Re: Passwordless logins, .shosts for Windows CVS clients with Cygwin

From: Richard E. Silverman (res_at_qoxp.net)
Date: 12/24/03


Date: 24 Dec 2003 00:21:31 -0500


>>>>> "NKG" == Nico Kadel-Garcia <nkadel@comcast.net> writes:

    NKG> At my suggestion, he's been encouraging users to switch to using
    NKG> "CVS_RSH=/usr/bin/ssh" in CygWin windows.

Just a note: you may find performance a problem. This setup requires a
new SSH connection with every CVS command, which can be unacceptably slow
depending on the hardware involved, SSH configuration, frequency of CVS
commands used, etc.

It really shouldn't be this way -- ideally, you'd make one SSH connection
and then just get new channels as needed for various commands.
Unfortunately, the only command-line SSH implementation I know of that
does this in a fashion suitable for normal Unix use is lsh, which is just
not ready for regular use.

An alternative is to use port forwarding together with a restricted CVS
pserver, but this can be a bit awkward.

A more attractive alternative is kerberized CVS, but that requires more
infrastructure.

    NKG> Which is fine, but getting them to use "ssh-agent" to store an
    NKG> SSH key is something they don't like to do: they want to open a
    NKG> CygWin window or command window and just have it Work(tm).

    NKG> So I'm looking at setting up .shosts,

I assume you mean you want to use hostbased authentication.

    NKG> but am having some grief. Does anyone have a working
    NKG> "sshd_config" for OpenSSH 3.7.1p2 that allows .shosts use?

Well, the sshd_config part is easy: "hostbasedauthentication yes". The
trickier parts are getting all of /etc/shosts.equiv, ~/.shosts, the
known_hosts files, host keys, and naming service (DNS, NIS, etc.) all in
sync to allow it to work. Take a look at:

http://www.snailbook.com/faq/trusted-host-howto.auto.html

Also, refer to the relevant parts of the snail book. Post specifics if
things aren't working.

-- 
  Richard Silverman
  res@qoxp.net
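
The agreement between sshd_config, shosts.equiv and the known_hosts file that the message describes can be checked mechanically on the server. The script below is an added example, not part of the original message and not OpenSSH code; the function names, the file paths passed in and the sample hosts are assumptions. It handles only plain known_hosts entries (no hashing, wildcards or markers) and does not test name-service resolution.

```shell
#!/bin/sh
# Added example (not from the original post): check that the server-side files
# hostbased authentication depends on agree with each other.
# Usage: check_hostbased SSHD_CONFIG SHOSTS_EQUIV KNOWN_HOSTS
# Prints one line per problem; returns 1 if any problem was found.
check_hostbased() {
    cfg=$1; equiv=$2; known=$3; rc=0

    # sshd_config keywords are case-insensitive and the first occurrence wins.
    val=$(awk 'tolower($1) == "hostbasedauthentication" { print tolower($2); exit }' "$cfg")
    if [ "$val" != "yes" ]; then
        echo "sshd_config: HostbasedAuthentication is not set to yes"
        rc=1
    fi

    # shosts.equiv: first field is the client host name. Comments, blank lines
    # and +/-/@netgroup entries are skipped (not handled by this sketch).
    for host in $(awk 'NF && $1 !~ /^[#+@-]/ { print tolower($1) }' "$equiv"); do
        # known_hosts: first field is a comma-separated list of names/addresses.
        # Assumes plain entries: no hashing, wildcards or @markers.
        if ! awk -v h="$host" '
            NF == 0 || $1 ~ /^[#@]/ { next }
            { n = split(tolower($1), names, ",")
              for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$known"
        then
            echo "$host: in shosts.equiv but no host key in known_hosts"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: pc7 is trusted in shosts.equiv but its key is missing.
write_sample() {
    printf '%s\n' '# constructed sample' 'Protocol 2' 'HostbasedAuthentication yes' > "$1/sshd_config"
    printf '%s\n' 'build1.example.com' 'pc7.example.com' > "$1/shosts.equiv"
    printf '%s\n' 'build1.example.com,192.0.2.10 ssh-rsa AAAA-CONSTRUCTED-KEY' > "$1/known_hosts"
}

d=$(mktemp -d) && write_sample "$d"
check_hostbased "$d/sshd_config" "$d/shosts.equiv" "$d/known_hosts" || true
rm -rf "$d"
```

The names compared here must be the ones the server obtains when it resolves the client's address, so a host that passes this check can still fail if DNS or NIS returns a different name.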