ext-to-pserver SSL bridge for CVS




Hosted by:

Project page
Write me

This is the ccvssh package. It works as a bridge to remote CVS pservers using SSL tunneling.

How CVS pserver works
The usual CVS setup looks like this:
CVS, the usual pserver setup
This is the way you use when you connect to your favorite Sourceforge or GNOME repository. It is fine for anonymous access but it is obviously insecure for authenticated access or access with write priviledges.
How pserver method can be secured
There are few ways to secure your CVS access:
sslserver method introduced by CVS SSL patch (only client, server is secured via SSL tunnel) + works fine, I have been using it for years
- not supported any more, won't patch against latest versions of CVS
- you need to recompile your client
chrooted pserver + ssh + can be fairly secure (have no personal experience)
- complex setup
ext method with CVS_RSH=ssh - requires shell accounts
cvssh + nice approach, uses ext method and SSL tunnel; this code inspired ccvssh
+ no need to recompile your client CVS binary
+ has very nice homepage that will help you understand how cvssh and ccvssh work, definitelly worth seeing
+ should run on Windows, too (is that an advantage? :)
- written in Python, slow and hangs up occasionally
How ccvssh works
ccvssh (as well as cvssh) uses the ext method. CVS invokes ccvssh that will secure the channel between client and server by the means of SSL tunnel. On the server side stunnel accepts connection and forwards it to the pserver method of CVS server.
CVS with ccvssh
Where do I get it?
See the SourceForge project homepage.
How do I set it up?
First of all, you have to compile and install ccvssh. It's the usual sequence:
tar xvzf ccvssh-VERSION.tar.gz
cd ccvssh-VERSION
make install
  1. Install and run stunnel on the server side. I recommend port 2405, this convention was introduced by CVS SSL patch.

    Making it run should be as easy as putting the following line to your startup scripts (assuming cvs pserver is running on port 2401, see CVS manual):

    /path/to/stunnel -d 2405 -r 2401 -p /path/to/pemfile -P /path/to/pidfile
  2. Set your environment variables on the client side:
    export CVSROOT
    export CVS_RSH
  3. Log in:
    ccvssh login
  4. Use CVS as you are used to, e.g.
    cvs co module
What if I want other information about how it works?
You should see the wonderful cvssh homepage. Or read the source, it's not long.
Can I help?
Yes, you can! Look for strings TOFIX or TODO in the code. There are still few things to do :)
Contact information
See the homepage or write to me.
Jan Fedák, 2002