Closed Bug 58251 Opened 25 years ago Closed 21 years ago

make cvs-over-SSH access easy to use and encourage conversion

Categories

(mozilla.org Graveyard :: Server Operations, task, P3)

Product:
mozilla.org Graveyard
Component:
Server Operations
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: dmosedale, Assigned: myk)

References

Details

The sourceforge folks have some already setup packages, at least from windows, for using CVS-over-SSH. We should test those out and perhaps link to them. This depends on despot supporting user-management of this sort.
Status: NEW → ASSIGNED
Depends on: 58246
There now appears to be a Mac client that supports portforwarding at <http://www.macssh.com>. Thanks to Ben Bucksch for the pointer. We need to test this with MacCVS.
Mass reassign of mozilla.org infrastructure bugs, as I'm switching groups to work on LDAP integration in Mozilla full-time.
Assignee: dmose → endico
Status: ASSIGNED → NEW
teratermpro w/ ttssh supports port forwarding for windows.
Keywords: helpwanted
This would be very nice to have and is fairly easy to setup. The main disadvantage is that every user with cvs access needs to have an account on the cvs server. You don't need to run pserver or any other daemons except for ssh. At least this is how the openbsd guys do it. Then you just export CVSROOT=user@cvsserver:/cvsroot and CVS_RSH=/usr/bin/ssh and it works like normal except it is using ssh to encrypt it. It is also possible to have anoncvs over ssh also using a chrooted shell that the OpenBSD guys wrote for that purpose. I've got this working on my box btw, with the oopsbot/mozbot source code available over ssh.
Dawn: could the work for this be done at the same time that we upgrade the CVS server? Gerv
timeless wrote: wincvs + ssh: <http://minimal.cx/wincvsssh.php> mac(classic)cvs + ssh: <http://sourceforge.net/docman/display_doc.php?docid=2973&group_id=1> ^ url subject to change. IMO, we should just mandate CVS over SSH, getting rid of write access using pserver. Just a few revealed passwords are enough...
FYI, you can even do that without giving the users a full shell on the server! http://bugzilla.mindrot.org/show_bug.cgi?id=479 Perhaps you want to add a description of this to http://www.mozilla.org/README-cvs.html? (David is the zzh.c there the OpenBSD shell you are referring to or do you have any other links for that?) I support David's idea to also offer anoncvs over ssh: How about making this possible and documenting it in http://www.mozilla.org/cvs.html? P.S.: Astonishingly, one neighbouring community wasn't particularly receptive to the idea of them promoting to progress from "privacy as an exception" to a "privacy by default" priniciple even though it is already working there (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16601). Others appear to be one step ahead http://www.openbsd.org/anoncvs.html.
The source and instructions for anoncvs over ssh: http://www.openbsd.org/anoncvs.shar Also the paper: http://www.openbsd.org/papers/anoncvs-paper.ps
a password-less approach to also consider is described in http://kitenet.net/programs/sshcvs/ (probably needs a second login (e.g. anoncvs_nopass) - suggestion: provide this option too and document it in http://www.mozilla.org/cvs.html).
Since all the comments here seem to be about implementation of the server, I just thought I would point out (to head off any additional comments on the subject) that our server is already set up to be able to handle this (and there's a select few people set up for it already), but we can't encourage widespread use of it until we have an easy way to handle user management (like letting you upload your own ssh key to despot and having infrastructure on the cvs server to allow despot to create, rename, and destroy ssh accounts). Right now a shell account with anoncvssh has to be set up manually by a sysadmin, and we're not going to do that for thousands of users. :) So this bug is basically auto-fixed when bug 58246 is resolved. If someone wants to hack on despot for us, please do. :) Removing helpwanted keyword here, since bug 58246 has it, and that's where the help is actually needed.
Keywords: helpwanted
QA Contact: myk
*** Bug 175133 has been marked as a duplicate of this bug. ***
Assignee: endico → mitchell
No longer depends on: 58246
QA Contact: myk → mitchell
err.. I guess reassign to default works better if it's in the right component. :)
Assignee: mitchell → myk
Component: Miscellaneous → Server Operations
QA Contact: mitchell → justdave
Despite the lack of despot support for it, this has already been done. Getting despot support will cover the "easy to use" part.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.