found here:
https://forums.gentoo.org/viewtopic.php?t=115096
Back to top
View user's profile Send private message
Squinky86
Retired Dev
Retired Dev


Joined: 25 Mar 2003
Posts: 309
Location: Alabama, USA

PostPosted: Fri Jan 02, 2004 8:25 pm    Post subject: Reply with quote

dreambox wrote:

Code:

chmod 2755 /usr/bin/cvs


The chmod gives the application set gid permissions

Then wouldn't
Code:

chmod 4755 /usr/bin/cvs

solve the set uid problems?
_________________
Me
Back to top
View user's profile Send private message
discostu
Guru
Guru


Joined: 01 Nov 2002
Posts: 333

PostPosted: Tue Jan 13, 2004 10:54 pm    Post subject: Reply with quote

I followed your instructions and was able to login, but I got an error when doing an import
Code:
$ cvs import -m "My initial project message" testproj mycompany start
cvs import: cannot make path to /var/cvsroot/testproj: Permission denied
cvs import: Importing /var/cvsroot/testproj/testproj
cvs import: ERROR: cannot mkdir /var/cvsroot/testproj/testproj -- not added: No such file or directory
 
No conflicts created by this import


Thanks :)
_________________
"Disco Stu doesn't advertise."
Back to top
View user's profile Send private message
NiklasH
Apprentice
Apprentice


Joined: 30 Aug 2002
Posts: 211
Location: On top of something

PostPosted: Tue Jan 13, 2004 11:01 pm    Post subject: Re: cvs+ssh Reply with quote

sankeld wrote:
Using CVS with SSH is much easier than using it with a pserver. As long as you have a ssh deamon running[1], a remote user may simply do:

export CVS_RSH='ssh'
export CVSROOT='ext:user@someplace.net:/home/cvsroot'

And that's it! All the cvs commands should work as expected.

One can free up the coder from typing passwords all the time using ssh-agent and ssh-add with public/private keys[2]. If it works with ssh itself, it will work with cvs.

A great resource on CVS can be found at
http://av.stanford.edu/books/cvsbook/

A great resource in general is
http://www.freeprogrammingresources.com/miscbook.html

[1] Check to see that 'ps aux | grep sshd' shows a process called /usr/sbin/sshd. If it doesn't, do a `emerge ssh` and a `rc-update add sshd default`. To start the daemon without a reboot do a `/etc/init.d/sshd start`.

[2] More information on that can be found here:
https://forums.gentoo.org/viewtopic.php?t=115096


Yes, ssh is a piece of cake to set up (well, almost... )
I was beginning to feel I was missing something, since I didn't have those kinds of trouble setting up our ssh CVS server...
But your post calmed me! :lol:
_________________
Banana Republic
Back to top
View user's profile Send private message
daoist
n00b
n00b


Joined: 14 May 2003
Posts: 28

PostPosted: Sun Feb 29, 2004 4:22 am    Post subject: Reply with quote

dreambox wrote:
I got the perl script from internet. This algorithm is the same to generate /etc/passwd, but i still don't know how user password is checked to validate it... If someone could give us some light :roll:
Two things go into the password, the cleartext and the salt. when you make the password in the first place it randomly chooses a salt, and it stores the salt as the first two characters of the password.

To check passwords the system takes the password the user typed, encrypts it using the salt from the encryped password stored on disk, and they should match. If so, that's a success, if not, that's a failure.

Note that at no time during this procedure is the password stored in the file ever decrypted. It's really really hard to decrypt.
Back to top
View user's profile Send private message
hw-tph
l33t
l33t


Joined: 08 Jan 2004
Posts: 768
Location: Uppsala, Sweden

PostPosted: Sat May 15, 2004 11:16 am    Post subject: Reply with quote

ocbMaurice wrote:
Code:
$ cvs -d :pserver:maurice@localhost:/rep login
Logging in to :pserver:maurice@localhost:2401/rep
CVS password: **********

cvs login: warning: skipping invalid entry in password file at line 1


The only last "problem" is the last warning which really seems just a warning as the rest seems to work as it should.


To resolv this error message simply check out the passwd file and add a blank line after the last entry (so the file ends with a blank line), save the file and commit. Done. :)


Håkan
Back to top
View user's profile Send private message
crafteh
n00b
n00b


Joined: 30 Mar 2004
Posts: 29

PostPosted: Thu Feb 10, 2005 6:07 am    Post subject: Reply with quote

I followed the tutorial but I can not access the cvs from another computer. I'm trying to view a list of projects in eclipse but it says Socket Exception: Connection reset. I started up xinetd... what else do I need to do to get it to work over a network?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum