unofficial mirror of help-gnu-emacs@gnu.org
From: rvmolen@bambecksystems.com (Richard V. Molen)
Subject: Re: VC with CVS over SSH
Date: 25 Oct 2002 09:55:40 -0700	[thread overview]
Message-ID: <usmyuv4oj.fsf@bambecksystems.com> (raw)
In-Reply-To: vf65vqoao2.fsf@rpc71.cs.man.ac.uk

Phillip Lord <p.lord@russet.org.uk> writes:

> >>>>> "Klaus" == Klaus Berndl <Klaus.Berndl@sdm.de> writes:
> 
>   Klaus> On 25 Oct 2002, Richard V. Molen wrote:
> 
>   >> But I'm getting off topic.  Here's some helpful URLs.
>   >> www.tac.nyc.ny.us/kim/ssh/ good ssh tutorial
>   >> www.openssl.org/support/faq.cgi OpenSSL FAQ
>   >> www.oreilly.com/catalog/sshtdg/chapter/ O'Reilly book
>   >> www.uk.research.att.com/vnc/sshvnc.html vnc ssh
>   >>
>   >> If you're interested, I can email you a crude bash script you can
>   >> run on the client that will setup the first user on both client &
>   >> server.
> 
>   Klaus> If this is not too much effort for you, i would be also
>   Klaus> interested in this script.
> 
> If its not sensitive, perhaps you could just post it. I would
> certainly be interested. 

Here it is, along with these disclaimers...
1. Use at your own risk.
2. I am not an expert on ssh nor bash.
3. Read the comments before running, this does delete some files.
4. Read the 'man ssh' page & 'good ssh tutorial' (above) first.

===start of script file===
#! /bin/bash
#Generates private & public keys for SSH access on client & server sides
#for the first time. Run this on client machine w/o arguments, with the
#remote login name and server host set in the environment, e.g.
#    RUSER=ric RSERVER=server.example.com ./thisscript   (placeholder names)
#
#--- DELETES/REPLACES prior authorized keys & config on BOTH client & server ---
#
#Modify this script if you need to preserve prior work on the
#client or the server.  If _you_ don't _already_ connect to this server from
#other clients then use this w/o worry.
#
#This sets ssh to use only protocol version 2 DSA public key authentication.
#RSA key generation should work too, if uncommented.
#
#Makes a config file for the client that is also copied to the server for its other clients.
#
#Ran script on a client running Cygwin bash
#with "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f"
#to a RH 7.3 Linux server running openssh daemon sshd.
#
#Note: For older versions DSA keys used separate files authorized_keys2 etc.
#      on server 'man ssh' then /^FILES

# Both variables are required; stop with a message rather than run with empty names.
: "${RUSER:?set RUSER to your login name on the server}"
: "${RSERVER:?set RSERVER to the server host name}"

echo "deleting 'authorized_keys' and all key files on client"
echo "deleting 'known_hosts' -- these will be recreated in this script"
# Create ~/.ssh if it is missing and stop if we cannot enter it; otherwise
# the rm below would run in whatever directory we happen to be in.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cd ~/.ssh/ || exit 1
rm -f authorized_keys id* known_hosts

# echo "generate public & private keys -- these will ask for a passphrases"
# echo "Make private key file for RSA1 (protocol 1) using RSA"
# echo "~/.ssh/(identity identity.pub)"
# ssh-keygen
# cat identity.pub >> authorized_keys
#
# echo "Make private key file for SSH2 (protocol 2) using RSA"
# echo "~/.ssh/(id_rsa id_rsa.pub) -- ssh2 protocol 2 only rsa"
# ssh-keygen -t rsa
# cat id_rsa.pub >> authorized_keys

echo "Make private key file for SSH2 (protocol 2) using DSA"
echo "~/.ssh/(id_dsa id_dsa.pub) -- ssh2 protocol 2 only dsa (replaces .rhost...)"
ssh-keygen -t dsa -f id_dsa || exit 1
cat id_dsa.pub >> authorized_keys

echo "Disable ssh config file until end of script by"
echo "Renaming it from ~/.ssh/config file to config.OLD."
[ -f config ] && mv config config.OLD

echo "Copy public keys to server (sshd host)"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "(saying yes puts server key in client's known_hosts file.)"
echo "expect to enter password..."
# One password prompt: creates ~/.ssh on the server if missing, then
# replaces its authorized_keys with ours (scp alone would fail without the directory).
ssh "$RUSER@$RSERVER" 'mkdir -p .ssh && cat > .ssh/authorized_keys' < authorized_keys || exit 1

echo "Disallow write permission for groups & others for ssh files"
echo "expect to enter passphrase or password..."
# config is disabled right now, so protocol and identity are given explicitly.
ssh -2 -i id_dsa "$RUSER@$RSERVER" chmod go-w . .ssh .ssh/authorized_keys

echo "Generate config file for client."
# Unquoted heredoc: $RUSER is expanded into the file.
cat <<EOF >config
# ssh configuration file
# Meant to serve both client and server when home directories are shared over NFS.
# Summary: use only ssh2/DSA key auth.  Rename this file to experiment.
# ref: 'man ssh' or 'info ssh' then '/CONFIGURATION FILES'

# each host can have different settings. * means 'the rest'
# Host 999.999.999.999
  Host *
# batch mode runs w/o user so no password/phrase requested.
# BatchMode no
# check ip address is in ~/.ssh/known_hosts
  CheckHostIP yes
# protocol version 1 session encryption
# Cipher blowfish
# protocol version 2 session encryption
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
  Compression yes
  CompressionLevel 6
# ConnectionAttempts 1
# EscapeChar ^]
  FallBackToRsh no
# ForwardAgent no
  ForwardX11 yes
# GatewayPorts no
# protocol 2 -- use rhosts authentication first.
  HostbasedAuthentication no
# key crypt algorithms to try in this order.
  HostKeyAlgorithms ssh-dss
# HostKeyAlias  for tunneling
# HostName -- specifies the real host name to log into.
# protocol 1 RSA1=identity, protocol 2 RSA=id_rsa, DSA=id_dsa
  IdentityFile ~/.ssh/id_dsa
  KeepAlive yes
# Kerberos...
# LocalForward host:port
  LogLevel INFO
# message authentication code algorithms in order of preference (protocol 2)
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# Don't gripe about wrong host on NFS-home system.
  NoHostAuthenticationForLocalhost yes
  NumberOfPasswordPrompts 2
  PasswordAuthentication no
# Port 22
# protocol 2 preferred authentications default: publickey, password, keyboard-interactive
  PreferredAuthentications publickey
# Just use protocol 2
  Protocol 2
  PubkeyAuthentication yes
# RemoteForward host:port
# protocol 1 .rhosts check
# RhostsAuthentication no
# protocol 1 rhostrsa auth
# RhostsRSAAuthentication no
  ChallengeResponseAuthentication yes
# UsePrivilegedPort no
# login name on the server
  User $RUSER
  UseRsh no
# XAuthLocation /usr/X11R6/bin/xauth
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
EOF
echo "Clean up known_hosts file so that only DSA server key is therein"
rm -f known_hosts

echo "try ssh to see if a passphrase is requested"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "expect to enter passphrase & see server's .ssh directory."
ssh "$RUSER@$RSERVER" ls -l .ssh || exit 1

echo "Amend config file to require DSA key for server in client's known_hosts."
cat <<EOF >>config
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
  StrictHostKeyChecking yes
EOF

echo "Copy ssh config file to server (sshd host) for its other clients"
echo "It will replace server's config file"
echo "expect to enter passphrase..."
scp -p config "$RUSER@$RSERVER:.ssh/"

echo "...$0 is done -- ssh should be ready to use..."
echo "...if password support is needed edit ~/.ssh/config or rename it..."
===end of script file===

-- 
Richard V. Molen

Warning!!
Signature under construction, safety glasses required.
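Added example, not part of the original post or the script it carries: a small POSIX sh audit that checks a generated ~/.ssh/config for the settings the script's comments promise (protocol 2, public-key only, strict host key checking) and that the chmod go-w step left nothing group- or world-writable. The option names are OpenSSH's; ssh_opt, audit_ssh_config, audit_ssh_perms and the sample config are constructed here.

```shell
#!/bin/sh
# Added audit helper, not from the original post: check that a generated ssh
# client config and key directory match what the script above intends.
# Simplification: Host blocks are ignored, as the script emits a single "Host *".
# Print the value of the first uncommented occurrence of an option
# (ssh itself also takes the first match it finds).
ssh_opt() {            # usage: ssh_opt CONFIGFILE Option
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# Return 0 if the config enforces protocol-2, public-key-only authentication
# with pinned host keys; otherwise print each deviation and return 1.
audit_ssh_config() {   # usage: audit_ssh_config CONFIGFILE
    cfg=$1; rc=0
    check() {          # usage: check Option ExpectedValue
        got=$(ssh_opt "$cfg" "$1")
        [ "$got" = "$2" ] || { echo "FAIL: $1 is '${got:-unset}', want '$2'"; rc=1; }
    }
    check Protocol 2
    check PubkeyAuthentication yes
    check PasswordAuthentication no
    check PreferredAuthentications publickey
    check StrictHostKeyChecking yes
    return $rc
}
# Return 0 if nothing under DIR is group- or world-writable, i.e. the
# "chmod go-w" step held (sshd ignores keys under writable directories).
audit_ssh_perms() {    # usage: audit_ssh_perms DIR
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}
# Constructed sample: the script's config before its final append step,
# so StrictHostKeyChecking is still only a comment and the audit flags it.
demo=$(mktemp -d)
cat > "$demo/config" <<'EOF'
  Host *
  Protocol 2
  PubkeyAuthentication yes
  PasswordAuthentication no
  PreferredAuthentications publickey
# StrictHostKeyChecking yes
EOF
chmod 700 "$demo" && chmod 644 "$demo/config"
audit_ssh_config "$demo/config" || echo "config not yet hardened"
audit_ssh_perms "$demo" && echo "permissions OK"
rm -rf "$demo"
```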
