When using ssh to access repositories on cdcvs, you have two options:
authenticating with Kerberos or with a public key. Not configuring this correctly
tends to produce errors like:
- cvs check_access scripts telling you '"cvsuser" isn't allowed to commit to whatever'
- svn errors like:
    sh: -c: line 0: syntax error near unexpected token `('
    sh: -c: line 0: `svnserve --tunnel-user (null) -t'
- email hook scripts generating:
    File "/usr/lib64/python2.6/UserDict.py", line 22, in __getitem__
        raise KeyError(key)
    KeyError: 'REMOTEUSER'
    error: hooks/post-receive exited with error code 1
To make sure your ssh client forwards the credentials that our who-is-this-user
scripts and restricted login shell need, please add:
    host cdcvs.fnal.gov
        ForwardX11 = no
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
and on some newer systems
$HOME/.ssh/config file and all should be well.
...However, if you have problems:
The problem is usually the clock. Check that the UTC time from
Do you have a valid Kerberos ticket?
Do you have an addressless ticket, if working behind a NAT, as is often the case outside Fermilab?
Look for the A flag in the klist -f output. To get an addressless ticket:
depending on which kinit you have
Are you using an ssh which supports kerberized ssh?
Are you using /usr/kerberos/bin/kinit, not the JRE or Java version?
You can override the .ssh/config with:
ssh -o "GSSAPIAuthentication yes" -o "GSSAPIDelegateCredentials yes" ...
To debug the connection process, do
and for really full details,
Public key access
- Make sure ssh is installed on your system. These instructions have been tested with OpenSSH version 3.5; you can check which version you have by running
- If you don't have one, create an ssh key pair, by running:
It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; instead, pick a nice long phrase, but one you can remember. You can change it later with
This will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.
Cygwin/NT users unfortunately must currently have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a different key for their NT accounts than for their other accounts, and use directory/file permissions to keep the key file as safe as possible.
- If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).
    CVS_RSH=ssh
    export CVS_RSH
    # Start an agent and load the key only if no agent is available yet
    if [ "x$SSH_AUTH_SOCK" = x ]
    then
        echo Doing ssh stuff...
        eval `ssh-agent`
        ssh-add
    fi
and this to your $HOME/.login
    setenv CVS_RSH ssh
    if ( ! $?SSH_AUTH_SOCK ) then
        echo Doing ssh stuff...
        eval `ssh-agent -c`
        ssh-add
    endif
Finally, you may need, in your $HOME/.ssh/config file:
    Host cdcvs.fnal.gov
        ForwardX11 = no
        ForwardAgent true
to make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:
in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.
In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.
- Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.
Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
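
A check for both client configurations described above (the Kerberos GSSAPI options and the public key ForwardAgent option), as an added example that is not part of the original page: it reads the output of `ssh -G cdcvs.fnal.gov` (OpenSSH 6.8 or later) and lists the required options that are not in effect. The function name, the mode names and the sample data are constructed for illustration; the `other` mode goes beyond the page and checks that agent forwarding and credential delegation stay scoped to the cdcvs Host block.

```sh
#!/bin/sh
# Added example: audit the effective ssh client options.
# `ssh -G HOST` prints one lowercase "keyword value" pair per line after
# all Host blocks in $HOME/.ssh/config and -o overrides have been applied.

# missing_options MODE: read `ssh -G` output on stdin and print every
# required option that is not in effect (empty output means all is well).
#   kerberos - settings for Kerberos access to cdcvs.fnal.gov
#   pubkey   - settings for public key access to cdcvs.fnal.gov
#   other    - run against an unrelated host: nothing should be forwarded
missing_options() {
    case "$1" in
        kerberos) want="gssapiauthentication=yes gssapidelegatecredentials=yes forwardx11=no" ;;
        pubkey)   want="forwardagent=yes forwardx11=no" ;;
        other)    want="forwardagent=no gssapidelegatecredentials=no" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    cfg=$(cat)
    missing=""
    for pair in $want; do
        key=${pair%%=*}
        val=${pair#*=}
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        [ "$got" = "$val" ] || missing="$missing $key(want=$val,got=${got:-unset})"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: a client where only the OpenSSH defaults apply.
SAMPLE_DEFAULT='hostname cdcvs.fnal.gov
forwardagent no
forwardx11 no
gssapiauthentication no
gssapidelegatecredentials no'

# Constructed sample: the Kerberos Host block from this page is in effect.
SAMPLE_KRB='hostname cdcvs.fnal.gov
forwardagent no
forwardx11 no
gssapiauthentication yes
gssapidelegatecredentials yes'

echo "default client, kerberos mode: $(printf '%s\n' "$SAMPLE_DEFAULT" | missing_options kerberos)"
echo "kerberos client, pubkey mode:  $(printf '%s\n' "$SAMPLE_KRB" | missing_options pubkey)"
```

On a real client, run `ssh -G cdcvs.fnal.gov | missing_options kerberos` (or `pubkey`), and `ssh -G` against any other host piped into `missing_options other`.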