WinCVS with SSH authentication
This is a guide to using WinCVS with SSH authentication (as opposed to pserver authentication).
The best SSH implementation for Windows is, as far as I know, putty. Its usability, quality, ease of use etc. are good. You'll need to download the programs putty, pageant, puttygen and plink from its homepage.
Generating your keys
First, start puttygen:
We'll be using it to generate your public and private key, which will be used for authenticating with the SSH based CVS server/repository.
First, click "SSH2 DSA" to select a proper SSH2 based key (SSH2 is more secure than SSH1), then click "Generate" to have your key generated. You'll be asked to move the mouse pointer around in the window, which gives the program some initial random data to chew on. Then type a secret passphrase (password) in the "key passphrase" textbox and repeat it in the one below. Keep this to yourself. It should be a good password with random characters (uppercase and lowercase), and should also contain numbers. Then click "Save private key" and pick a safe location (you are storing your private key, the secret part of your key), a place where it won't be tampered with or used by unauthorized personnel.
Also select the public part of the key ("Public key for pasting into authorized_keys2 file"), right-click and copy the contents to your clipboard. (The name authorized_keys2 is misleading: OpenSSH went back to using authorized_keys for SSH2 keys as well, so use authorized_keys and keep your OpenSSH up to date.) Then do one of the following:
a) If you're already familiar with ssh, log in on your CVS server (if you're allowed to do that) and paste the contents of your public key in ~/.ssh/authorized_keys in one line. Chmod the file to mode 0600.
b) Send your public key to your CVS administrator by mail and let him put it where it should be.
NB: Make sure it is your public key you are authorizing and copying around; you must keep your private key secret. Also, consider using from= and other measures in your authorized_keys file to limit the access this authorization grants (see the sshd man page for more information).
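The NB above, as an added example that is not part of the original guide: a shell function for the CVS server that refuses anything that is not a one-line SSH2 public key (for instance the contents of a PuTTY private key file) and appends the key with a from= restriction and forwarding disabled. The function name, the sample address and the sample key in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Run on the CVS server.
# Usage (constructed values):
#   authorize_cvs_key 'ssh-dss AAAA... alice@laptop' '192.0.2.10'

authorize_cvs_key() {
    key=$1
    from=$2
    dir=${3:-$HOME/.ssh}
    nl='
'
    # The pasted key must be exactly one line.
    case $key in
        *"$nl"*) echo "refusing: key spans several lines" >&2; return 1 ;;
    esac
    # A public key line starts with its key type. A PuTTY private key file
    # starts with "PuTTY-User-Key-File-" and must never reach the server.
    case $key in
        ssh-dss\ ?*|ssh-rsa\ ?*) ;;
        *) echo "refusing: not an SSH2 public key line" >&2; return 1 ;;
    esac
    # The from= value is written inside double quotes in the file.
    case $from in
        ''|*\"*|*"$nl"*) echo "refusing: bad from= pattern" >&2; return 1 ;;
    esac

    old_umask=$(umask)
    umask 077                       # new files are private from the start
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    chmod 700 "$dir"
    # Options documented in the sshd man page: limit the source host and
    # switch off the forwarding features a CVS-only key does not need.
    opts="from=\"$from\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    printf '%s %s\n' "$opts" "$key" >> "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    umask "$old_umask"
}
```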
Using pageant, the SSH key authentication agent
Pageant is your friend. It will do your authentication so you don't have to type a password for every CVS operation. First, start it:
Next, right-click its new icon in the tray, and select add key:
Locate your private key, and type in the passphrase you used when generating the key with puttygen. That makes it possible to log in directly to your CVS account without typing passwords. This may be a security problem, so please make sure you read this document entirely -- there are security considerations you need to know at the end of it.
Oh, and you need to repeat this step (starting pageant and adding your key) every time you want to use this type of SSH authentication. But you only need to do it once each time you log in.
Creating a putty saved session for WinCVS to use
Walk down to the Connection category, and under "Auto-login username" under "Data to send to the server", type in the (SSH) username you wish to use on the CVS server:
Then go to the SSH section in the Connection category, and locate your private SSH key that you generated using puttygen:
Go back to the Session category, type in the hostname of your CVS server, choose SSH as protocol, type in a session name, and click Save:
Then test it by double-clicking the session name from the list of "Saved Sessions". Your login should then work automatically, without asking you for a username or password. If it doesn't, you need to go backwards in this guide and see where you did something wrong:
- Is your public key authorized on the CVS server?
- Is your private key added to a running pageant program (it should be in your tray)?
- Did you configure your putty session properly?
If it works fine however, exit putty and continue.
Using WinCVS with your new SSH setup
I assume you have already installed a recent version of WinCVS downloaded from www.wincvs.org. As I write this, I am currently using WinCVS 1.2. Start it.
Type in the CVSROOT. It should be your username, @, the SSH session name you stored in putty, a colon, and the path for the CVS repository on the CVS server. Select SSH server for authentication.
Click the Ports tab, check the checkbox for "Check for an alternate rsh name", and type in the full path for your plink program (downloaded from the putty pages). Click OK. This is it. You should be able to check out files and work with WinCVS as normal. Securely (authenticated and encrypted), too. You do not need to use Login and Logout on the Admin menu, putty and friends do that stuff for you.
Please do make sure the security and integrity of the host using WinCVS and plink/pageant is good. Put your keys and work on a local filesystem, and make sure only authorized personnel have access to the host. You are accessing a CVS repository, which most likely is a very valuable and also unfortunately vulnerable system. Losing the CVS server's data, the password you use to access the CVS server or your SSH keys to unauthorized personnel must not happen.
Make sure you configure Putty to use SSH protocol version 2. SSH1 is known to have fundamental flaws (and may or may not be subject to, for example, man-in-the-middle attacks) and is far from ideal, even though SSH1 based servers are still developed and fixed for known weaknesses.
The CVS shell
I wrote a small shell script which you can use as the login shell for users that are only supposed to use CVS and nothing else. It can be found here. I make no guarantees of the security of this script, but it should be better to use it than to give full SSH login access to users that you only want to be able to use CVS.
Make sure your SSH daemon software is up to date. I recommend OpenSSH.
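To show the idea behind a CVS-only login shell, here is an added example; it is not the author's script referred to above. It assumes the script is installed as /usr/local/bin/cvssh and that the cvs binary is /usr/bin/cvs; both paths and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed install path:
# /usr/local/bin/cvssh, set as the login shell of CVS-only accounts.

CVS_BIN=/usr/bin/cvs    # assumed location; fixed so the user's PATH is unused

# sshd starts a login shell as:  <shell> -c '<requested command>'
# A CVS client connecting over SSH requests exactly the command "cvs server".
# The request is compared as a string and never evaluated.
is_cvs_request() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "cvs server" ]
}

cvssh_main() {
    if is_cvs_request "$@"; then
        exec "$CVS_BIN" server
    fi
    # Interactive logins (no arguments) and every other command end here.
    # Record the refusal so the administrator can see it in the auth log.
    logger -t cvssh -p auth.notice "denied for $(id -un): $*" 2>/dev/null || true
    echo "This account is restricted to CVS access." >&2
    return 1
}

# Act only when run under the installed name; inert if sourced elsewhere.
case ${0##*/} in
    cvssh) cvssh_main "$@"; exit $? ;;
esac
```

A login shell only governs which commands run; forwarding is controlled separately, so keep options such as no-port-forwarding on the account's authorized_keys entries as well.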
If you have any comments, additions or find anything wrong, please let me know. Be aware however, that I do not provide free WinCVS/CVS/SSH support. Feedback will be stored and used when updating this page only. If you wish commercial help on an hourly basis, please state that in your enquiry.
2003-11-04: Updated the page on Putty steps and also some hints on debugging problems. Thanks to Brenda Bell for tips, and Morten Kjelkenes for testing.
2004-12-29: After a long break, I've started to look at updating this page again. Moved it to www.bsdconsulting.no, my consulting website.
Last modified: Wed Dec 29 23:21:49 CET 2004