Re: VC with CVS over SSH

From: Richard V. Molen
Subject: Re: VC with CVS over SSH
Date: 25 Oct 2002 09:55:40 -0700
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Phillip Lord <> writes:

> >>>>> "Klaus" == Klaus Berndl <> writes:
>   Klaus> On 25 Oct 2002, Richard V. Molen wrote:
>   >> But I'm getting off topic.  Here are some helpful URLs.
>   >> good ssh tutorial
>   >> OpenSSL FAQ
>   >> O'Reilly book
>   >> vnc ssh
>   >>
>   >> If you're interested, I can email you a crude bash script you can
>   >> run on the client that will setup the first user on both client &
>   >> server.
>   Klaus> If this is not too much effort for you, i would be also
>   Klaus> interested in this script.
> If it's not sensitive, perhaps you could just post it. I would
> certainly be interested.

Here it is, along with these disclaimers...
1. Use at your own risk.
2. I am not an expert on ssh nor bash.
3. Read the comments before running, this does delete some files.
4. Read the 'man ssh' page & 'good ssh tutorial' (above) first.

===start of script file===
#! /bin/bash
#Generates private & public keys for SSH access on client & server sides
#for the first time. Run this on client machine w/o arguments, with RUSER
#and RSERVER set in the environment to the server login name and host name.
#--- DELETES/REPLACES prior authorized keys & config on BOTH client & server ---
#Modify this script if you need to preserve prior work on the
#client or the server.  If _you_ don't _already_ connect to this server from
#other clients then use this w/o worry.
#This sets ssh to use only protocol version 2 DSA public key authentication.
#RSA key generation should work too, if uncommented.
#Makes config file for client that is copied to server for its other clients.
#Ran script on a client running Cygwin bash
#with "OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f"
#to a RH 7.3 Linux server running openssh daemon sshd.
#Note: For older versions DSA keys used separate files authorized_keys2 etc.
#      on server 'man ssh' then /^FILES

# Both must be set before running; abort with a message if either is missing.
: "${RUSER:?set RUSER to your login name on the server}"
: "${RSERVER:?set RSERVER to the server host name}"

echo "deleting 'authorized_keys' and all key files on client"
echo "deleting 'known_hosts' -- these will be recreated in this script"
cd ~/.ssh/ || exit 1
rm -f authorized_keys id* known_hosts

# echo "generate public & private keys -- these will ask for passphrases"
# echo "Make private key file for RSA1 (protocol 1) using RSA"
# echo "~/.ssh/identity"
# ssh-keygen -t rsa1 -f identity
# cat identity.pub >> authorized_keys
# echo "Make private key file for SSH2 (protocol 2) using RSA"
# echo "~/.ssh/id_rsa -- ssh2 protocol 2 only rsa"
# ssh-keygen -t rsa -f id_rsa
# cat id_rsa.pub >> authorized_keys

echo "Make private key file for SSH2 (protocol 2) using DSA"
echo "~/.ssh/id_dsa -- ssh2 protocol 2 only dsa (replaces prior key)"
ssh-keygen -t dsa -f id_dsa
# append the new public key to the file that will be installed on the server
cat id_dsa.pub >> authorized_keys

echo "Disable ssh config file until end of script by"
echo "Renaming it from ~/.ssh/config file to config.OLD."
mv config config.OLD

echo "Copy public keys to server (sshd host)"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "(saying yes puts server key in client's known_hosts file.)"
echo "expect to enter password..."
scp -p authorized_keys $RUSER@$RSERVER:.ssh/

echo "Disallow write permission for groups & others for ssh files"
echo "expect to enter passphrase or password..."
ssh -2 -i id_dsa $RUSER@$RSERVER chmod go-w . .ssh .ssh/authorized_keys

echo "Generate config file for client."
cat <<EOF >config
# ssh configuration file
#Should double on client and server with NFS-home ability
#Summary: use only ssh2/DSA key auth.  rename this file to experiment
# ref: 'man ssh' or 'info ssh' then '/CONFIGURATION FILES'

# each host can have different settings. * means 'the rest'
# Host 999.999.999.999
  Host *
# batch mode runs w/o user so no password/phrase requested.
# BatchMode no
# check ip address is in ~/.ssh/known_hosts
  CheckHostIP yes
# protocol version 1 session encryption
# Cipher blowfish
# protocol version 2 session encryption
# Ciphers 
  Compression yes
  CompressionLevel 6
# ConnectionAttempts 1
# EscapeChar ^]
  FallBackToRsh no
# ForwardAgent no
  ForwardX11 yes
# GatewayPorts no
# protocol 2 -- use rhosts authentication first.
  HostbasedAuthentication no
# key crypt algorithms to try in this order.
  HostKeyAlgorithms ssh-dss
# HostKeyAlias  for tunneling
# HostName -- specifies the real host name to log into.
# protocol 1 RSA1=identity, protocol 2 RSA=id_rsa, DSA=id_dsa
  IdentityFile ~/.ssh/id_dsa
  KeepAlive yes
# Kerberos...
# LocalForward host:port
  LogLevel INFO
# message authentication code algorithms in order of preference (protocol 2)
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# Don't gripe about wrong host on NFS-home system.
  NoHostAuthenticationForLocalhost yes
  NumberOfPasswordPrompts 2
  PasswordAuthentication no
# Port 22
# protocol 2 preferred authentications default: publickey, password, 
  PreferredAuthentications publickey
# Just use protocol 2
  Protocol 2
  PubkeyAuthentication yes
# RemoteForward host:port
# protocol 1 .rhosts check
# RhostsAuthentication no
# protocol 1 rhostrsa auth
# RhostsRSAAuthentication no
  ChallengeResponseAuthentication yes
# UsePrivilegedPort no
  User ric
  UseRsh no
# XAuthLocation /usr/X11R6/bin/xauth
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
EOF
echo "Clean up known_hosts file so that only DSA server key is therein"
echo "If 'The authenticity of host ... can't be established.' ...SAY YES..."
echo "expect to enter passphrase & see server's present working directory"
rm known_hosts

echo "try ssh to see if a passphrase is requested"
echo "expect to enter passphrase & see server's .ssh directory."
ssh $RUSER@$RSERVER ls -l .ssh

echo "Amend config file to require DSA key for server in client's known_hosts."
cat <<EOF >>config
# StrictHostKeyChecking: yes,no,ask  -- check client's known_hosts file for server key
  StrictHostKeyChecking yes
EOF

echo "Copy ssh config file to server (sshd host) for its other clients"
echo "It will replace servers config file"
echo "expect to enter passphrase..."
scp -p config $RUSER@$RSERVER:.ssh/

echo "...$0 is done -- ssh should be ready to use..."
echo "...if password support is needed edit ~/.ssh/config or rename it..."
===end of script file===

Richard V. Molen

Signature under construction, safety glasses required.
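As an added check that is not part of Richard's script or the original thread, the audit function below verifies the client-side state a setup script like the one above should leave behind: no group/world write on the directory or authorized_keys, a private key nobody else can read, the generated id_dsa.pub actually present in authorized_keys, and the protocol-2 / key-only settings present and uncommented in config. It assumes GNU stat and the file names the script uses; the sample tree and key blob it builds are constructed fakes, not real key material.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Assumes GNU stat (-c %a)
# and the file names used by the setup script: id_dsa, id_dsa.pub,
# authorized_keys, config. Prints one line per failed check and returns
# the number of failures (0 = the directory is in the expected state).

mode_of() { stat -c %a "$1" 2>/dev/null; }

# group or others have write permission? (sshd's StrictModes rejects such
# a ~/.ssh or authorized_keys; the script's 'chmod go-w' guards against it)
go_writable() { case $(mode_of "$1") in *[2367]?|*[2367]) return 0;; *) return 1;; esac; }

# group or others have read permission? (ssh refuses to load a private key
# in that state: "Permissions ... are too open")
go_readable() { case $(mode_of "$1") in *[4567]?|*[4567]) return 0;; *) return 1;; esac; }

audit_ssh_dir() {
    dir=$1; fails=0
    for f in "$dir" "$dir/authorized_keys"; do
        if go_writable "$f"; then echo "FAIL: $f is group/world writable"; fails=$((fails+1)); fi
    done
    if go_readable "$dir/id_dsa"; then echo "FAIL: $dir/id_dsa readable by others"; fails=$((fails+1)); fi
    # the key installed on the server must be the one just generated:
    # compare the base64 blob (second field) of id_dsa.pub against authorized_keys
    blob=$(awk 'NR==1 {print $2}' "$dir/id_dsa.pub" 2>/dev/null)
    if ! awk -v b="$blob" 'b != "" && $2 == b {found=1} END {exit !found}' "$dir/authorized_keys" 2>/dev/null; then
        echo "FAIL: id_dsa.pub not found in authorized_keys"; fails=$((fails+1))
    fi
    # the client config must carry these settings uncommented
    for opt in "Protocol 2" "PasswordAuthentication no" "StrictHostKeyChecking yes"; do
        grep -Eq "^[[:space:]]*$opt[[:space:]]*$" "$dir/config" 2>/dev/null \
            || { echo "FAIL: config lacks '$opt'"; fails=$((fails+1)); }
    done
    return $fails
}

# Constructed sample tree (fake key material, no real key) to exercise the audit.
make_sample_tree() {
    d=$(mktemp -d)/ssh; mkdir -m 700 "$d"
    echo "ssh-dss AAAAB3NzaC1kc3MAAACBFAKEKEYBLOB= client@example" > "$d/id_dsa.pub"
    cp "$d/id_dsa.pub" "$d/authorized_keys"; chmod 644 "$d/authorized_keys"
    echo "FAKE PRIVATE KEY" > "$d/id_dsa"; chmod 600 "$d/id_dsa"
    printf 'Host *\n  Protocol 2\n  PasswordAuthentication no\n  StrictHostKeyChecking yes\n' > "$d/config"
    echo "$d"
}

# usage: audit_ssh_dir "$(make_sample_tree)"   (or audit_ssh_dir ~/.ssh after the script has run)
```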
