Search: 
 
View
  By section
  As outline
  Fully expanded

FAQ sections
  cvs

Questions
  Getting account
  Getting started
  cvs-remote-links
  CVS Clients
  cvs-local-resources
  common-commands
  common-tasks
  CVS and Eclipse
  admin-commands
  EDITOR-variable
  no password
  cvs-laptop
  change-password
  cvs-authoring
  Administrator/mkpasswd
  CVS account name
  Cygwin home dir
  Cygwin CR/NL problems
  Who gets one?
  anonymous access
  SCCS/RCS/CVS conversion
  Failed to connect . . .
  cvs update is slow
  cvs mail
  Cygwin copy & paste
  CVS Web Interface
  SVN vs CVS
  CVS on the Mac
 
Software Development
FAQ
CVS
Previous section  |  This section  |  Next section
Previous question  |  This question  |  Next question

How do I use CVS without typing my password each time?
Christopher Brooks, 18 Jul 2000
Last updated: 13 Sep 2005

To use CVS without typing your password, you will need an individual account on gigasource.

If your CVS account was created after September 2000, then it is fairly likely that you already have an individual account.

If you would like to check, log in to your cvs account on gigasource and run pwd.

  • If your home directory is /home/cvsusers then you not have an individual account. You should follow the instructions in How do I get a CVS account? and request an individual account. In the comments section be sure to state that you think you have a shared account and that you would like your account recreated as an individual account so that you do not have to type your password.
    A GSRC Adminstrators will edit /etc/passwd and /etc/shadow and remove your account and then recreate your account.
    GSRC Admins can view How are cvs accounts created? for details.
  • If your home directory is anything but /home/cvsusers, then you already have an individual account, and you can proceed without sending email
    • For example, the ptolemy users does not have an individual account, so email should be sent: 
    cxh@maury 1% ssh gigasource -l ptolemy
ptolemy@gigasource's password:

Last login: Mon Mar 26 22:01:19 2001 from julian.eecs.ber
$ pwd
/home/cvsusers
$ exit
Connection to gigasource closed.
cxh@maury 2%

    The steps below are slightly modified from the CVS SSH instructions

    SSH (and therefore CVS) can use RSA and Rhosts style authentication to make it so that you can login without typing your password. Using Rhosts authentication alone is insecure, and most CVS servers (this one included) disallow it. RSA can be used with or without Rhosts authentication. Using RSA alone, any user with the appropriate RSA key and passphrase can access the repository. Using RSA and Rhosts restricts repository access to only computers listed in Rhosts that also have the appropriate RSA key.

    Note that for RSA with Rhosts authentication to work, each host that you are logging in from needs to be listed in two files. If you are connecting from multiple hosts via dynamic DSL, then each time you connect, you are likely to have a different address, which makes managing the file difficult. There are several possible solutions, one is to try to use wildcards in ~/.ssh/known_hosts and ~/.shosts, the other is to run a script that updates these files automatically. Both solutions are complex and have security issues, so we do not cover them here. It is much simpler to use RSA authentication alone in this case.

    RSA authentication

    Once your account has been set up, do the following:

    1. Create ~/.ssh/id_rsa.pub on the local machine: If ~/.ssh/id_rsa.pub does not exist, on your local machine, then create it by running ssh-keygen -t rsa
      When prompted for a passphrase, hit return. If you type in a passphrase here, you will be prompted for that passphrase each time.
      Running ssh-keygen will generate the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are your private and public encryption keys respectively.
    2. Create ~/.ssh/authorized_keys2 on gigasource: Set the permission of ~/.ssh/id_rsa.pub to 0644 and then copy ~/.ssh/id_rsa.pub over to ~/.ssh/authorized_keys2 with the scp -p flag to preserve permissions. 
      chmod 0644 ~/.ssh/id_rsa.pub
scp -p ~/.ssh/id_rsa.pub yourgigasourcelogin@gigasource:~/.ssh/authorized_keys2
      where yourgigasourcelogin is the your CVS login on gigasource.
    3. From the local machine, test ssh with: 
      ssh yourgigasourcelogin@gigasource cvs
      to check the set up.
    Below is a sample run 
    cxh@DOPLAP03 ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
The key fingerprint is:
03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03

cxh@DOPLAP03 ~
$ chmod 0644 ~/.ssh/id_rsa.pub

cxh@DOPLAP03 ~
$ scp ~/.ssh/id_rsa.pub cxh@gigasource:~/.ssh/authorized_keys2
The authenticity of host 'gigasource (128.32.171.225)' can't be established.
RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gigasource,128.32.171.225' (RSA) to the list of know
n hosts.
cxh@gigasource's password:
id_rsa.pub           100% |*****************************|   222       00:00

cxh@DOPLAP03 ~
$ ssh cxh@gigasource cvs
Usage: cvs [cvs-options] command [command-options-and-arguments]
  where cvs-options are -q, -n, etc.
    (specify --help-options for a list of options)
  where command is add, admin, etc.
    (specify --help-commands for a list of commands
     or --help-synonyms for a list of command synonyms)
  where command-options-and-arguments depend on the specific command
    (specify -H followed by a command name for command-specific help)
  Specify --help to receive this message

The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
    the CVS home page at http://www.cvshome.org/ or
    Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html

cxh@DOPLAP03 ~
$
    The above steps should not prompt you for your password each time you run a cvs command. There are two ways to enable yourself to not type a passphrase each time.

    The first is to use only RSA authentication as described above, and give an empty passphrase. Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account. RSA authentication works with ssh1 and ss2.

    The second way is to set up Rhosts RSA authentication, which currently only works with ssh1. In this case, ssh will authenticate your computer instead of you. It is somewhat safer for your computer to log in without a password because the CVS server can determine where your computer is located. Your computer can only login without a password if it also has the correct name and IP. This method is shown below.

    Rhosts RSA authentication

    These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above.
    1. Setup ~/.shosts on gigasource: Create a temporary file on your local machine that contains the name of the host you will be logging in from. 
      echo "myhost.eecs.berkeley.edu" > /tmp/shosts
    2. Change the permissions of the file on you local machine so that it is only readable by you. Note that you can't run chmod on the remote machine under rksh, so you need to fix the permissions before you copy the file over. 
      chmod 0600 /tmp/shosts
    3. Copy the file over: 
      scp /tmp/shosts gigasource:~/.shosts
      Below is a sample session 
      ptolemy@myhost 4% echo "myhosts.eecs.berkeley.edu" > /tmp/shosts
ptolemy@myhost 5% chmod 0600 /tmp/shosts
ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts
Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': your passphrase

^Mshosts                    |          0 KB |   0.0 kB/s | ETA: 00:00:00 | 100%

ptolemy@myhost 7%
    4. On your Windows machine, check to see if the file c:\ssh\etc\ssh_host_key.pub exists:
      1. If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work, you should run ssh-keygen on a Unix host. Note that the -N below indicates that your computer will not have a passphrase. 
           cd /tmp
   ssh-keygen -b 1024 -f ssh_host_key -N ''
        On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention, it think c: is a machine named 'c'. To copy the file under bash on Windows: 
           cd c:/ssh/etc
   scp yourunixmachine:/tmp/ssh_host_key.pub .
   scp yourunixmachine:/tmp/ssh_host_key .
        On the Unix machine, remove /tmp/ssh_host_key
      2. If c:/etc/ssh/ssh_host_key.pub exists on your Windows machine, copy it to a temporary file on the Unix machine: 
                cd c:/ssh/etc
        scp ssh_host_key.pub yourunixmachine:/tmp
    5. Set up ~/.ssh/known_hosts on gigasource: On gigasource, ~/.ssh/known_hosts lists hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigascale.
      Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource.
      1. Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file
      2. Add the fully qualified domain name of the windows machine to the beginning of the line. You should end up with something like 
        maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243
        Where the last number is several lines long.
      3. Copy the file: 
        scp /tmp/known_hosts gigasource:~/.ssh/known_hosts
    6. From the local machine, test ssh with: 
      ssh -v gigasource cvs
      you should not have to type in your password.

    Troubleshooting CVS SSH under NT

    1. Run 
      ssh -v yourunixmachine cvs
      and check the output, which should look like: 
      ptolemy@carson 8% ssh -v gigasource cvs
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config
carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0
carson.eecs.berkeley.edu: Connecting to gigasource [128.32.171.225] port 22.
carson.eecs.berkeley.edu: Allocated local port 1021.
carson.eecs.berkeley.edu: Connection established.
carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version \
1.2.26
carson.eecs.berkeley.edu: Waiting for server public key.
carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1\
024 bits).
carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.
carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/ra\
ndom_seed
carson.eecs.berkeley.edu: Encryption type: idea
carson.eecs.berkeley.edu: Sent encrypted session key.
carson.eecs.berkeley.edu: Installing crc compensation attack detector.
carson.eecs.berkeley.edu: Received encrypted confirmation.
carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authe\
ntication.
carson.eecs.berkeley.edu: Remote: Accepted by .shosts.
carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or \
invalid host key.
carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'cars\
on.eecs.berkeley.edu'.
carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with\
 the canonical host name using ssh, and then try again.
carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.
carson.eecs.berkeley.edu: No agent.
carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eec\
s.berkeley.edu'
carson.eecs.berkeley.edu: Received RSA challenge from server.
carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.\
ssh/identity.
Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': your CVS passphrase

carson.eecs.berkeley.edu: Sending response to host key RSA challenge.
carson.eecs.berkeley.edu: Remote: RSA authentication accepted.
carson.eecs.berkeley.edu: RSA authentication accepted by server.
carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofin\
g.
carson.eecs.berkeley.edu: Sending command: cvs
carson.eecs.berkeley.edu: Entering interactive session.
Usage: cvs [cvs-options] command [command-options-and-arguments]
  where cvs-options are -q, -n, etc.
    (specify --help-options for a list of options)
  where command is add, admin, etc.
    (specify --help-commands for a list of commands
     or --help-synonyms for a list of command synonyms)
  where command-options-and-arguments depend on the specific command
    (specify -H followed by a command name for command-specific help)
  Specify --help to receive this message

The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
    Cyclic Software at http://www.cyclic.com/ or
    Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0\
.1 seconds
carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0\
.0
carson.eecs.berkeley.edu: Exit status 1
ptolemy@carson 9%
    2. Check the value of the CVSROOT environment variable. It should be something like: :ext:myhost.eecs.berkeley.edu:/users/cvs/Repository
    3. Be sure that you have created a key on the Unix side and copied the identity* files from Unix to NT
    4. Be sure that $HOME is set for your NT account
    5. Try using the ssh.exe binary that the $CVS_RSH variable refers to. Below is an example where we rsh over to carson and get the date: 
           bash-2.02$ echo $CVS_RSH
     D:\Program Files\Ptolemy\CVS SSH\ssh.exe
     bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
     Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
     ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
     Thu Feb  4 15:35:06 PST 1999
      Below is an example that failed because of an incorrect CVS password, note that the password is prompted for twice: 
           bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
     Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
     Bad passphrase.
     Password:
     Permission denied.
     bash-2.02$
    6. Verify that you can use ssh to connect between two Unix boxes.
    7. Check ssh_config. RSAAuthentication and/or RhostsRSAAuthentication must be turned on. One way to do this locally is by having an /Program\ Files/Ptolemy/CVS\ SSH/ssh_config file that looks like: 
      Host *
        RSAAuthentication yes
        RhostsRSAAuthentication yes
    8. Reboot NT.
    		 
    Previous section  |  This section  |  Next section
    Previous question  |  This question  |  Next question
    You are not logged in
    ©1998-2008 GSRC