How does anonymous password authentication work?
Christopher Brooks, 25 Sep 2000
Last updated: 14 Jun 2009

Some of the repositories have anonymous cvs access, which allows anonymous users read only access

The ptII repository moved to svn in 2008. The cvs commands below are an example of how anonymous authentication can work

The Ptolemy II External Developers workgroup (ptexernal) was set up to allow for anonymous read only access to the Ptolemy II tree. After getting the password, the commands to run were:

cd c:/directoryofyourchoice
cvs -d pserver:anon@source.eecs.berkeley.edu:/home/cvs/cvsanon login
# No password needed, hit enter
cvs -d pserver:anon@source.eecs.berkeley.edu:/home/cvs/cvsanon co ptII

cvs -d :pserver:ptdeveloper@gigasource.eecs.berkeley.edu:/home/cvs/cvsanon login
cvs -d :pserver:ptdeveloper@gigasource.eecs.berkeley.edu:/home/cvs/cvsanon co ptII

The best reference is CVS Book: Password Authenticating Server Section

Troubleshooting

cxh@maury 21% telnet gigasource.eecs.berkeley.edu 2401
Trying 128.32.171.225...
Connected to gigasource.EECS.Berkeley.EDU.
Escape character is '^]'.
help

cvs [pserver aborted]: bad auth protocol start: help^

Connection closed by foreign host.
cxh@maury 22%

Also, the CVSROOT/config file should be set up to look like

# Set this to "no" if pserver shouldn't check system users/passwords
SystemAuth=yes

Administrivia

Setting up anonymous read only cvs access

The website maintainers will:

1. Create a link for your repository in /home/cvs/cvsanon

   cd /home/cvs/cvsanon
   ln -s ../yourrepository .
   

2. Each workgroup should have their own anonymous cvs account so that password administration is easier.
   The accounts are listed in /home/cvs/cvsanon/CVSROOT/passwd and look like

   accountname:encrypted password:cvsanon
   

   cvsanon is the name of the account that we actually log in as.
3. To generate an encrypted password, run cryptout.pl with the password

   gigasource:root: %C2> /usr/local/bin/cryptout.pl foobar
   oPG6N3As668O2
   gigasource:root: %C2> 
   

   and then placing that encrypted password in a new password entry in /home/cvs/cvsanon/CVSROOT/passwd

Other details

Note that anonymous read only cvs access sends passwords over in clear text with a very simple encryption scheme. Thus, this method is really only useful for shared accounts since with individual accounts users tend to use the same password for many different accounts so if their cvs password gets snooped, other accounts could be compromised.

Note further that the lightly encrypted password is stored in ~/.cvspass.

Readonly access is controlled by adding users to /home/cvs/cvsanon/CVSROOT/readers

/etc/services and /etc/inetd.conf were modified with the following:

gigasource:root: %C2> grep pserver /etc/services
cvspserver      2401/tcp
gigasource:root: %C2> grep pserver /etc/inetd.conf
cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/home/cvs
/cvsanon pserver
gigasource:root: %C2>

xinetd setup (for Linux)

service cvspserver
{
        socket_type         = stream
        protocol            = tcp
        wait                = no
        user                = root
        passenv             = PATH
        server              = /usr/bin/env
        server_args         = -i cvs -f --allow-root=/usr2/cvsroot --allow-root
=/home/real/cvsroot pserver
}

service cvspserver
{
        socket_type         = stream
        protocol            = tcp
        wait                = no
        user                = root
        passenv             = PATH
        server              = /usr/bin/cvs
        server_args         = -f --allow-root=/usr2/cvsroot --allow-root=/home/
real/cvsroot pserver
}

Solaris 10 Notes

Add the following rules to /etc/ipf/ipf.conf

pass in quick on bge0 proto tcp from any to 128.32.48.234 port = cvspserver flags S keep state group 100

# CVS
pass out quick on bge0 proto tcp from 128.32.48.234 to any port = cvspserver flags S keep state group 200