Password authentication server -- CVS---Concurrent Versions System
4.5.2.1. Setting up the server for password authentication
On the server side, the file /etc/inetd.conf
needs to be edited so inetd knows to run the
command cvs pserver when it receives a
connection on the right port. By default, the port
number is 2401; it would be different if your client
were compiled with CVS_AUTH_PORT defined to
something else, though.
If your inetd allows raw port numbers in
/etc/inetd.conf, then the following (all on a
single line in inetd.conf) should be sufficient:
2401 stream tcp nowait root /usr/local/bin/cvs cvs -b /usr/local/bin pserver
The `-b' option specifies the directory which contains
the rcs binaries on the server.
If your inetd wants a symbolic service
name instead of a raw port number, then put this in
/etc/services:
cvspserver 2401/tcp
and put cvspserver instead of
2401 in inetd.conf.
Once the above is taken care of, restart your
inetd, or do whatever is necessary to force it
to reread its initialization files.
Because the client stores and transmits passwords in
cleartext (almost; see Password authentication
security for details), a separate cvs password
file may be used, so people don't compromise their
regular passwords when they access the repository.
This file is $CVSROOT/CVSROOT/passwd
(see Intro administrative files). Its format is
similar to /etc/passwd, except that it only has
two fields, username and password. For example:
bach:ULtgRLXo7NRxs
cwang:1sOp854gDF3DY
The password is encrypted according to the standard
Unix crypt() function, so it is possible to
paste in passwords directly from regular Unix
passwd files.
When authenticating a password, the server first checks
for the user in the cvs passwd file. If it
finds the user, it compares against that password. If
it does not find the user, or if the cvs
passwd file does not exist, then the server
tries the system's /etc/passwd file. In either
case, assuming the password is correct, the server
switches to run as that user immediately after
authentication, so that it will have no privileges
which that user would not have. Therefore it is
necessary that usernames in the cvs passwd
file be valid usernames on the system.
Right now, the only way to put a password in the
cvs passwd file is to paste it there from
somewhere else. Someday, there may be a cvs
passwd command.
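
A consistency check for $CVSROOT/CVSROOT/passwd that follows the rules described above (an added example, not part of the CVS manual or of CVS itself; the function names and sample file contents are constructed for illustration, and the system password field is assumed to sit in /etc/passwd as this page describes). It flags entries that do not have exactly two fields, usernames the server could not switch to, and hashes pasted unchanged from the system file:

```python
# Added example, not CVS code. Sample data is constructed; bach/cwang entries are from the page.

def parse_system_passwd(text):
    """Map username -> password field from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            users[fields[0]] = fields[1]
    return users

def audit_cvs_passwd(cvs_text, system_text):
    """Return (line_number, username, issue) findings for a CVS passwd file."""
    system = parse_system_passwd(system_text)
    findings, seen = [], set()
    for lineno, line in enumerate(cvs_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # The page describes exactly two fields: username and password.
        if len(fields) != 2 or not fields[0] or not fields[1]:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw_hash = fields
        if user in seen:
            findings.append((lineno, user, "duplicate username"))
        seen.add(user)
        if user not in system:
            # The server switches to this user after authentication.
            findings.append((lineno, user, "not a system user"))
        elif system[user] == pw_hash:
            # A pasted system hash ties the CVS password to the login password.
            findings.append((lineno, user, "same hash as system passwd"))
    return findings

SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bach:x:1001:100:J. Bach:/home/bach:/bin/sh
cwang:1sOp854gDF3DY:1002:100:C. Wang:/home/cwang:/bin/sh
"""
CVS_PASSWD = """\
bach:ULtgRLXo7NRxs
cwang:1sOp854gDF3DY
guest:ab0123456789A
bach:ULtgRLXo7NRxs
nohash:
"""

if __name__ == "__main__":
    print(*audit_cvs_passwd(CVS_PASSWD, SYSTEM_PASSWD), sep="\n")
```

On the constructed input, the cwang entry is reported because its hash matches the system file, which gives up the separation between repository and login passwords that the cvs passwd file is meant to provide.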