cvssh:
a secure bridge
for cvs pservers

by Michal J Wallace
of Sabren Enterprises, Inc
0121.2002

cvssh at a glance

The cvs pserver option is a useful but insecure tool for managing cvs repositories. Most approaches to securing cvs either involve ssh tunneling or avoid pserver altogether. The cvssh program offers a third alternative, which combines the simplicity of ext on the client with the flexibility of a pserver-based repository.

background

This all started while I was researching cvs security for my company's cvs hosting plans. I decided to use a secure pserver, or password authenticating server. I like pserver because it lets each repository have its own set of users, and those users don't need to have their own shell accounts on the server.

There are actually several other ways to access cvs:

The ext method is interesting, because it lets you specify an external program for connecting to the repository. By default, that program is RSH (remote shell), but usually, people change this to ssh (secure shell) because it encrypts your data as it moves across the net.

A basic pserver setup has no encryption, which is one reason it's insecure. Most schemes to secure pserver involve setting up ssh to listen on the local cvspserver port (2401) and securely forward connections to the cvspserver port on the real server. This is called tunnelling.

The tunnelling concept is a good one, but it can be somewhat confusing for users to set up, and it still requires at least one shell account to work.

I wanted something that would be simpler for my customers to set up, so I came up with my own tunnelling scheme that does not rely on ssh port forwarding.

how it works

The cvssh concept is pretty simple. In fact, the initial implementation took less than 200 lines of python code - most of it comments. Here's an step-by-step walkthrough of the system, following the above diagram from left to right:

1. The developer logs in: cvssh user@remotesystem:/cvsroot login
2. cvssh prompts the developer for a password, tests it against the server (by logging in and trying it), and either prints an "ACCESS DENIED" message or saves the password to ~/.cvspass
3. The developer sets his or her CVS_RSH environment variable to cvssh
4. He or she then runs cvs -d:ext:user@remotesystem:/cvsroot (command)
5. cvs starts "cvssh -l user remotesystem cvs server" as a child process
6. cvssh reads the password from ~/.cvspass.
7. cvs, duped into thinking it has connected to a real cvs server instance, sends cvssh the command Root /cvsroot.
8. At this point, cvssh has everything it needs to connect to the pserver. It opens an SSL connection to remotesystem on the cvssh port.
9. The remote machine has stunnel listening on that port.
10. When stunnel receives the connection, it runs cvs pserver and connects its input and output to the socket connection from the developer's machine.
11. cvssh can now talk securely to the pserver process.
12. cvssh sends the pserver login information as if the developer had actually typed -d:pserver:... instead of -d:ext:...
13. The pserver either accepts or rejects the credentials.
14. If the credentials are rejected, cvssh terminates with an "ACCESS DENIED" message.
15. Otherwise, the developer's cvs instance and the remote cvs pserver instance can now communicate freely. cvssh simply relays their messages until the transaction is complete.

download

Version 0.3 is written in python and should run on any platform that python supports.

For whatever reason, on win32, cvs -d:ext: requires that your CVS_RSH be an *.exe file. At least, my version did... So the distribution includes a precompiled cvssh.exe made with py2exe. (It's in the dist/cvssh/ directory, along with its required files.)

download cvssh-0.3.zip

Note: This is alpha software!!! I have been using 0.3 for my own development projects. The only problem I've had is that it occasionally hangs on "cvs diff".... Having said that, this code has not been extensively tested. Use with caution!

WARNING: the previous version, 0.2, had some bugs in the routines that handled .cvspass, and it would corrupt this file, possibly deleting all your saved passwords. Nothing catastrophic, but definately annoying. 0.3 fixes the problem.

help wanted

The best way to help would be to try it out and see how it works (preferably on a test repository!).

If you want to get involved, please contact me at sabren@manifestation.com. Better yet, join the cvssh list at Yahoo!

Here are several things I would like to do to improve cvssh:

• Add a 'logout' command...
• Check the server's RSA fingerprint the way ssh does.
• Port it to C. I usually prefer to stay up in the clouds with python, but in this case, I think small, fast, low-level C code might be more appropriate. I'm not much of a C programmer, though, so this is one place I could definitely use some help!

I'm sure there's plenty of other ways this could be made better. Why not join the list and share your ideas?

license

It's all GPL, baby. (GNU General Public License)

links and credits

Here's some good stuff to read:

• Pascal Molli knows all about the CVS protocol. Reading this document (as well as the CVS code itself) made the ext-pserver bridge possible.
• Everything else I ever needed to know about cvs, I learned from Karl Fogel
• stunnel.org is the home page for stunnel, which has plenty of other great uses!
• cvsd makes it easier to run a pserver in chroot jail, addressing another major security hole in the pserver system.
• "Tim Timewaster" has a great page describing the cvs-over-ssh approach.
• Robin Dunn's precompiled socket.ssl for win32 made the python SSL stuff easy. (He's also the guy behind wxPython)
• Thomas Heller's py2exe makes building an exe file a snap!
• I based the threading portion of cvssh on code from Sam Rushing's Medusa project. (Thanks to Jason Orendorff and Laurent Szyster for pointing me in the right direction here.)
• My personal homepage is sabren.net. Most of my software is over at sixthdev.com, though.
• The cvs hosting plans I mentioned are available from cornerhost.com.