Revision: 3
Released: Sep 18, 2005
Updated: Jul 12, 2006
Problem
You develop code on a mix of windows and linux and you want to use SSH to access your CVS server.Solution
To give a little background, my setup at the time of this writing consisted of: - 2 CVS Servers: 1 FreeBSD (work) & 1 Debian (personal projects)- 2 client platforms: Debian cvs and WinCVS
- 3+ different client computers: 1 Win2k (work), 2 Debian (home)
All 3 client computers need access to both CVS servers, since i use a mixture of personal and work code on all three machines. The solution i came up with was to setup both servers to generate keypairs on all clients, then setup the servers to authenticate against the client keypairs. This way, i didn't need to type any passwords to work with the CVS repository (or to SSH into either machine).
The following steps will show you how to setup SSH using public/private keys to authenticate yourself. (i.e. you will not need to type in a password to login)
1. Create client keypairs
1.1. Windows
I used the ssh-keygen2 program that came with the SSH.com ssh client to generate the key. Runssh-keygen2.exe
It will
churn a little bit and then ask you where to save the keypair files.
I saved mine into C:\cvs_ssh\, you can save it anywhere
you want, the location of the key is not important.
When ssh-keygen2.exe asks you for a passphrase, just hit Enter. We want to create a key with a blank passphprase.
The created keyfiles should be named something like id_dsa_.... Open up the keyfile ending in .pub. It should look something like the following:
---- BEGIN SSH2 PUBLIC KEY ---- Subject: user@host Comment: "1024-bit dsa, user@host, Thu Nov 13 2003 00:00:00" AAAAB3NzaC1kc3MAAACBALpvwzNhcyYzweblbzsVB9i6BazkHRPdbWmrH1N/cpagepmhif [...approx 5-6 more lines of alphanumeric chars...] 8noiXlzhsx0tzrP+uQ== ---- END SSH2 PUBLIC KEY ----
Strip out the first 3 lines and the last line (i.e. lines beginning with "----", the Subject: line, and the Comment: line).
You should only be left with a few lines of jumbled alphanumeric chars. At the beginning of the very first line, add the text "ssh-dss" and then delete all linebreaks from the file so that it's one very long line.
ssh-dss AAAAB3NzaC1k [...very long line...] 8noiXlzhsx0tzrP+uQ==
Now, do a Save As... and save the newly formatted file so as not to overwrite the original. This new file will be the public key you will upload to the linux CVS server.
1.2. Linux
Runssh-keygen -C user@myhost
and save your keypair into ~/.ssh/
When ssh-keygen asks you for a passphrase, just hit Enter becuase you want to create a key with a blank passphprase.
No additional formatting of the generated keyfiles is required.
2. Setup the CVS/SSH server to accept the created keypairs
Log in to your CVS/SSH server and find out what user account owns CVSROOT. (For me, on FreeBSD, it's the 'cvs' user).
Go into the CVSROOT owner's ~/.ssh/authorized_keys file (you will probably have to create the directory and file) and paste the public key data from from the keyfiles you generated above in the previous step. (If you're using windows, paste in the modified public keyfile).
It may end with an optional double equals sign "==", which denotes the end of the key. You may place comments after the "==" if you want.
Placing your public key into the cvs owner's ~/.ssh/authorized_keys tells the server that any user posessing the private component of the publickey is allowed to log in as the cvs user without a password (since we created the keyfile without a password).
3. Test the setup
Try logging into the SSH server with the commandssh cvs@myserver.com
It should log you directly in without prompting for a password.
1. Double check that your private key is in your ~/.ssh/ directory.
2. If you're using a server that defaults to SSH1 (and forcing SSH2 via the "-2" command line option) and having trouble, try putting the client's public key into ~/.ssh/authorized_keys2
3. Try explicity telling the ssh client where your private keyfile is by using the "-i" option
ssh -i /dir/to/key -l cvs myserver.com
4. Setup CVS Clients
4.1. Linux
Export some variables to the shell so that the CVS client knows that it should use ssh to contact the CVS server. I added these lines to my ~/.bashrc file:export CVS_RSH="ssh"
export CVSROOT=":ext:cvs@cvsserver.com:/path/to/cvsroot"
# The following lines are NOT NECESSARY, but you might find them useful
# Show new files in current project
alias cvsnew="cvs status | grep ?"
# Show status of all *not* Up-to-date files
alias cvsstatus="cvs status | grep Status | grep -v Up"
# Update the current project
alias cvsupdate="cvs update -P -C -d"
To test, try and check something out
cvs -d $CVSROOT checkout someproject
4.2. Windows
Once you've got a command-line SSH client installed, load WinCVS.
Click "Admin"->"Preferences".
In the "General" tab, type in your CVS server details.
Select "Authentication: SSH" and click "Settings".
Un-click "RSA Private key".
Un-click "Additional SSH options"
For "SSH Client", point it to your ssh client (plink.exe in my case)
C:\plink.exe -i C:\cvs_ssh\key.PPK
Click OK to everything.
Notes
You can (and should) disable the CVS pserver in inetd.conf, since you will be running the cvs client (on the server) over the SSH tunnel, you do not need to have the pserver listening.
Software referenced
- CVS client
-
Linux: debian package
Windows: WinCVS - SSH client
-
Linux: debian package
Windows: PuTTY: plink.exe and puttygen.exe
