[cvsnt] Re: :sserver: setup.
Mike Wake
mike.wake at thales-tts.com
Fri Jul 8 17:03:16 BST 2005
Tony Hoyle wrote:
> Mike Wake wrote:
>
>> <quote from http://www.cvsnt.org/wiki/InstallationLinux>
>> In addition to these steps, the /etc/cvsnt/cert.pem file must be made
>> available to the clients.
>> </quote>
>
>
> That's really a bit misleading - the ca.pem is installed as part of the
> standard installation and editing ca.pem isn't usually necessary.
>
>> How is this to be done. Do I have to manually edit the ca.pem file
>> /usr/local/lib/cvsnt/ca.pem ?
>
>
> Not really, unless you're using your own CA. All the standard ones are
> in there already. If you're running your own CA just replace it with
> the CA certificate file (no need to keep the others).
>
> If you're using selfsign certificates you don't need to change it either
> (it should exist, but it's not used in that case).
>
> The genkey program will compile under Unix and that'll make a working
> selfsign certificate for simple uses.

I really have to do some research into this. I don't have much of a
clear idea of what you are talking about. Good thing I am behind a
couple of corporate firewalls as well as the one running on my server.

...some research later

Here is what I can decipher from the above and hence what I have
subsequently tried.

...later still

This started out being a bunch more questions but I think I have worked
it out, well got it working at least. (There are some questions at the
bottom.)

I found the genkey program you were talking about in the source
distribution.
I compiled it using make.
I ran it as root by typing

    ./genkey /etc/cvsnt/cvsnt-default.pem

I noted that the /etc/cvsnt/PServer.sample file contains this

    #
    # CertificateFile PEM certificate for use with sserver
    # PrivateKeyFile PEM certificate for use with sserver
    #
    #CertificateFile=/etc/cvsnt/cert.pem
    #PrivateKeyFile=/etc/cvsnt/key.pem

On Windows it looks like the "C:/Program Files/cvsnt/cvsnt-default.pem"
gets generated using genkey and both registry entries CertificateFile
and PrivateKeyFile point to this file.

Therefore I changed the directives in /etc/cvsnt/PServer to

    CertificateFile=/etc/cvsnt/cvsnt-default.pem
    PrivateKeyFile=/etc/cvsnt/cvsnt-default.pem

    sudo ls -l /etc/cvsnt/default-cvsnt.pem
    -r-------- 1 root root 1600 Jul 8 15:05 /etc/cvsnt/default-cvsnt.pem

To prove that it works
I set up a MuckAround repository

    cvs -d :local:/home/cvsuser/CVSREPOS/MuckAround init

I created a CVSROOT/admin file containing my username, cvsuser.

    echo "username" > /home/cvsuser/CVSREPOS/MuckAround/CVSROOT/admin

with a blank line on the end for good measure.

    echo "" >> /home/cvsuser/CVSREPOS/MuckAround/CVSROOT/admin

I checked out the CVSROOT/config file

    cd ~
    mkdir work
    cd work
    cvs -d :local:/home/cvsuser/CVSREPOS/MuckAround co CVSROOT/config

I edited the CVSROOT/config file and changed SystemAuth to No

    SystemAuth=No

(Note: You may not have to, or want to do this. The reason I did is
that I want to login to a cvsnt server that is running on a WinXP box
which is in a firewalled but poorly setup workgroup and not a domain. I
am in a domain and have been unable to get sspi working. I don't want
to use pserver and getting ssh working on windows looks like too much
hard work. ....Silly me thought that I might as well experiment first
with my Linux server to iron out any problems.)
Anyway...
cd ~/work/CVSROOT/
cvs commit config
Now to set up a user and a passwd

    cvs -d :local:/home/cvsuser/CVSREPOS/MuckAround passwd -a cvsuser
    Adding user cvsuser
    New password: **********
    Verify password: **********

Now set up /etc/xinetd.d/cvsnt

    service cvspserver
    {
        disable = no
        socket_type = stream
        wait = no
        user = root
        group = root
        log_type = FILE /var/log/cvspserver
        env = 'HOME=/home/cvsuser/CVSREPOS'
        passenv = PATH
        server = /usr/local/bin/cvs
        server_args = authserver
    }

And in /etc/cvsnt/PServer

    Repository0=/home/cvsuser/CVSREPOS/MuckAround
    Repository0Name=/MuckAround

And restart xinetd

    /etc/init.d/xinetd restart

Now prove that I can login using pserver (Don't worry I will remove that
protocol soon)

    cvs -d :pserver:cvsuser@localhost:/MuckAround login
    Logging in to :pserver:cvsuser@ttscvs01:2401:/MuckAround
    CVS password: **********

No error messages means it worked.

Now prove it worked with :sserver.

    cvs -d :sserver:cvsuser@localhost:/MuckAround login
    Logging in to :sserver:cvsuser@ttscvs01:2401:/MuckAround
    CVS password: **********

No error messages means it worked.
YAY!!!!

.Questions........................
Now is this correct, secure?
Should I really split the cvsnt-default.pem file into cert.pem and key.pem?
Where does self signing a certificate come into this?
Where does ca.pem come into this for that matter?
>> If I get this going I promise to update the InstallationLinux
>> instructions for :sserver: on the Wiki. Tony can you please enable my
>> account, MikeWake, with write access.
>>
> Already have done.
I still can't edit InstallationLinux
I have logged out.
closed my browser.
Logged back in.
Successfully changed some of my user preferences.
But when I try to edit the InstallationLinux page I get
a "You are not allowed to edit this page."
Cheers
Mikew
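
Added example, not part of the original message: a combined PEM such as the cvsnt-default.pem written by genkey holds the private key next to the certificate, so only a certificate-only copy is suitable for handing to clients. The sketch below splits such a file and checks the result; the function names and the sample PEM (placeholder bodies, not real key material) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): split a combined PEM into a
# certificate file for distribution and a key file that stays on the server.

# Constructed sample: placeholder bodies, not real key material.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

# pem_has_key FILE: succeeds if FILE holds any private key block.
pem_has_key() { grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# mode_of FILE: permission bits in octal (GNU stat, then BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# split_pem COMBINED CERT_OUT KEY_OUT
split_pem() {
    old_umask=$(umask)
    umask 077                  # key file is never group/world readable, even briefly
    rm -f "$2" "$3"
    : > "$2"; : > "$3"
    awk -v cert="$2" -v key="$3" '
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/   { out = cert }
        out != ""                        { print > out }
        /^-----END /                     { out = "" }
    ' "$1"
    umask "$old_umask"
    chmod 0444 "$2"            # certificate: may be given to clients
    chmod 0400 "$3"            # private key: owner read only
    # Reject a split where key material reached the public file or a half is missing.
    if pem_has_key "$2" || ! pem_has_key "$3" || ! grep -q 'BEGIN CERTIFICATE' "$2"; then
        rm -f "$2" "$3"; return 1
    fi
}

# Demo in a scratch directory.
d=$(mktemp -d)
write_sample_pem "$d/cvsnt-default.pem"
split_pem "$d/cvsnt-default.pem" "$d/cert.pem" "$d/key.pem" &&
    echo "cert.pem mode $(mode_of "$d/cert.pem"), key.pem mode $(mode_of "$d/key.pem")"
rm -rf "$d"
```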