Intevation » FreeGIS » GRASS » CVS server » CVS write access (Howto)

GRASS CVS write access with ssh -- HOWTO

Write access to the server is granted to everyone actively coding or helping with documentation in the project (please talk to the development manager). If you are granted access, follow the instructions.

We use using ssh (version 1 or 2) to transfer files to and from the server. Follow these steps:

Mail IP address(es) and public ssh key

If you already have a ssh keypair and still remember the keyphrase, mail the public part to the CVS administrator(s). At time of writing this is Bernhard Reiter, see email address below on this page or the admins at Intevation, if Bernhard is not available. The public key part is usually in the "~/.ssh/identity.pub" or "~/.ssh/id_dsa.pub" file

Otherwise create a fresh personal ssh keypair. E.g. use the ssh-keygen of the openssh package, like "ssh-keygen -t dsa" or consult its manual page. This will create a ssh version 2 DSA keypair.

Also mail the IP or IPs you will use to connect to the server. The server administrator will use them to further restrict access. If you do not have a fixed IP or domain name you also also send the range of IPs you might get in case of a dynamic IP or the IP(s) your ISP uses for masquerading. This raises the security level in cases your secret key gets stolen, but it is not mandatory.

Configure CVS options

The GRASS CVS server uses an unusual port number. There are two methods to solve this. Choose one.

Use ssh configuration options (alternative 1)

This method is reported to work with modern openssh versions. (Check your ssh manpage about what your ssh can do. For openssh: ssh -V and man ssh_config should inform you. We use OpenSSH_3.5p1 at time of writing (Feb 2003).)

Just create an alias name for the GRASS CVS hostname and make openssh use the right port for it. E.g. add the following to your ~/.ssh/config: (Uncomment the last line if you use an old ssh1 key with modern openssh.) 

Host grasscvs
	HostName cvs.intevation.de
	ForwardX11 no
	ForwardAgent no
	Port 2402
        #Protocol 1
Now use this alias for the CVSROOT and specify ssh (without using a wrapper), e.g. in bash: 
    export CVSROOT=:ext:yourcvsid@grasscvs:/grassrepository
    export CVS_RSH=ssh

Use an ssh wrapper (alternative 2)

A little shell script can call ssh with the right port number from cvs. Write the following lines in a file somewhere.
Example filename: "ssh2402" 
    #!/bin/sh
    ssh -p 2402 $*
(Use "-1" as option to ssh if you are using an ssh1 key with a modern openssh.)

Make sure that you can execute it: 

    chmod u+x ssh2402

Hint: You can also place this file in any subdirectoy or use a hidden file name (starting with a dot under unix).

Point CVS to the server and tell it to use the wrapper. Setting the environment variables is one possibility. It depends on your shell. This is the example for bash: 

    export CVSROOT=:ext:yourcvsid@cvs.intevation.de:/grassrepository
    export CVS_RSH=/home/yourname/.ssh2402

Note that you need to give the full path to the shellscript for CVS_RSH. "yourcvsid" is the example user id, please use the user id the server administrators issued for you.

CVS hints

Hint: We usually place setting the CVSROOT and CVS_RSH in a little file e.g. "setgrasscvs" and source it, when we plan to use CVS. Sourcing is done by the dot command in bash like: 
	. setgrasscvs

Remember that CVS uses the EDITOR (and maybe the VISUAL) environment variable to call your favourite editor like many unix commands. Therefore you can change the editor used with these environment variables.
Example: 

    export EDITOR=joe

You may want to start the ssh-agent once per computer session and give it your secret ssh RSA key so you do not need to enter the passphrase each time.
Example: 

    eval `ssh-agent` 
    ssh-add
Enter your passphrase, ssh-add should respond with "Identity added...".

Run "cvs"

If everything went okay you should be able to run "cvs" as if your were local.

Now try to check out the README file to see if it works: 

    cvs checkout grass6/README

and enjoy SSH-CVS.

Troubleshooting

Well check your network connection first. :) Can you still reach http://intevation.de? Check what cvs is doing, by utilising the "-t" flag: 
    cvs -t checkout grass6/README
This command should use the right server and port as configure with one of the methods above. If it fails, check the debug output of ssh: 
	echo version | ssh -v -p 2402 cvs.intevation.de -l yourcvsid
It should connect and give you the version number of the cvs server. (Try adding the "-1" protocol flag to ssh, if you have a modern openssh and a version 2 key around but want to use the version 1 key.)

Include the output of these cvs and ssh test commands if you report difficulties and you do not have a more specific idea about the area of the problem.

Cannot checkout or add files

Remember to use the ssh-cvs method exclusively now. Stop using the pserver readonly access. Mixing both methods in the same directories is a problem. You need to checkout at least the directory you want to work in with write access in a clean spot on your local computer.

Implementation notes

Because the sshd running for GRASS is working in a chroot() environment, it also uses a different public key. So do not be alarmed if you get a warning from ssh when you connect and tried to connect to the same grass server using ssh before.

X11 forwarding and agent forwarding is turned off on the server side. Warnings about this can be ignored.

Bernhard Reiter <bernhard@intevation.de>