    April 20

    cvs without password

    How do I use CVS without typing my password each time?
    Christopher Brooks, 18 Jul 2000
    Last updated: 13 Sep 2005

    To use CVS without typing your password, you will need an individual account on gigasource.

    If your CVS account was created after September 2000, then it is fairly likely that you already have an individual account.

    If you would like to check, log in to your CVS account on gigasource and run pwd.

  • If your home directory is /home/cvsusers then you do not have an individual account. You should follow the instructions in How do I get a CVS account? and request an individual account. In the comments section be sure to state that you think you have a shared account and that you would like your account recreated as an individual account so that you do not have to type your password.
    A GSRC administrator will edit /etc/passwd and /etc/shadow to remove your account and then recreate it.
    GSRC Admins can view How are cvs accounts created? for details.
  • If your home directory is anything but /home/cvsusers, then you already have an individual account, and you can proceed without sending email.
  • For example, the ptolemy user does not have an individual account, so email should be sent:
    cxh@maury 1% ssh gigasource -l ptolemy
    ptolemy@gigasource's password:

    Last login: Mon Mar 26 22:01:19 2001 from julian.eecs.ber
    $ pwd
    /home/cvsusers
    $ exit
    Connection to gigasource closed.
    cxh@maury 2%
    
    

    The steps below are slightly modified from the CVS SSH instructions (http://www.gigascale.org/pubs/gsrc-downloads/cvsssh/cvssshREADME.txt).

    SSH (and therefore CVS over SSH) can use RSA authentication and Rhosts-style authentication so that you can log in without typing your password. Rhosts authentication alone is insecure, since it trusts the client's claimed host name and address, and most CVS servers (this one included) disallow it. RSA can be used with or without Rhosts authentication. With RSA alone, anyone holding the RSA private key (and its passphrase, if it has one) can access the repository. With RSA and Rhosts, repository access is restricted to the computers listed in .shosts that also present the expected host key.

    Note that for RSA with Rhosts authentication to work, each host that you are logging in from needs to be listed in two files. If you are connecting from multiple hosts via dynamic DSL, then each time you connect you are likely to have a different address, which makes managing the files difficult. There are several possible solutions: one is to try to use wildcards in ~/.ssh/known_hosts and ~/.shosts, the other is to run a script that updates these files automatically. Both solutions are complex and have security issues, so we do not cover them here. It is much simpler to use RSA authentication alone in this case.

    RSA authentication

    Once your account has been set up, do the following:

    1. Create ~/.ssh/id_rsa.pub on the local machine: If ~/.ssh/id_rsa.pub does not exist on your local machine, create it by running ssh-keygen -t rsa
      When prompted for a passphrase, hit return. If you type in a passphrase here, you will be prompted for that passphrase each time (unless an ssh-agent holds the key for you, which these instructions do not cover).
      Running ssh-keygen will generate the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are your private and public keys respectively. Only the .pub file is ever copied to the server; ~/.ssh/id_rsa stays on your machine.
    2. Create ~/.ssh/authorized_keys2 on gigasource: Set the permission of ~/.ssh/id_rsa.pub to 0644 and then copy ~/.ssh/id_rsa.pub over to ~/.ssh/authorized_keys2 with the scp -p flag to preserve permissions.
      chmod 0644 ~/.ssh/id_rsa.pub
      scp -p ~/.ssh/id_rsa.pub yourgigasourcelogin@gigasource:~/.ssh/authorized_keys2
      where yourgigasourcelogin is your CVS login on gigasource. Note that this overwrites any authorized_keys2 already on gigasource, so if you connect from several machines, keep one local file containing all of their public keys (one per line) and copy that instead. Current OpenSSH servers look for ~/.ssh/authorized_keys first and read authorized_keys2 only for backward compatibility.
    3. From the local machine, test ssh with:
      ssh yourgigasourcelogin@gigasource cvs
      to check the set up. If you are still asked for your password, check that your home directory and ~/.ssh on gigasource are writable only by you: sshd ignores authorized keys kept under looser permissions.
    Below is a sample run
    cxh@DOPLAP03 ~
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
    Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
    The key fingerprint is:
    03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03

    cxh@DOPLAP03 ~
    $ chmod 0644 ~/.ssh/id_rsa.pub

    cxh@DOPLAP03 ~
    $ scp ~/.ssh/id_rsa.pub cxh@gigasource:~/.ssh/authorized_keys2
    The authenticity of host 'gigasource (128.32.171.225)' can't be established.
    RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'gigasource,128.32.171.225' (RSA) to the list of known hosts.
    cxh@gigasource's password:
    id_rsa.pub 100% |*****************************| 222 00:00

    cxh@DOPLAP03 ~
    $ ssh cxh@gigasource cvs
    Usage: cvs [cvs-options] command [command-options-and-arguments]
    where cvs-options are -q, -n, etc.
    (specify --help-options for a list of options)
    where command is add, admin, etc.
    (specify --help-commands for a list of commands
    or --help-synonyms for a list of command synonyms)
    where command-options-and-arguments depend on the specific command
    (specify -H followed by a command name for command-specific help)
    Specify --help to receive this message

    The Concurrent Versions System (CVS) is a tool for version control.
    For CVS updates and additional information, see
    the CVS home page at http://www.cvshome.org/ or
    Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html

    cxh@DOPLAP03 ~
    $
    After the above steps you should not be prompted for your password each time you run a cvs command. There are two ways to avoid typing a passphrase each time.

    The first is to use only RSA authentication as described above and give an empty passphrase. Note that this means the file ~/.ssh/id_rsa is all that is needed to log in: if someone steals your laptop and breaks into your account, they can use the ssh command to get on to your Unix account on gigasource. If that happens, remove the matching line from ~/.ssh/authorized_keys2 on gigasource and generate a new key. RSA authentication works with ssh1 and ssh2.

    The second way is to set up Rhosts RSA authentication, which currently only works with ssh1. In this case, ssh authenticates your computer instead of you: the server checks the client's host name and IP address and requires the client to prove possession of the host key listed in the server's known_hosts. It is somewhat safer for your computer to log in without a password because the CVS server can determine where your computer is located. Your computer can only log in without a password if it also has the correct name and IP. This method is shown below.
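    The host restriction that Rhosts RSA gives you can also be expressed in the authorized_keys file itself, and the same file can limit the key to running the CVS server and nothing else. The shell script below is an added example, not part of the original page or of the CVS SSH instructions: it prefixes a public key line with standard OpenSSH authorized_keys options (from=, command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) and audits an authorized_keys file for keys that carry no from= restriction. The key material and the host name maury.eecs.berkeley.edu it uses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page or the CVS SSH instructions):
# give a passphrase-less key the host restriction that Rhosts RSA provides,
# and limit it to running the CVS server, via OpenSSH authorized_keys options.

# restrict_key "PUBKEY_LINE" "HOST_PATTERN"
# Prints PUBKEY_LINE prefixed with authorized_keys options so the key is
# accepted only from HOST_PATTERN, may only run "cvs server" (the command the
# cvs client requests over an :ext: connection), and gets no forwarding or pty.
restrict_key() {
    _line=$1
    _hosts=$2
    _type=${_line%% *}            # first word: key type
    _rest=${_line#* }             # everything after it: key material [comment]
    case "$_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "restrict_key: not a public key line: $_line" >&2; return 1 ;;
    esac
    # Refuse a line with no key material (an empty or truncated .pub file).
    if [ "$_rest" = "$_line" ] || [ -z "$_rest" ]; then
        echo "restrict_key: missing key material: $_line" >&2
        return 1
    fi
    printf 'from="%s",command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$_hosts" "$_line"
}

# audit_authorized_keys FILE
# Prints every key line in FILE that carries no from= restriction.
# Returns 0 when every key is host-restricted, 1 otherwise.
audit_authorized_keys() {
    _bad=0
    while IFS= read -r _l || [ -n "$_l" ]; do
        case "$_l" in
            ''|'#'*)      ;;                           # blank line or comment
            *'from="'*)   ;;                           # restricted to some host(s)
            *)            echo "unrestricted: $_l"; _bad=1 ;;
        esac
    done < "$1"
    return $_bad
}

# Constructed sample (the key material is not a real key).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYMATERIALNOTREAL cxh@DOPLAP03'
SAMPLE_HOST='maury.eecs.berkeley.edu'

# demo_authorized_keys: build a file holding one restricted copy of the sample
# key and one bare copy (what the scp step above installs), then audit it.
# Returns 1 because the bare copy is unrestricted.
demo_authorized_keys() {
    _f=$(mktemp) || return 1
    {
        echo '# keys accepted for this account on gigasource'
        restrict_key "$SAMPLE_KEY" "$SAMPLE_HOST"
        echo "$SAMPLE_KEY"
    } > "$_f"
    audit_authorized_keys "$_f"
    _rc=$?
    rm -f "$_f"
    return $_rc
}

demo_authorized_keys || echo "audit: some keys are not restricted to a host"
```

    Install the line restrict_key prints on gigasource in place of the bare key line. Two things change: with command= in place, ssh gigasource cvs no longer prints the cvs usage text (sshd runs cvs server whatever command you asked for), so test with a real cvs command such as cvs status in an existing checkout; and the from= pattern is matched against the client's reverse-resolved host name and its IP address, so it has the same dynamic-address limitation as .shosts.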

    Rhosts RSA authentication

    These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above.
    1. Setup ~/.shosts on gigasource: Create a temporary file on your local machine that contains the fully qualified name of the host you will be logging in from.
      echo "myhost.eecs.berkeley.edu" > /tmp/shosts
    2. Change the permissions of the file on your local machine so that it is only readable by you. Note that you can't run chmod on the remote machine under rksh, so you need to fix the permissions before you copy the file over.
      chmod 0600 /tmp/shosts
    3. Copy the file over:
      scp /tmp/shosts gigasource:~/.shosts
      Below is a sample session
      ptolemy@myhost 4% echo "myhost.eecs.berkeley.edu" > /tmp/shosts
      ptolemy@myhost 5% chmod 0600 /tmp/shosts
      ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts
      Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': your passphrase

      shosts | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 100%

      ptolemy@myhost 7%
    4. On your Windows machine, check to see if the file c:\ssh\etc\ssh_host_key.pub exists:
      1. If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work, so run ssh-keygen on a Unix host. The -N '' below means the host key has no passphrase; a host key must be unencrypted because ssh loads it without prompting.
           cd /tmp
        ssh-keygen -b 1024 -f ssh_host_key -N ''
        On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention; it thinks c: is a machine named 'c'. To copy the files under bash on Windows:
           cd c:/ssh/etc
        scp yourunixmachine:/tmp/ssh_host_key.pub .
        scp yourunixmachine:/tmp/ssh_host_key .
        On the Unix machine, remove /tmp/ssh_host_key as soon as the copy is done: it is the private host key, and anyone who obtains it can impersonate your machine to gigasource.
      2. If c:/ssh/etc/ssh_host_key.pub exists on your Windows machine, copy it to a temporary file on the Unix machine:
                cd c:/ssh/etc
        scp ssh_host_key.pub yourunixmachine:/tmp
    5. Set up ~/.ssh/known_hosts on gigasource: On gigasource, ~/.ssh/known_hosts lists the host keys of the hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigasource.
      Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource.
      1. Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file, /tmp/known_hosts
      2. Add the fully qualified domain name of the Windows machine to the beginning of the line. You should end up with something like
        maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243
        where the last number is far longer than shown here. The name must be the canonical name the server resolves your address to, or the server rejects the host key (the troubleshooting output below shows exactly that failure).
      3. Copy the file:
        scp /tmp/known_hosts gigasource:~/.ssh/known_hosts
    6. From the local machine, test ssh with:
      ssh -v gigasource cvs
      you should not have to type in your password.
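    The two files above are small, but getting either wrong (a short host name, a non-ssh1 key line, or permissions you can no longer fix from rksh) leaves you back at a password prompt. The shell script below is an added example, not from the original page: it builds the .shosts and known_hosts contents from a client name and its ssh1 ssh_host_key.pub line, refusing a name that is not fully qualified and a key line that is not in the ssh1 "bits exponent modulus" form, and creates both files mode 0600 before you scp them. The host name and host key it uses are constructed (a real 1024-bit modulus is about 300 decimal digits).

```shell
#!/bin/sh
# Added example (not from the original page): build the two files that Rhosts
# RSA authentication needs on gigasource, ~/.shosts and ~/.ssh/known_hosts,
# from the client's fully qualified name and its ssh1 host public key, with
# the checks the troubleshooting output on this page shows sshd applying.

# rsa1_known_hosts_line FQDN PUBKEY_LINE
# PUBKEY_LINE is the content of an ssh1 ssh_host_key.pub:
#   "bits exponent modulus [comment]", all three numbers in decimal.
# Prints "FQDN bits exponent modulus", the line ~/.ssh/known_hosts expects.
rsa1_known_hosts_line() {
    _fqdn=$1
    _key=$2
    # sshd compares the name against the canonical host name of the client
    # address, so a bare short name (e.g. "maury") never matches.
    case "$_fqdn" in
        *.*) ;;
        *) echo "rsa1_known_hosts_line: '$_fqdn' is not fully qualified" >&2; return 1 ;;
    esac
    set -- $_key                   # split the key line into its fields
    _bits=$1; _exp=$2; _mod=$3
    for _n in "$_bits" "$_exp" "$_mod"; do
        case "$_n" in
            ''|*[!0-9]*)
                echo "rsa1_known_hosts_line: not an ssh1 public key line: $_key" >&2
                return 1 ;;
        esac
    done
    printf '%s %s %s %s\n' "$_fqdn" "$_bits" "$_exp" "$_mod"
}

# write_rhosts_files FQDN PUBKEY_LINE DIR
# Writes DIR/shosts (the client name) and DIR/known_hosts (its host key line),
# created mode 0600 so they are readable only by you; the permissions must be
# right before the scp, because rksh on gigasource will not let you chmod there.
write_rhosts_files() {
    _fqdn=$1; _key=$2; _dir=$3
    _kh=$(rsa1_known_hosts_line "$_fqdn" "$_key") || return 1
    (
        umask 077
        printf '%s\n' "$_fqdn" > "$_dir/shosts" &&
        printf '%s\n' "$_kh"   > "$_dir/known_hosts"
    )
}

# Constructed sample: not a real host key (a real modulus is ~300 digits).
SAMPLE_FQDN='maury.eecs.berkeley.edu'
SAMPLE_HOSTKEY='1024 35 27348124368712489214987214872164987243 root@maury'

# demo_rhosts: write both files into a scratch directory and show them.
demo_rhosts() {
    _d=$(mktemp -d) || return 1
    write_rhosts_files "$SAMPLE_FQDN" "$SAMPLE_HOSTKEY" "$_d" || { rm -rf "$_d"; return 1; }
    ls -l "$_d/shosts" "$_d/known_hosts"
    cat "$_d/shosts" "$_d/known_hosts"
    rm -rf "$_d"
}

demo_rhosts
```

    Point the script at a directory under your control, then scp DIR/shosts to gigasource:~/.shosts and DIR/known_hosts to gigasource:~/.ssh/known_hosts exactly as in steps 3 and 5; for a second client machine, append its rsa1_known_hosts_line output to the same known_hosts file and its name to the same shosts file before copying.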

    Troubleshooting CVS SSH under NT

    1. Run
      ssh -v yourunixmachine cvs
      and check the output, which should look like:
      ptolemy@carson 8% ssh -v gigasource cvs
      SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
      Standard version. Does not use RSAREF.
      carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config
      carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0
      carson.eecs.berkeley.edu: Connecting to gigasource [128.32.171.225] port 22.
      carson.eecs.berkeley.edu: Allocated local port 1021.
      carson.eecs.berkeley.edu: Connection established.
      carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version \
      1.2.26
      carson.eecs.berkeley.edu: Waiting for server public key.
      carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1\
      024 bits).
      carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.
      carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/ra\
      ndom_seed
      carson.eecs.berkeley.edu: Encryption type: idea
      carson.eecs.berkeley.edu: Sent encrypted session key.
      carson.eecs.berkeley.edu: Installing crc compensation attack detector.
      carson.eecs.berkeley.edu: Received encrypted confirmation.
      carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authe\
      ntication.
      carson.eecs.berkeley.edu: Remote: Accepted by .shosts.
      carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or \
      invalid host key.
      carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'cars\
      on.eecs.berkeley.edu'.
      carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with\
      the canonical host name using ssh, and then try again.
      carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.
      carson.eecs.berkeley.edu: No agent.
      carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eec\
      s.berkeley.edu'
      carson.eecs.berkeley.edu: Received RSA challenge from server.
      carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.\
      ssh/identity.
      Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': your CVS passphrase

      carson.eecs.berkeley.edu: Sending response to host key RSA challenge.
      carson.eecs.berkeley.edu: Remote: RSA authentication accepted.
      carson.eecs.berkeley.edu: RSA authentication accepted by server.
      carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofin\
      g.
      carson.eecs.berkeley.edu: Sending command: cvs
      carson.eecs.berkeley.edu: Entering interactive session.
      Usage: cvs [cvs-options] command [command-options-and-arguments]
      where cvs-options are -q, -n, etc.
      (specify --help-options for a list of options)
      where command is add, admin, etc.
      (specify --help-commands for a list of commands
      or --help-synonyms for a list of command synonyms)
      where command-options-and-arguments depend on the specific command
      (specify -H followed by a command name for command-specific help)
      Specify --help to receive this message

      The Concurrent Versions System (CVS) is a tool for version control.
      For CVS updates and additional information, see
      Cyclic Software at http://www.cyclic.com/ or
      Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
      carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0\
      .1 seconds
      carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0\
      .0
      carson.eecs.berkeley.edu: Exit status 1
      ptolemy@carson 9%
    2. Check the value of the CVSROOT environment variable. It should name the CVS server and the repository path, something like: :ext:myhost.eecs.berkeley.edu:/users/cvs/Repository
    3. Be sure that you have created a key on the Unix side and copied the identity* files from Unix to NT
    4. Be sure that $HOME is set for your NT account
    5. Try using the ssh.exe binary that the $CVS_RSH variable refers to. Below is an example where we ssh over to carson and get the date:
           bash-2.02$ echo $CVS_RSH
      D:\Program Files\Ptolemy\CVS SSH\ssh.exe
      bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
      Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
      ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
      Thu Feb 4 15:35:06 PST 1999
      Below is an example that failed because the wrong RSA passphrase was typed. Note that you are prompted twice: ssh first asks for the key's passphrase and, when that fails, falls back to asking for the account password, which is also refused:
           bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
      Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
      Bad passphrase.
      Password:
      Permission denied.
      bash-2.02$
    6. Verify that you can use ssh to connect between two Unix boxes.
    7. Check ssh_config. RSAAuthentication and/or RhostsRSAAuthentication must be turned on. One way to do this locally is by having an /Program\ Files/Ptolemy/CVS\ SSH/ssh_config file that looks like:
      Host *
      RSAAuthentication yes
      RhostsRSAAuthentication yes
      lt;br /></pre> The above steps should not prompt you for your password each time you run a cvs command. There are two ways to enable yourself to not type a passphrase each time. <p>The first is to use only RSA authentication as described above, and give an empty passphrase. Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account. RSA authentication works with ssh1 and ss2. </p><p>The second way is to set up Rhosts RSA authentication, which currently only works with ssh1. In this case, ssh will authenticate your computer instead of you. It is somewhat safer for your computer to log in without a password because the CVS server can determine where your computer is located. Your computer can only login without a password if it also has the correct name and IP. This method is shown below. </p><p> </p><h2>Rhosts RSA authentication</h2> These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above. <ol><li> <b>Setup <code>~/.shosts</code> on gigasource</b>: Create a temporary file on your local machine that contains the name of the host you will be logging in from. <pre>echo "myhost.eecs.berkeley.edu" > /tmp/shosts<br /></pre> </li><li><b>Change the permissions of the file on you local machine so that it is only readable by you.</b> Note that you can't run <code>chmod</code> on the remote machine under rksh, so you need to fix the permissions before you copy the file over. 
<pre>chmod 0600 /tmp/shosts<br /></pre> </li><li> <b>Copy the file over</b>: <pre>scp /tmp/shosts gigasource:~/.shosts<br /></pre> Below is a sample session <pre>ptolemy@myhost 4% echo "myhosts.eecs.berkeley.edu" > /tmp/shosts<br />ptolemy@myhost 5% chmod 0600 /tmp/shosts<br />ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts<br />Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': <i>your passphrase</i><br /><br />^Mshosts | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 100%<br /><br />ptolemy@myhost 7%<br /></pre> </li><li> <b>On your Windows machine, check to see if the file c:\ssh\etc\ssh_host_key.pub exists</b>: <ol><li> If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work, you should run <code>ssh-keygen</code> on a Unix host. Note that the -N below indicates that your computer will not have a passphrase. <pre> cd /tmp<br /> ssh-keygen -b 1024 -f ssh_host_key -N ''<br /> </pre> On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention, it think c: is a machine named 'c'. To copy the file under bash on Windows: <pre> cd c:/ssh/etc<br /> scp yourunixmachine:/tmp/ssh_host_key.pub .<br /> scp yourunixmachine:/tmp/ssh_host_key .<br /> </pre> On the Unix machine, remove /tmp/ssh_host_key </li><li> If c:/etc/ssh/ssh_host_key.pub exists on your Windows machine, copy it to a temporary file on the Unix machine: <pre> cd c:/ssh/etc<br /> scp ssh_host_key.pub yourunixmachine:/tmp<br /> </pre> </li></ol> </li><li> <b>Set up <code>~/.ssh/known_hosts</code> on gigasource</b>: On gigasource, <code>~/.ssh/known_hosts</code> lists hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigascale. 
<br />Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource. <ol><li>Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file </li><li> Add the fully qualified domain name of the windows machine to the beginning of the line. You should end up with something like <pre>maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243<br /></pre> Where the last number is several lines long. </li><li> Copy the file: <pre>scp /tmp/known_hosts gigasource:~/.ssh/known_hosts<br /></pre> </li></ol> </li><li> <b>From the local machine, test ssh with</b>: <pre>ssh -v gigasource cvs<br /></pre> you should not have to type in your password. </li></ol> <h2>Troubleshooting CVS SSH under NT</h2> <ol><li>Run <pre>ssh -v yourunixmachine cvs<br /></pre> and check the output, which should look like: <pre>ptolemy@carson 8% ssh -v gigasource cvs<br />SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.<br />Standard version. 
Does not use RSAREF.<br />carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config<br />carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0<br />carson.eecs.berkeley.edu: Connecting to gigasource [128.32.171.225] port 22.<br />carson.eecs.berkeley.edu: Allocated local port 1021.<br />carson.eecs.berkeley.edu: Connection established.<br />carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version \<br />1.2.26<br />carson.eecs.berkeley.edu: Waiting for server public key.<br />carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1\<br />024 bits).<br />carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.<br />carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/ra\<br />ndom_seed<br />carson.eecs.berkeley.edu: Encryption type: idea<br />carson.eecs.berkeley.edu: Sent encrypted session key.<br />carson.eecs.berkeley.edu: Installing crc compensation attack detector.<br />carson.eecs.berkeley.edu: Received encrypted confirmation.<br />carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authe\<br />ntication.<br />carson.eecs.berkeley.edu: Remote: Accepted by .shosts.<br />carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or \<br />invalid host key.<br />carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'cars\<br />on.eecs.berkeley.edu'.<br />carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with\<br /> the canonical host name using ssh, and then try again.<br />carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.<br />carson.eecs.berkeley.edu: No agent.<br />carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eec\<br />s.berkeley.edu'<br />carson.eecs.berkeley.edu: Received RSA challenge from server.<br />carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.\<br 
/>ssh/identity.<br />Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': <i>your CVS passphrase</i><br /><br />carson.eecs.berkeley.edu: Sending response to host key RSA challenge.<br />carson.eecs.berkeley.edu: Remote: RSA authentication accepted.<br />carson.eecs.berkeley.edu: RSA authentication accepted by server.<br />carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofin\<br />g.<br />carson.eecs.berkeley.edu: Sending command: cvs<br />carson.eecs.berkeley.edu: Entering interactive session.<br />Usage: cvs [cvs-options] command [command-options-and-arguments]<br /> where cvs-options are -q, -n, etc.<br /> (specify --help-options for a list of options)<br /> where command is add, admin, etc.<br /> (specify --help-commands for a list of commands<br /> or --help-synonyms for a list of command synonyms)<br /> where command-options-and-arguments depend on the specific command<br /> (specify -H followed by a command name for command-specific help)<br /> Specify --help to receive this message<br /><br />The Concurrent Versions System (CVS) is a tool for version control.<br />For CVS updates and additional information, see<br /> Cyclic Software at http://www.cyclic.com/ or<br /> Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html<br />carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0\<br />.1 seconds<br />carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0\<br />.0<br />carson.eecs.berkeley.edu: Exit status 1<br />ptolemy@carson 9%<br /></pre> </li><li>Check the value of the CVSROOT environment variable. It should be something like: :ext:myhost.eecs.berkeley.edu:/users/cvs/Repository </li><li>Be sure that you have created a key on the Unix side and copied the identity* files from Unix to NT </li><li>Be sure that $HOME is set for your NT account </li><li>Try using the ssh.exe binary that the $CVS_RSH variable refers to. 
Below is an example where we rsh over to carson and get the date: <pre> bash-2.02$ echo $CVS_RSH<br /> D:\Program Files\Ptolemy\CVS SSH\ssh.exe<br /> bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date<br /> Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':<br /> ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10<br /> Thu Feb 4 15:35:06 PST 1999<br /></pre> Below is an example that failed because of an incorrect CVS password, note that the password is prompted for twice: <pre> bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date<br /> Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':<br /> Bad passphrase.<br /> Password:<br /> Permission denied.<br /> bash-2.02cxh@maury 1% ssh gigasource -l ptolemy
      ptolemy@gigasource's password:

      Last login: Mon Mar 26 22:01:19 2001 from julian.eecs.ber
      $ pwd
      /home/cvsusers
      $ exit
      Connection to gigasource closed.
      cxh@maury 2%

      The steps below are slightly modified from the CVS SSH instructions

      SSH (and therefore CVS) can use RSA and Rhosts style authentication to make it so that you can login without typing your password. Using Rhosts authentication alone is insecure, and most CVS servers (this one included) disallow it. RSA can be used with or without Rhosts authentication. Using RSA alone, any user with the appropriate RSA key and passphrase can access the repository. Using RSA and Rhosts restricts repository access to only computers listed in Rhosts that also have the appropriate RSA key.

      Note that for RSA with Rhosts authentication to work, each host that you are logging in from needs to be listed in two files. If you are connecting from multiple hosts via dynamic DSL, then each time you connect, you are likely to have a different address, which makes managing the file difficult. There are several possible solutions, one is to try to use wildcards in ~/.ssh/known_hosts and ~/.shosts, the other is to run a script that updates these files automatically. Both solutions are complex and have security issues, so we do not cover them here. It is much simpler to use RSA authentication alone in this case.

      RSA authentication

      Once your account has been set up, do the following:

      1. Create ~/.ssh/id_rsa.pub on the local machine: If ~/.ssh/id_rsa.pub does not exist on your local machine, create it by running
        ssh-keygen -t rsa
        When prompted for a passphrase, hit return. If you type in a passphrase here, you will be prompted for that passphrase each time you connect.
        Running ssh-keygen generates the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are your private and public keys respectively.
      2. Create ~/.ssh/authorized_keys2 on gigasource: Set the permissions of ~/.ssh/id_rsa.pub to 0644 and then copy ~/.ssh/id_rsa.pub over to ~/.ssh/authorized_keys2, using the scp -p flag to preserve permissions.
        chmod 0644 ~/.ssh/id_rsa.pub
        scp -p ~/.ssh/id_rsa.pub yourgigasourcelogin@gigasource:~/.ssh/authorized_keys2
        where yourgigasourcelogin is your CVS login on gigasource.
      3. From the local machine, test ssh with
        ssh yourgigasourcelogin@gigasource cvs
        to check the setup.
      Below is a sample run:
      cxh@DOPLAP03 ~
      $ ssh-keygen -t rsa
      Generating public/private rsa key pair.
      Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
      Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
      The key fingerprint is:
      03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03

      cxh@DOPLAP03 ~
      $ chmod 0644 ~/.ssh/id_rsa.pub

      cxh@DOPLAP03 ~
      $ scp ~/.ssh/id_rsa.pub cxh@gigasource:~/.ssh/authorized_keys2
      The authenticity of host 'gigasource (128.32.171.225)' can't be established.
      RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
      Are you sure you want to continue connecting (yes/no)? yes
      Warning: Permanently added 'gigasource,128.32.171.225' (RSA) to the list of known hosts.
      cxh@gigasource's password:
      id_rsa.pub 100% |*****************************| 222 00:00

      cxh@DOPLAP03 ~
      $ ssh cxh@gigasource cvs
      Usage: cvs [cvs-options] command [command-options-and-arguments]
      where cvs-options are -q, -n, etc.
      (specify --help-options for a list of options)
      where command is add, admin, etc.
      (specify --help-commands for a list of commands
      or --help-synonyms for a list of command synonyms)
      where command-options-and-arguments depend on the specific command
      (specify -H followed by a command name for command-specific help)
      Specify --help to receive this message

      The Concurrent Versions System (CVS) is a tool for version control.
      For CVS updates and additional information, see
      the CVS home page at http://www.cvshome.org/ or
      Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html

      cxh@DOPLAP03 ~
      $
      After the above steps, you should not be prompted for your password each time you run a cvs command. There are two ways to avoid typing a passphrase each time.

      The first is to use only RSA authentication as described above, and give an empty passphrase. Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account. RSA authentication works with ssh1 and ssh2.

      The second way is to set up Rhosts RSA authentication, which currently only works with ssh1. In this case, ssh authenticates your computer instead of you. It is somewhat safer for your computer to log in without a password, because the CVS server can determine where your computer is located. Your computer can only log in without a password if it also has the correct name and IP. This method is shown below.
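      Before copying id_rsa.pub over, it is worth checking the files the RSA steps above created. The script below is an added example, not part of the original instructions; it assumes stat(1) accepts -c '%a' (GNU) or -f '%Lp' (BSD), and builds a constructed ~/.ssh directory with fake key files to show what the check reports.

```shell
#!/bin/sh
# Added example, not part of the original FAQ: check the local key files the
# RSA authentication steps produce before copying id_rsa.pub to gigasource.
# Assumes stat(1) accepts -c '%a' (GNU) or -f '%Lp' (BSD/macOS).
mode_of() {                       # octal permission bits of a file, e.g. 600
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# expect_mode FILE MODE: print a finding and return 1 when FILE's mode differs.
expect_mode() {
    [ -e "$1" ] || { echo "$1: missing"; return 1; }
    m=$(mode_of "$1")
    [ "$m" = "$2" ] || { echo "$1: mode $m, expected $2"; return 1; }
}

# check_ssh_key_files DIR: DIR is the local ~/.ssh. Verifies the modes the
# instructions rely on (private key readable only by you; id_rsa.pub 0644,
# since scp -p copies that mode onto authorized_keys2) and that id_rsa.pub is
# the single "ssh-rsa ..." line ssh-keygen writes. Returns 0 when all is well.
check_ssh_key_files() {
    dir=$1; rc=0
    expect_mode "$dir" 700 || rc=1
    expect_mode "$dir/id_rsa" 600 || rc=1
    expect_mode "$dir/id_rsa.pub" 644 || rc=1
    if [ -f "$dir/id_rsa.pub" ]; then
        case "$(head -n 1 "$dir/id_rsa.pub")" in
            'ssh-rsa '*) ;;
            *) echo "$dir/id_rsa.pub: does not start with 'ssh-rsa '"; rc=1 ;;
        esac
        [ "$(grep -c '' "$dir/id_rsa.pub")" -eq 1 ] ||
            { echo "$dir/id_rsa.pub: expected exactly one line"; rc=1; }
    fi
    return $rc
}
# make_sample_sshdir DIR: constructed ~/.ssh (not real keys) with one deliberate
# mistake, a world-readable private key, to show what the check reports.
make_sample_sshdir() {
    mkdir -p "$1" && chmod 700 "$1"
    echo "constructed private key, not a real key" > "$1/id_rsa"
    chmod 644 "$1/id_rsa"
    echo "ssh-rsa AAAAB3NzaC1yc2E...constructed cxh@DOPLAP03" > "$1/id_rsa.pub"
    chmod 644 "$1/id_rsa.pub"
}

d=$(mktemp -d)/.ssh
make_sample_sshdir "$d"
check_ssh_key_files "$d" || echo "fix the findings above before running scp -p"
chmod 600 "$d/id_rsa"
check_ssh_key_files "$d" && echo "$d is ready to copy"
```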

      Rhosts RSA authentication

      These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above.
      1. Set up ~/.shosts on gigasource: Create a temporary file on your local machine that contains the name of the host you will be logging in from.
        echo "myhost.eecs.berkeley.edu" > /tmp/shosts
      2. Change the permissions of the file on your local machine so that it is only readable by you. Note that you can't run chmod on the remote machine under rksh, so you need to fix the permissions before you copy the file over.
        chmod 0600 /tmp/shosts
      3. Copy the file over:
        scp /tmp/shosts gigasource:~/.shosts
        Below is a sample session:
        ptolemy@myhost 4% echo "myhosts.eecs.berkeley.edu" > /tmp/shosts
        ptolemy@myhost 5% chmod 0600 /tmp/shosts
        ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts
        Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': your passphrase

        shosts | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 100%

        ptolemy@myhost 7%
      4. On your Windows machine, check to see if the file c:\ssh\etc\ssh_host_key.pub exists:
        1. If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work; you should run ssh-keygen on a Unix host. Note that the -N '' below means that your computer's host key will have no passphrase.
          cd /tmp
          ssh-keygen -b 1024 -f ssh_host_key -N ''
          On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention; it thinks c: is a machine named 'c'. To copy the files under bash on Windows:
          cd c:/ssh/etc
          scp yourunixmachine:/tmp/ssh_host_key.pub .
          scp yourunixmachine:/tmp/ssh_host_key .
          On the Unix machine, remove /tmp/ssh_host_key.
        2. If c:/ssh/etc/ssh_host_key.pub exists on your Windows machine, copy it to a temporary file on the Unix machine:
          cd c:/ssh/etc
          scp ssh_host_key.pub yourunixmachine:/tmp
      5. Set up ~/.ssh/known_hosts on gigasource: On gigasource, ~/.ssh/known_hosts lists hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigasource.
        Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource.
        1. Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file (/tmp/known_hosts in step 3 below).
        2. Add the fully qualified domain name of the Windows machine to the beginning of the line. You should end up with something like
          maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243
          where the last number is several lines long.
        3. Copy the file:
          scp /tmp/known_hosts gigasource:~/.ssh/known_hosts
      6. From the local machine, test ssh with
        ssh -v gigasource cvs
        You should not have to type in your password.
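      The known_hosts line in step 5 is easy to get wrong by hand. The script below is an added example, not part of the original instructions; it assumes the ssh1 host key file layout "bits exponent modulus [comment]", uses a constructed placeholder key, and refuses an ssh2 key since this method only works with ssh1.

```shell
#!/bin/sh
# Added example, not from the original FAQ: build the ~/.ssh/known_hosts line
# that step 5 asks for from an ssh1 host public key, one line per connecting
# host. Assumes the ssh1 key file layout "bits exponent modulus [comment]".

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# ssh1_key_fields PUBFILE: print "bits exponent modulus", or fail when the file
# is not an ssh1 host key. An "ssh-rsa ..." ssh2 key is rejected on purpose:
# Rhosts RSA authentication only works with ssh1, so such a key cannot be used.
ssh1_key_fields() {
    read -r bits exp mod rest < "$1" || return 1
    is_num "$bits" && is_num "$exp" && is_num "$mod" ||
        { echo "$1: not an ssh1 public key" >&2; return 1; }
    [ "$bits" -ge 1024 ] ||
        { echo "$1: $bits-bit host key, the instructions generate 1024" >&2; return 1; }
    echo "$bits $exp $mod"
}

# known_hosts_line FQDN PUBFILE: the line gigasource needs for FQDN.
known_hosts_line() {
    fields=$(ssh1_key_fields "$2") || return 1
    echo "$1 $fields"
}

# add_known_host FILE FQDN PUBFILE: append FQDN's line unless FILE already has
# an entry for that host, so the file can be rebuilt and re-copied safely.
add_known_host() {
    if [ -f "$1" ] && grep -q "^$2 " "$1"; then
        echo "$1: $2 already listed, nothing added" >&2
        return 0
    fi
    line=$(known_hosts_line "$2" "$3") || return 1
    echo "$line" >> "$1"
}

# Constructed sample input: one ssh1 host key (the modulus is a placeholder,
# a real one is far longer) and one ssh2 key that must be rejected.
tmp=$(mktemp -d)
echo "1024 17 27348124368712489214987214872164987243 root@maury" > "$tmp/ssh_host_key.pub"
echo "ssh-rsa AAAAB3NzaC1yc2E constructed@example" > "$tmp/ssh2_key.pub"
add_known_host "$tmp/known_hosts" maury.eecs.berkeley.edu "$tmp/ssh_host_key.pub"
add_known_host "$tmp/known_hosts" maury.eecs.berkeley.edu "$tmp/ssh_host_key.pub"
add_known_host "$tmp/known_hosts" other.eecs.berkeley.edu "$tmp/ssh2_key.pub" ||
    echo "ssh2 key rejected, as expected"
cat "$tmp/known_hosts"      # one line: maury.eecs.berkeley.edu 1024 17 2734...
```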

      Troubleshooting CVS SSH under NT

      1. Run
        ssh -v yourunixmachine cvs
        and check the output, which should look like:
        ptolemy@carson 8% ssh -v gigasource cvs
        SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
        Standard version. Does not use RSAREF.
        carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config
        carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0
        carson.eecs.berkeley.edu: Connecting to gigasource [128.32.171.225] port 22.
        carson.eecs.berkeley.edu: Allocated local port 1021.
        carson.eecs.berkeley.edu: Connection established.
        carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version 1.2.26
        carson.eecs.berkeley.edu: Waiting for server public key.
        carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1024 bits).
        carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.
        carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/random_seed
        carson.eecs.berkeley.edu: Encryption type: idea
        carson.eecs.berkeley.edu: Sent encrypted session key.
        carson.eecs.berkeley.edu: Installing crc compensation attack detector.
        carson.eecs.berkeley.edu: Received encrypted confirmation.
        carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
        carson.eecs.berkeley.edu: Remote: Accepted by .shosts.
        carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or invalid host key.
        carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'carson.eecs.berkeley.edu'.
        carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with the canonical host name using ssh, and then try again.
        carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.
        carson.eecs.berkeley.edu: No agent.
        carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eecs.berkeley.edu'
        carson.eecs.berkeley.edu: Received RSA challenge from server.
        carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.ssh/identity.
        Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': your CVS passphrase

        carson.eecs.berkeley.edu: Sending response to host key RSA challenge.
        carson.eecs.berkeley.edu: Remote: RSA authentication accepted.
        carson.eecs.berkeley.edu: RSA authentication accepted by server.
        carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofing.
        carson.eecs.berkeley.edu: Sending command: cvs
        carson.eecs.berkeley.edu: Entering interactive session.
        Usage: cvs [cvs-options] command [command-options-and-arguments]
        where cvs-options are -q, -n, etc.
        (specify --help-options for a list of options)
        where command is add, admin, etc.
        (specify --help-commands for a list of commands
        or --help-synonyms for a list of command synonyms)
        where command-options-and-arguments depend on the specific command
        (specify -H followed by a command name for command-specific help)
        Specify --help to receive this message

        The Concurrent Versions System (CVS) is a tool for version control.
        For CVS updates and additional information, see
        Cyclic Software at http://www.cyclic.com/ or
        Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
        carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0.1 seconds
        carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0.0
        carson.eecs.berkeley.edu: Exit status 1
        ptolemy@carson 9%
      2. Check the value of the CVSROOT environment variable. It should be something like :ext:myhost.eecs.berkeley.edu:/users/cvs/Repository
      3. Be sure that you have created a key on the Unix side and copied the identity* files from Unix to NT.
      4. Be sure that $HOME is set for your NT account.
      5. Try using the ssh.exe binary that the $CVS_RSH variable refers to. Below is an example where we use ssh to connect to carson and get the date:
        bash-2.02$ echo $CVS_RSH
        D:\Program Files\Ptolemy\CVS SSH\ssh.exe
        bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
        Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
        ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
        Thu Feb 4 15:35:06 PST 1999
        Below is an example that failed because of an incorrect CVS password; note that the password is prompted for twice:
        bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
        Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
        Bad passphrase.
        Password:
        Permission denied.
        bash-2.02$
      6. Verify that you can use ssh to connect between two Unix boxes.
      7. Check ssh_config. RSAAuthentication and/or RhostsRSAAuthentication must be turned on. One way to do this locally is by having an /Program\ Files/Ptolemy/CVS\ SSH/ssh_config file that looks like:
        Host *
        RSAAuthentication yes
        RhostsRSAAuthentication yes
      8. Reboot NT.
