How to create a CVS account by hand

If the addcvsuser script fails:
  1. Edit /etc/passwd and add an entry whose uid field is one higher than the previous CVS user's (the cvs group is 416, the shell is /bin/rksh):
    a7prakas:x:40121:416:Aayush Prakash:/home/a7prakas:/bin/rksh
    rvndrn:x:40122:416:Kashik Ravndran:/home/rvndrn:/bin/rksh
    
  2. Edit /etc/shadow by copying the previous entry:
    a7prakas:xOj926MXHsCEg:14924::::::
    and then changing the login:
    rvndrn:xOj926MXHsCEg:14924::::::

    so that the end of the file looks like
    cardoso:02DtsDhjArMbU:14922::::::
    a7prakas:xOj926MXHsCEg:14924::::::
    rvndrn:xOj926MXHsCEg:14924::::::

    Note that the copied second field is the previous user's password hash, so until step 3 runs the new account accepts that user's password. Do step 3 right away, or put *LK* (the Solaris locked-account marker) in that field so the account cannot be used until passwd sets a real password.
    
  3. Run passwd rvndrn
  4. Run
    /usr/local/bin/mkcvsuserdir rvndrn kaushik.ravindran@ni.com
    
  5. Important: On a different machine, verify the account:
    cvs -d :ext:rvndrn@source.eecs.berkeley.edu:/home/cvs_chess co ptpapers
    
  6. Send the user email:
    Hi Kashik
    Your username on source.eecs.berkeley.edu is rvndrn. Apologies about the short login, but we are limited to 8 characters.

    Your password is
    change;me
    To change your password, use ssh to connect to source.eecs.berkeley.edu and run the "passwd" command.
    To check out the repository:

    cvs -d :ext:rvndrn@source.eecs.berkeley.edu:/home/cvs_chess co ptpapers/10
    

How CVS account creation works

When a user requests a CVS account, php/subpages/options.request.php3 runs and sends email to webmaster asking that /usr/local/bin/addcvsuser be run.

(If you want to create a general account, see How do I create an account under Solaris?)

The account created by addcvsuser uses a restricted shell (under Unix, /bin/rksh) so that users can only do things like change their passwords and use cvs: rksh refuses cd, changes to PATH, SHELL or ENV, command names containing a slash, and output redirection. The shells are restricted for security reasons. We also provide dot files for each user.

The PATH is set in /etc/default/login:

# LOCAL change, cvs rksh users need to have the PATH here
PATH=/home/cvsusers/bin

When a user logs in via ssh and their shell is /bin/rksh in /etc/passwd, their PATH is just /home/cvsusers/bin. Because rksh will not let them change PATH or run a command named with a slash, the only commands reachable are those installed in that directory.

Each user has a ~/.ssh/rc file that contains:

# It should not be necessary to have any sort of shell mentioned in the topline
# as this script gets run with the user's shell, which should be rksh
# See the sshd manpage for more info
# This file does nothing, it is to avoid problems with
# .Xauthentication files
However, after we patched in 2/2012, ssh connections started failing with:
/bin/rksh: /bin/sh: restricted

The problem occurs because sshd does not execute ~/.ssh/rc directly: it runs the user's login shell with -c '/bin/sh .ssh/rc' (and feeds the X11 cookie to it on stdin), and rksh refuses any command name that contains a slash, so the inner /bin/sh is rejected before the rc file is even read. One workaround is to remove the ~/.ssh/rc file; with no rc file sshd runs xauth itself, as the excerpt below explains. See http://comments.gmane.org/gmane.network.openssh.devel/12155. The book "SSH Secure Shell" at http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch09_03.htm says:

9.3.5.2. xauth and the SSH rc files

SSH has startup files that can be set to execute on the server side when a client logs in. These are the systemwide /etc/sshrc and the per-account ~/.ssh/rc. These can be shell scripts or any kind of executable program.

An important thing to note is that sshd runs xauth only to add the proxy display key if it doesn't run an rc program. If it does run an rc program, it feeds the key type and data to the program on a single line to its standard input, and it is up to the rc program to store the display key. This feature provides a way to customize handling the display key, in case just running xauth isn't the right thing to do in your situation.

The restricted users do have enough access to set up ssh access though.
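To see the "/bin/rksh: /bin/sh: restricted" failure without an sshd, here is an added shell example (not part of this page's setup, and not the rc file shown above) that mimics sshd's invocation of the rc file under an unrestricted and a restricted login shell. rksh is assumed not to be available on the machine you try this on, so bash's restricted mode (bash -r), which applies the same no-slash rule to command names, stands in for it; the rc file and the cookie line are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the "/bin/rksh: /bin/sh: restricted" failure outside sshd.
# sshd does not exec ~/.ssh/rc directly; it runs the login shell as
#     $SHELL -c '/bin/sh .ssh/rc'
# and writes the X11 auth protocol and cookie to its stdin. A restricted shell rejects
# any command name containing a slash, so the inner "/bin/sh" never gets to run.
# rksh is not assumed to be installed here; bash's restricted mode (bash -r), which
# applies the same no-slash rule, stands in for it. Assumption: bash is installed.

# make_rc -> path of a constructed rc file equivalent to the cvs users' "do nothing" one:
# it consumes the cookie line sshd hands it and exits 0.
make_rc() {
    rc=$(mktemp)
    printf '#!/bin/sh\n# constructed ~/.ssh/rc for the example\nread -r proto cookie\nexit 0\n' > "$rc"
    echo "$rc"
}

# run_rc_via LOGIN_SHELL RC_FILE
# Mimics sshd's invocation (cookie on stdin, shell -c "/bin/sh RC"); returns its status.
# LOGIN_SHELL is deliberately unquoted so "bash -r" splits into command and flag.
run_rc_via() {
    printf 'MIT-MAGIC-COOKIE-1 0123456789abcdef\n' | $1 -c "/bin/sh $2"
}

# rc_blocked_by LOGIN_SHELL -> 0 if the rc file cannot run under that shell, 1 if it runs.
rc_blocked_by() {
    rc=$(make_rc)
    run_rc_via "$1" "$rc" && status=0 || status=$?
    rm -f "$rc"
    [ "$status" -ne 0 ]
}

# Demo output when run as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    for shell in /bin/sh 'bash -r'; do
        if rc_blocked_by "$shell"; then
            echo "$shell: rc blocked (what the cvs users hit after the 2/2012 patch)"
        else
            echo "$shell: rc ran"
        fi
    done
fi
```

Running it with the demo argument prints one line per shell; under bash -r the shell's own refusal message appears first, the restricted-mode counterpart of the rksh line quoted above. The point to take away is that the login shell, not the contents of rc, causes the failure, which is why an rc file that does nothing still breaks the login.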

We don't want people using source.eecs as a general purpose server, we just want to provide cvs (and subversion) access. By having source be very secure, we increase reliability and availability. source.eecs is our most reliable machine. Until we put a web server on to support Subversion, it was very resistant to attack. source.eecs does not have NFS running or sendmail (there is a MX record set up to bennett). Scanning the ports on source.eecs reveals many fewer open ports than are on andrews, which has mysql and sendmail. I've been meaning to tighten up the firewalls on the servers, but have not gotten around to it in a while.

source.eecs does not mount user file systems for security reasons. NFS is a security hole. In the 'real world' machines on the outside of the firewall such as web servers and cvs servers usually do not have user accounts. If user accounts are to be made available, usually there would be a VPN hole or else a login server.

source: As of 2/06, we are not adding cvs-only users to the departmental database. This is partly in preparation for the uid unification with campus, after which we won't be able to add users to the database at all. The addcvsuser script on source looks in /etc/passwd for the last uid in the range 40000 to 50000 and uses the next one; for example, the next uid might be 40012.
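The by-hand recipe at the top of this page and the next-UID rule addcvsuser follows, as an added shell example (this is not the site's addcvsuser script, which is not reproduced here). It finds the highest UID in the 40000 to 50000 range in a passwd file and takes the next one, refuses logins longer than 8 characters or already present, and writes the passwd and shadow lines. One deliberate difference from the recipe: it writes Solaris's *LK* locked marker instead of copying the previous user's hash, so the account cannot be used until passwd sets a real password. It runs against whatever files you pass it, so try it on copies first; the sample entries and the lastchg day number are constructed for the example.

```shell
#!/bin/sh
# Added example: emit the /etc/passwd and /etc/shadow entries for a new cvs-only user,
# following the by-hand recipe (uid = last CVS uid + 1, gid 416, shell /bin/rksh).
# Not the site's addcvsuser script. Works on whatever files you pass it, so it can be
# exercised on copies before touching the real ones.

CVS_UID_MIN=40000          # addcvsuser's UID range, per the notes above
CVS_UID_MAX=50000
CVS_GID=416                # the cvs group
CVS_SHELL=/bin/rksh        # restricted shell: passwd and cvs only

# next_cvs_uid PASSWD_FILE
# Highest UID in [CVS_UID_MIN, CVS_UID_MAX) plus one; CVS_UID_MIN if none is there yet.
next_cvs_uid() {
    awk -F: -v lo="$CVS_UID_MIN" -v hi="$CVS_UID_MAX" '
        BEGIN { max = 0 }
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 < hi && $3 + 0 > max { max = $3 + 0 }
        END { print (max ? max + 1 : lo) }' "$1"
}

# check_login PASSWD_FILE LOGIN
# 0 if LOGIN is at most 8 characters (the limit quoted in the welcome mail) and unused.
check_login() {
    if [ "${#2}" -gt 8 ]; then
        echo "login '$2' is longer than 8 characters" >&2
        return 1
    fi
    if awk -F: -v l="$2" '$1 == l { found = 1 } END { exit !found }' "$1"; then
        echo "login '$2' already exists in $1" >&2
        return 1
    fi
}

# passwd_line LOGIN UID NAME -> the /etc/passwd entry
passwd_line() {
    printf '%s:x:%s:%s:%s:/home/%s:%s\n' "$1" "$2" "$CVS_GID" "$3" "$1" "$CVS_SHELL"
}

# shadow_line LOGIN LASTCHG -> the /etc/shadow entry, with the account LOCKED.
# The recipe copies the previous user's hash here, which makes the new account reachable
# with that user's password until `passwd LOGIN` runs; the *LK* marker closes that window.
# LASTCHG is the days-since-epoch field, copied from the neighbouring entry as in the recipe.
shadow_line() {
    printf '%s:*LK*:%s::::::\n' "$1" "$2"
}

# add_cvs_user PASSWD_FILE SHADOW_FILE LOGIN NAME LASTCHG
# Appends both entries and prints the UID chosen. Afterwards run `passwd LOGIN` and
# /usr/local/bin/mkcvsuserdir LOGIN EMAIL exactly as in the recipe.
add_cvs_user() {
    check_login "$1" "$3" || return 1
    uid=$(next_cvs_uid "$1")
    passwd_line "$3" "$uid" "$4" >> "$1"
    shadow_line "$3" "$5" >> "$2"
    echo "$uid"
}

# demo: constructed sample files modelled on the entries quoted in the recipe
# (hashes replaced with a placeholder).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
cardoso:x:40120:416:Cardoso:/home/cardoso:/bin/rksh
a7prakas:x:40121:416:Aayush Prakash:/home/a7prakas:/bin/rksh
EOF
    printf 'cardoso:EXAMPLEHASH:14922::::::\na7prakas:EXAMPLEHASH:14924::::::\n' > "$dir/shadow"
    add_cvs_user "$dir/passwd" "$dir/shadow" rvndrn 'Kashik Ravndran' 14924
    tail -n 1 "$dir/passwd"
    tail -n 1 "$dir/shadow"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the demo argument to see the UID picked (40122 for the sample) and the two lines appended. Entries outside the 40000 to 50000 range, such as staff accounts, are ignored when choosing the next UID, which is the same rule the notes above describe for addcvsuser.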

Adding a user to the UID database

This is obsolete as of 9/2011.
The primary interface is https://iris.eecs.berkeley.edu/db/roster/. You might find it easier to use the web interface to add the user to the uid database and then rerun addcvsuser with the same command line arguments from the email that was sent to you requesting the account. To use the web interface:
  1. Go to https://iris.eecs.berkeley.edu/db/roster/
  2. Select Create a new user account
    FIXME: Need to update instructions below, the are for the old site
    If you are creating an account on source.eecs and the user is not in the dept. db, then do not add the user to the db. Instead, add a local account on source.
  3. Select UIDs
  4. Use the following values
    Login:
    The login the user would like, for example
    j_ludvig
    GID:
    Group ID. The cvs group ID is
    416
    You can use the Click to Choose button, or just type it in.
    Name:
    The user's real name, for example:
    Jozsef Ludvig
  5. Hit the Insert button
  6. In the next window, fill in the following
    GECOS
    This field is for phone numbers and such. Leave it blank
    Home Dir
    Leave it blank
    Maybe we can leave this blank, but I did:
    /home/j_ludvig
    Shell
    Leave Blank? Or try:
    /bin/rksh
    or
    /usr/local/bin/tcsh
    SID
    This is the student ID. Leave it blank
    Comment
    Leave a good comment about who this person is:
    GSRC Guest, CVS only

Departmental Account infrastructure

The information below is for setting up and debugging the scripts that access the departmental account database.

The Departmental UID database can be accessed at https://iris.eecs.berkeley.edu/db/roster/
http://www.eecs.berkeley.edu/~tmaher/dw/DW_UID.pm is the DW_UID download; it contains Perl scripts for adding and deleting users in the departmental user database. Locally, those scripts are installed in /usr/local/dw_uid on gigasource.

  1. Download the DW_UID software from http://www.eecs.berkeley.edu/~tmaher/dw/DW_UID.pm
  2. Install Perl 5.6.1 by downloading from ftp://mirrors.xmission.com/sunfreeware, gunzipping and running pkgadd -d perl*.
  3. Verify that perl 5.6.1 is in your path with perl -version
  4. Install OpenSSL by going to http://www.openssl.org
  5. Install the appropriate modules:
     perl -MCPAN -e shell
     install Net::SSLeay
     install MIME::Base64
    
    Note that CPAN can use ftp or http to download files.
    I had problems with the host based firewall, so you may want to download the files by hand.

    Also, for Net::SSLeay, I had problems with the test hanging when it tried to connect to www.openssl.org, so I had to download it from ftp://cpan.valueclick.com//perl/CPAN/modules/by-module/Net and do

    tar -zxf downloads/Net*
    cd Net*
    perl Makefile.PL
    make
    make test
    make install
    
  6. To run the script, do
    cd /usr/local/dw_uid/DW_UID
    add.pl
    
  7. If you are having problems with the scripts, then try running them by hand. The run below failed because the login being added (cxh) already existed in the unix_uids table, so the insert hit the unique index on login:
    gigasource:root: %C2> ./add.pl
    Enter your login name to EECS DataWarehouse: cxh
    Enter password: XXX

    Checking authorization... ok
    Enter search criterion.
    press enter for none
    login > cxh
    name > hylands
    Are any of these guys your man? (press enter for no)
    1) cxh (6269) Christopher Hylands
    2) basil (8164) Basil Hylands
    3) hxc (6349) Christopher Hylands
    Please select an entry and/or press enter: 1
    error:

    Database error

    An error occured

    Error: Cannot insert new into unix_uids

    line 990 in /usr/netscape/server4/docs/dw/user/unix_uids_manage.cgi

    database error: ERROR: Cannot insert a duplicate key into unique index unix_uids_login_key

    attempted: INSERT INTO unix_uids ( uid, login, gid, name, gecos, homedir, shell, sid, created, pin, comment ) VALUES ( gfu( 200 ), 'cxh', '30', 'Christopher Hylands', '406 Cory,2-2716', '/home/argon3/lab/staff/cxh', '/bin/csh', NULL, 'now', NULL, 'imported from uid db' )

    If you see this message, please get either a hardcopy or email a copy of the page to
    Infrastructure Development and Support Group
    Room 325, Soda Hall
    gigasource:root: %C2>
I modified the dw_uid software and created getuid.pl:
Ok, I hacked (major emphasis on hacked) up add.pl and created getuid.pl, which prints all the status messages to STDERR and the passwd line to stdout, so that you can get the line with something like:
set pwent = "`/usr/local/dw_uid/dw_uid/getuid.pl $last_name`"
This will be useful for anyone who is using the csh-based adduser script based on the one from ftp://account.eecs.berkeley.edu/pub/adduser that was initially written in '92.

I modified DW_UID.pm so that it prints its messages to STDERR, and I cleaned it up slightly so that it does not take a command line argument as the login name to use with the EECS Data Warehouse

Saving /etc/passwd and /etc/shadow before messing around with adduser is strongly recommended.

My hacks can be found at http://ptolemy.eecs.berkeley.edu/~cxh/tmp/dw_uid-1.0p1.tar.gz