I haven't done this myself in a while, but you can configure a "genuine login
account" -- cvsphil, in this case -- who can connect via ssh, but through no
other method. That is, cvsphil can't log in from the console, from telnet,
rlogin, etc. I think this is mainly done by setting his login shell to
"/sbin/nologin" or the equivalent.
Then, you can configure the user's ssh login so that the ONLY command they
can run via ssh is "cvs". By default, ssh will open a login shell, but that
won't work for cvsphil, since he won't have a login shell configured. Nor
will you allow phil to type "ssh address@hidden rm
/usr/local/cvsroot/CVSROOT/history", because ssh will be configured to
require the command to be "cvs" (rather than "rm" in this example), and will
strip out metacharacters like "&&" and ";". And you'll also ftpchroot
cvsphil so he can't FTP into the repository server, either. (cvsphil's a
tenacious and sneaky bastard, after all.)
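
One way to implement the "only cvs over ssh" restriction described above, as an added example that is not part of the original post: an OpenSSH forced-command wrapper that checks `SSH_ORIGINAL_COMMAND`. The install path `/usr/local/bin/cvs-only`, the function names and the key placeholder are assumptions, and it assumes sshd is able to run the forced command through the account's shell.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a CVS-only SSH account.
# Hypothetical install path: /usr/local/bin/cvs-only
# Referenced from ~cvsphil/.ssh/authorized_keys (one line, key is a placeholder):
#   command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 <PUBLIC-KEY> phil
# sshd then runs this script for every session using that key and exports the
# command the client asked for in SSH_ORIGINAL_COMMAND.

# Return 0 only when the requested command is exactly what a CVS client
# using the :ext: method sends ("cvs server"); anything else is refused.
is_allowed_cvs_command() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# Decide what to do with one session; prints "allow" or "deny:<reason>".
decide() {
    requested=$1
    if [ -z "$requested" ]; then
        echo "deny:interactive login"
    elif is_allowed_cvs_command "$requested"; then
        echo "allow"
    else
        echo "deny:command not permitted"
    fi
}

run_session() {
    verdict=$(decide "${SSH_ORIGINAL_COMMAND:-}")
    if [ "$verdict" = "allow" ]; then
        # The client's string is never passed to a shell or eval; a fixed
        # argv is executed instead, so "&&" or ";" in it cannot take effect.
        exec cvs server
    fi
    logger -t cvs-only "refused for ${USER:-unknown}: $verdict" 2>/dev/null
    echo "cvs-only: ${verdict#deny:}" >&2
    exit 1
}

# Run only when installed under the name above, so the functions can be
# sourced and tested without executing anything.
case "$0" in
    */cvs-only|cvs-only) run_session ;;
esac
```

Refusals go to syslog under the `cvs-only` tag, which gives a place to alert on repeated attempts to run anything other than `cvs server`.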