VC with CVS over SSH

VC with CVS over SSH

[Phillip Lord]

I am having some problems with using CVS within vc. The problem is
that my ssh connection is password prompting me, and vc-diff doesn't
like it (the password prompt comes up in a read only buffer).

Funnily enough pcl-cvs works fine with this, although the password
prompt that I get looks like its coming from GNOME, rather than emacs,
which was a bit of a surprise. 

Anyone got any ideas?

Phil

Re: VC with CVS over SSH

[Richard V. Molen]

Phillip Lord <p.lord@russet.org.uk> writes:

> I am having some problems with using CVS within vc. The problem is
> that my ssh connection is password prompting me, and vc-diff doesn't
> like it (the password prompt comes up in a read only buffer).

Use ssh-agent along with RSA or DSA passphrase.  There are many ways
to do this, here's one.

...From bash command line (after using ssh-keygen to generate either
an RSA or a DSA passphrase)...

exec ssh-agent $SHELL
ssh-add

...ssh-add will prompt for the passphrase and save the key for
ssh-agent.  Now anything started from that shell will not need a
password (nor passphrase) since the ssh-agent will pass the key
automagically....

emacs &

Hope this helps.

-- 
Richard V. Molen

Warning!!
Signature under construction, safety glasses required.

Re: VC with CVS over SSH

[Phillip Lord]

>>>>> "Richard" == Richard V Molen <rvmolen@bambecksystems.com> writes:

  Richard> Phillip Lord <p.lord@russet.org.uk> writes:

  >> I am having some problems with using CVS within vc. The problem
  >> is that my ssh connection is password prompting me, and vc-diff
  >> doesn't like it (the password prompt comes up in a read only
  >> buffer).

  Richard> Use ssh-agent along with RSA or DSA passphrase.  There are
  Richard> many ways to do this, here's one.

  Richard> ...From bash command line (after using ssh-keygen to
  Richard> generate either an RSA or a DSA passphrase)...

  Richard> exec ssh-agent $SHELL ssh-add

  Richard> ...ssh-add will prompt for the passphrase and save the key
  Richard> for ssh-agent.  Now anything started from that shell will
  Richard> not need a password (nor passphrase) since the ssh-agent
  Richard> will pass the key automagically....

  Richard> emacs &

  Richard> Hope this helps.

 
Okay, I guess you are right. I normally don't use ssh-agent, because
I found the documentation a little scary, but it probably is time to
learn it properly!

Thanks.

Phil

Re: VC with CVS over SSH

[Richard V. Molen]

Phillip Lord <p.lord@russet.org.uk> writes:
>  
> Okay, I guess you are right. I normally don't use ssh-agent, because
> I found the documentation a little scary, but it probably is time to
> learn it properly!
> 
> Thanks.
> 
> Phil

I did too.  It helped me to remember that the client generates the keys
and puts the public key(s) on the (sshd) server.  Also that ssh2 DSA is
sufficient if you have it; I think the rest is for historical support.

But I'm getting off topic.  Here's some helpful URLs.
www.tac.nyc.ny.us/kim/ssh/                    good ssh tutorial
www.openssl.org/support/faq.cgi  OpenSSL FAQ
www.oreilly.com/catalog/sshtdg/chapter/   O'Reilly book
www.uk.research.att.com/vnc/sshvnc.html       vnc ssh

If you're interested, I can email you a crude bash script you can run
on the client that will setup the first user on both client & server.


-- 
Richard V. Molen

Warning!!
Signature under construction, safety glasses required.

Re: VC with CVS over SSH

[Klaus Berndl]

On 25 Oct 2002, Richard V. Molen wrote:



>  Phillip Lord <p.lord@russet.org.uk> writes:
> >  
> > Okay, I guess you are right. I normally don't use ssh-agent, because
> > I found the documentation a little scary, but it probably is time to
> > learn it properly!
> > 
> > Thanks.
> > 
> > Phil
>  
>  I did too.  It helped me to remember that the client generates the keys
>  and puts the public key(s) on the (sshd) server.  Also that ssh2 DSA is
>  sufficient if you have it; I think the rest is for historical support.
>  
>  But I'm getting off topic.  Here's some helpful URLs.
>  www.tac.nyc.ny.us/kim/ssh/                    good ssh tutorial
>  www.openssl.org/support/faq.cgi  OpenSSL FAQ
>  www.oreilly.com/catalog/sshtdg/chapter/   O'Reilly book
>  www.uk.research.att.com/vnc/sshvnc.html       vnc ssh
>  
>  If you're interested, I can email you a crude bash script you can run
>  on the client that will setup the first user on both client & server.

If this is not too much effort for you, i would be also interested in this
script.

Klaus

-- 
Klaus Berndl			mailto: klaus.berndl@sdm.de
sd&m AG				http://www.sdm.de
software design & management	
Thomas-Dehler-Str. 27, 81737 München, Germany
Tel +49 89 63812-392, Fax -220

Re: VC with CVS over SSH

[Phillip Lord]

>>>>> "Klaus" == Klaus Berndl <Klaus.Berndl@sdm.de> writes:

  Klaus> On 25 Oct 2002, Richard V. Molen wrote:



  >> Phillip Lord <p.lord@russet.org.uk> writes:
  >> >   Okay, I guess you are right. I normally don't use ssh-agent,
  >> >   because I
  >> >found the documentation a little scary, but it probably is time
  >> >to learn it properly!
  >> >
  >> > Thanks.
  >> >
  >> > Phil
  >> I did too.  It helped me to remember that the client generates
  >> the keys and puts the public key(s) on the (sshd) server.  Also
  >> that ssh2 DSA is sufficient if you have it; I think the rest is
  >> for historical support.
  >>
  >> But I'm getting off topic.  Here's some helpful URLs.
  >> www.tac.nyc.ny.us/kim/ssh/ good ssh tutorial
  >> www.openssl.org/support/faq.cgi OpenSSL FAQ
  >> www.oreilly.com/catalog/sshtdg/chapter/ O'Reilly book
  >> www.uk.research.att.com/vnc/sshvnc.html vnc ssh
  >>
  >> If you're interested, I can email you a crude bash script you can
  >> run on the client that will setup the first user on both client &
  >> server.

  Klaus> If this is not too much effort for you, i would be also
  Klaus> interested in this script.

If its not sensitive, perhaps you could just post it. I would
certainly be interested. 

Cheers

Phil 

Re: VC with CVS over SSH

[Richard V. Molen]

Phillip Lord <p.lord@russet.org.uk> writes:

> >>>>> "Klaus" == Klaus Berndl <Klaus.Berndl@sdm.de> writes:
> 
>   Klaus> On 25 Oct 2002, Richard V. Molen wrote:
> 
>   >> But I'm getting off topic.  Here's some helpful URLs.
>   >> www.tac.nyc.ny.us/kim/ssh/ good ssh tutorial
>   >> www.openssl.org/support/faq.cgi OpenSSL FAQ
>   >> www.oreilly.com/catalog/sshtdg/chapter/ O'Reilly book
>   >> www.uk.research.att.com/vnc/sshvnc.html vnc ssh
>   >>
>   >> If you're interested, I can email you a crude bash script you can
>   >> run on the client that will setup the first user on both client &
>   >> server.
> 
>   Klaus> If this is not too much effort for you, i would be also
>   Klaus> interested in this script.
> 
> If its not sensitive, perhaps you could just post it. I would
> certainly be interested. 

Here it is, along with these disclaimers...
1. Use at your own risk.
2. I am not an expert on ssh nor bash.
3. Read the comments before running, this does delete some files.
4. Read the 'man ssh' page & 'good ssh tutorial' (above) first.

===start of script file===
#! /bin/bash
#Generates private & public keys for SSH access on client & server sides
#for the first time. Run this on client machine w/o arguments.
#
#--- DELETES/REPLACES prior authorized keys & config on BOTH client & server ---
#
#Modify this script if you need to preserve prior work on the
#client or the server.  If _you_ don't _already_ connect to this server from 
#other clients then use this w/o worry.
#
#This sets ssh to use only protocol version 2 DSA public key authentication.
#RSA key generation should work too, if uncommented.
#
#Makes config file that for client that is copied to server for its other clients.
#
#Ran script on a client running Cygwin bash 
#with "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f"
#to a RH 7.3 Linux server running openssh daemon sshd.
#
#Note: For older versions DSA keys used separate files authorized_keys2 etc.  
#      on server 'man ssh' then /^FILES


echo "deleting 'authorized_keys' and all key files on client"
echo "deleting 'known_hosts' -- these will be recreated in this script"
cd ~/.ssh/
rm -f authorized_keys id* known_hosts

# echo "generate public & private keys -- these will ask for a passphrases"
# echo "Make private key file for RSA1 (protocol 1) using RSA"
# echo "~/.ssh/(identity identity.pub)"
# ssh-keygen
# cat identity.pub >> authorized_keys
# 
# echo "Make private key file for SSH2 (protocol 2) using RSA"
# echo "~/.ssh/(id_dsa id_dsa.pub) -- ssh2 protocol 2 only rsa"
# ssh-keygen -t rsa
# cat id_rsa.pub >> authorized_keys

echo "Make private key file for SSH2 (protocol 2) using DSA"
echo "~/.ssh/(id_dsa id_dsa.pub) -- ssh2 protocol 2 only dsa (replaces .rhost...)"
ssh-keygen -t dsa -f id_dsa
cat id_dsa.pub >> authorized_keys

echo "Disable ssh config file until end of script by"
echo "Renaming it from ~/.ssh/config file to config.OLD."
mv config config.OLD

echo "Copy public keys to server (sshd host)"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "(saying yes puts server key in client's known_hosts file.)"
echo "expect to enter password..."
scp -p authorized_keys $RUSER@$RSERVER:.ssh/

echo "Disallow write permission for groups & others for ssh files"
echo "expect to enter passphrase or password..."
ssh -2 -i id_dsa $RUSER@$RSERVER chmod go-w . .ssh .ssh/authorized_keys

echo "Generate config file for client."
cat <<EOF >config
# ssh configuration file
#Should double on client and server with NFS-home ability
#Summary: use only ssh2/DSA key auth.  rename this file to experiment
# ref: 'man ssh' or 'info ssh' then '/CONFIGURATION FILES'

# each host can have different settings. * means 'the rest'
# Host 999.999.999.999
  Host *
# batch mode runs w/o user so no password/phrase requested.
# BatchMode no
# check ip address is in ~/.ssh/known_hosts
  CheckHostIP yes
# protocol version 1 session encryption
# Cipher blowfish
# protocol version 2 session encrpytion
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
  Compression yes
  CompressionLevel 6
# ConnectionAttempts 1
# EscapeChar ^]
  FallBackToRsh no
# ForwardAgent no
  ForwardX11 yes
# GatewayPorts no
# protocol 2 -- use rhosts authentication first.
  HostbasedAuthentication no
# key crypt algorithms to try in this order.
  HostKeyAlgorithms ssh-dss
# HostKeyAlias  for tunneling
# HostName -- specifies the real host name to log into.
# protocol 1 RSA1=identity, protocol 2 RSA=id_rsa, DSA=id_dsa
  IdentityFile ~/.ssh/id_dsa
  KeepAlive yes
# Kerberos...
# LocalForward host:port
  LogLevel INFO
# message authentication code algorithms in order of preference (protocol 2)
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# Don't gripe about wrong host on NFS-home system.
  NoHostAuthenticationForLocalhost yes
  NumberOfPasswordPrompts 2
  PasswordAuthentication no
# Port 22
# protocol 2 preferred authentications default: publickey, password, keyboard-interactive
  PreferredAuthentications publickey
# Just use protocol 2
  Protocol 2
  PubkeyAuthentication yes
# RemoteForward host:port
# protocol 1 .rhosts check
# RhostsAuthenication no
# protocol 1 rhostrsa auth
# RhostsRSAAuthenication no
  ChallengeResponseAuthentication yes
# UsePrivilegedPort no
  User ric
  UseRsh no
# XAuthLocation /usr/X11R6/bin/xauth
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
EOF
echo "Clean up known_hosts file so that only DSA server key is therein"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "expect to enter passphrase & see server's present working directory"
rm known_hosts

echo "try ssh to see if a passphrase is requested"
echo "expect to enter passphrase & see server's .ssh directory."
ssh $RUSER@$RSERVER ls -l .ssh

echo "Amend config file to require DSA key for server in client's known_hosts."
cat <<EOF >>config
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
  StrictHostKeyChecking yes
EOF

echo "Copy ssh config file to server (sshd host) for its other clients"
echo "It will replace servers config file"
echo "expect to enter passphrase..."
scp -p config $RUSER@$RSERVER:.ssh/

echo "...$0 is done -- ssh should be ready to use..."
echo "...if password support is needed edit ~/.ssh/config or rename it..."
===end of script file===

-- 
Richard V. Molen

Warning!!
Signature under construction, safety glasses required.