UBUNTU - CHROOTED ANONCVS SETUP

Description
~~~~~~~~~~~
This paper describes how to set up a chrooted account on your Ubuntu server
to provide anonymous ssh access to your CVS repository. Note that the general
course of action may be applicable to other Linux distributions and operating
systems as well, but I haven't tried.

Disclaimer
~~~~~~~~~~
Only perform the following instructions if you know what you are doing.
Be aware that following the procedures outlined in this document may affect
the stability and/or security of your system. Use the information provided by
this document at your own risk.

Setup
~~~~~
STEP 1) Download, compile and install the anoncvssh shell.

  $ curl http://www.openbsd.org/anoncvs.shar | sh
  $ gcc -o anoncvssh anoncvssh.c
  # install -m 4111 anoncvssh /usr/local/bin/
  # echo /usr/local/bin/anoncvssh >> /etc/shells

Mode 4111 makes the binary setuid and execute-only. Installed as root, it runs
with root privileges, which the chroot call requires.

In the downloaded shell archive, there is a README file targeted to OpenBSD
users, but it is worth reading nonetheless.

STEP 2) Add the anoncvs user and create the chroot environment.

  # adduser --shell /usr/local/bin/anoncvssh --disabled-password anoncvs
  # debootstrap $(lsb_release -sc) ~anoncvs/
  # chroot ~anoncvs
  chroot# apt-get update && apt-get install cvs
  chroot# exit
  # grep '^anoncvs:' /etc/passwd >> ~anoncvs/etc/passwd
  # grep '^anoncvs:' /etc/shadow >> ~anoncvs/etc/shadow
  # mkdir ~anoncvs/cvs

STEP 3) Create a cron script to keep the tree up to date.

  # cat <<EOF >/etc/cron.hourly/sync-anoncvs
  > #!/bin/sh
  > rsync -rtv --delete --exclude '#cvs.*' /cvsroot/ ~anoncvs/cvs/
  > EOF
  # chmod a+x /etc/cron.hourly/sync-anoncvs
  # sh /etc/cron.hourly/sync-anoncvs

The script is named without a .sh suffix because run-parts, which cron uses
for /etc/cron.hourly on Debian and Ubuntu, skips file names containing a dot.

STEP 4) Put the following lines at the top of /etc/pam.d/common-auth

  auth [success=ignore default=1] pam_succeed_if.so user = anoncvs
  auth [success=2 default=1] pam_unix.so nullok

In Ubuntu 10.10, login with an empty password is forbidden by default. These
lines allow the user anoncvs (and only the user anoncvs) to log in without a
password.
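
How the two lines above route a login through the auth stack, as an added example that is not part of the original document: a small Python model of the jump controls. The three trailing stack entries (a stock Ubuntu common-auth), the sample accounts and the plain-string password comparison are assumptions made for illustration.

```python
# Added example: model of the PAM "auth" stack after STEP 4. Nothing is really
# authenticated; passwords are compared as plain strings (assumption).
STACK = [
    # (module, action on success, action on any other result)
    ("pam_succeed_if user=anoncvs", "ignore", 1),   # STEP 4, line 1
    ("pam_unix nullok", 2, 1),                      # STEP 4, line 2
    ("pam_unix nullok_secure", 1, "ignore"),        # assumed stock line
    ("pam_deny", "die", "die"),                     # assumed stock, requisite
    ("pam_permit", "ok", "ok"),                     # assumed stock, required
]

# Constructed sample accounts: "" means an empty password field.
SHADOW = {"anoncvs": "", "alice": "s3cret", "bob": ""}


def module_result(index, user, password):
    """Return True if the module at STACK[index] would succeed (simplified)."""
    matches = SHADOW.get(user) == password
    if index == 0:
        return user == "anoncvs"
    if index == 1:
        return matches                      # nullok: empty password accepted
    if index == 2:
        return matches and password != ""   # over ssh: empty password refused
    return index == 4                       # pam_deny fails, pam_permit succeeds


def trace(user, password):
    """Walk the stack; return (modules that ran, whether login is granted)."""
    ran, i, granted = [], 0, False
    while i < len(STACK):
        name, on_success, on_other = STACK[i]
        ran.append(name)
        action = on_success if module_result(i, user, password) else on_other
        i += 1
        if action == "die":        # requisite failure ends the stack at once
            return ran, False
        if action == "ok":
            granted = True
        elif isinstance(action, int):
            i += action            # numeric action: skip the next N modules
    return ran, granted


if __name__ == "__main__":
    for user, pw in [("anoncvs", ""), ("bob", ""), ("alice", "s3cret")]:
        print(user, *trace(user, pw))
```

In this model bob, whose password field is also empty, never reaches the nullok module and ends at pam_deny.
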
Set the "PermitEmptyPasswords yes" option in your sshd config to allow
passwordless logins via ssh.

  # /etc/init.d/ssh restart

STEP 5) Test your setup

  $ cvs -danoncvs@localhost:/cvs checkout yourmodule

Congratulations! You now have your own AnonCVS server.

Author
~~~~~~
Martin Natano

Links
~~~~~
Web: http://www.natano.net/

$Id: ubuntu-anoncvs.txt,v 1.5 2011-02-15 18:42:23 natano Exp $