Ssh notes

When using ssh to access repositories on cdcvs, you have pretty much two possibilities,
authenticating with Kerberos, or with public key access. Not configuring this right
tends to get you errors like:

  • cvs check_access scripts telling you '"cvsuser" isn't allowed to commit to whatever'
  • svn errors like:
     sh: -c: line 0: syntax error near unexpected token `('
     sh: -c: line 0: `svnserve --tunnel-user (null)  -t'
  • email hook scripts generating:
      File "/usr/lib64/python2.6/", line 22, in __getitem__
        raise KeyError(key)
    KeyError: 'REMOTEUSER'
    error: hooks/post-receive exited with error code 1 

kerberos configuration

To make sure your ssh client forwards credentials to make our who-is-this-user
scripts and restricted login shell happy, please add:

 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

and on some newer systems

to your $HOME/.ssh/config file and all should be well.

...However if you have problems:

The problem is usually the clock. Check that the UTC time from

   date -u 

is correct.

Do you have a valid kerberos ticket ?

   klist -f

Do you have an addressless ticket, if working behind a NAT,as is often the case outside Fermilab ?
Look for the A flag in the klist -f output. To get an addressless ticket:

        kinit -A 

        kinit -n

depending on which kinit you have

Are you using an ssh which supports kerberized ssh ?

Are you using /usr/kerberos/bin/kinit, not the JRE or java version ?

    which kinit

You can override the .ssh/config with:

    ssh -o "GSSAPIAuthentication yes" -o "GSSAPIDelegateCredentials yes" ...

To debug the connection process, do

    ssh  -v

and for really full details,
    ssh -vvv 

public key access

  • Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5, you can check what version you have by running
      ssh -V
  • If you don't have one, create an ssh key pair, by running:

    It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase, rather pick a nice long phrase, but one you can remember. You can change it later with

          ssh-keygen -p

    This will create $HOME/.ssh/id_dsa and $HOME/.ssh/, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.

    Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a separate key for their NT accounts than their others, and use directory/file permissions to keep the key file as safe as possible.

  • If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).
              export CVS_RSH
              if [ x$SSH_AUTH_SOCK = x ]
                  echo Doing ssh stuff...
                  eval `ssh-agent`

    and this to your $HOME/.login

              setenv CVS_RSH ssh
              if ( ! $?SSH_AUTH_SOCK ) then
                  echo Doing ssh stuff...
                  eval `ssh-agent -c`

    Finally, you may need, in your $HOME/.ssh/config file:

        ForwardX11 = no
        ForwardAgent true

    To make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:


    in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.

    In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.

  • Send your $HOME/.ssh/ file to the adminstrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

    Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.