CVS and SSH are products that are fairly widely known in the UNIX world, but that Windows users might be less familiar with. The intended audience for this document is people who have little to no experience with CVS or SSH, and it includes short explanations of many of the basic concepts. If you are already familiar, simply uninterested, or in a hurry, you can safely skip everything except for the parts marked with 's. Also, the setup is different for different versions of Windows, so pay attention in each section for specific instructions. Finally, at the end there is a set of tests that you can try after each step to make sure that it succeeded.
This setup will work with any version of Windows; however, there are issues that you should be aware of:
Concurrent Versions System (CVS) is a method of "version control"; that is, tracking changes to computer files over time and allowing access to the different versions that have been created. CVS is commonly used for managing the development of source code, but is finding its place in other realms as well. Unlike its predecessor, Revision Control System (RCS), CVS allows multiple people to work on a project at a time and maintains information about files in a directory structure (whereas RCS tracks changes solely on a per-file basis). Secure Shell (SSH) is a method of accessing a computer remotely. Unlike its predecessors Remote Shell (RSH) and Telnet, all of the information passing between the computers is encrypted so that eavesdroppers cannot listen in.
One of the benefits of CVS is that the files can be stored in a central repository; people wishing to access it can connect to the central server, download a copy to their computer that they can change, and then commit their changes back to the main repository. This collaboration can be done within a company network by a few people or it can be done by tens or hundreds of people working around the globe. As the distance that the information travels grows, security becomes a greater concern. For this reason CVS has the ability to run over SSH. This protects the information stored in CVS and, just as importantly, it protects the passwords of the people accessing the repository.
This is a document describing how to access secure CVS repositories on computers running SSH using WinCVS and Cygwin. It is based on an earlier document by Frank Murphy with updates for WinCVS version 1.2, specific issues with different versions of Windows, and bug fixes that now allow WinCVS to work with OpenSSH and SSH2.
This document assumes:
- The CVS server is cvshost.mydomain.com.
- You have an account on it with the username joeuser and the password pass.
- The CVS root on cvshost.mydomain.com is called /home/cvs. Every CVS repository has a root, and if you do not know what yours is then you need to check with your administrator and find out. It is very likely not /home/cvs.
- /home/cvs contains a module named myproject that you are allowed to access.
The software used in writing and testing this document is: (If you have any trouble, try upgrading to the latest versions. WinCVS will not work before version 1.2, and OpenSSH will not work in Windows NT/2000 before 2.9p2; p1 doesn't work.)
The server being connected to is running:
WinCVS is a Windows CVS client. The latest version can be downloaded from http://WinCVS.org/download.html. Getting the latest version is highly recommended. Just run the program setup.exe in the downloaded files and follow the instructions.
Windows does not have an SSH client by default. There are a variety available; however, most are either not correctly suited for use with CVS or they cost money. The version that is being used in this setup is provided by a group called OpenSSH and it is a free implementation. It is not written for Windows, however, and in order for it to function correctly a library called Cygwin is necessary. Cygwin allows programs written for UNIX to run on Windows computers. Cygwin is installed by a program that not only installs the library that allows UNIX programs to run, but also installs a set of UNIX programs that have been altered so as to work correctly with the library. The program that you run allows you to choose the programs that you want to install and where you want to install them from, and it then downloads and installs them.
Get the Cygwin installer from http://www.cygwin.com/setup.exe or a copy is available here. The list of packages offered is fairly extensive, but the only ones that you need to install are Cygwin, OpenSSH, OpenSSL (used by OpenSSH to encrypt the connection), ZLib (used by OpenSSH to compress the connection), and bash (which manages your home directory). Also, for certain tests I will use the Cygwin version of CVS, and it also needs GDBM for certain data access functions. If you are certain you will get it right the first time and will not need to do any testing you can skip CVS and GDBM, but I recommend installing them.
Install the programs wherever you want, but hereafter I will treat it as though everything was installed in c:\cygwin. If you use a different directory then simply substitute the directory you used for c:\cygwin.
When installing you will get a long list of available packages. There is no way that I am aware of to unselect all of them other than to go down the New column and click once on each of the version numbers to change it to Skip. Also, when choosing a site to install from it is often better to use a site that is available via HTTP. HTTP allows multiple files to be transferred over a single connection, whereas FTP requires a new connection for each file, so FTP servers are often busier and more difficult to connect to. Also, HTTP (web) servers usually do not limit the number of users in the way that FTP servers do.
You now have all of the necessary software installed. It is now a matter of getting it all to work together. The first step is making it so that WinCVS can find the SSH program to run it. This is done by adding the directory that SSH is in to the set of directories that Windows searches through to find programs. This list of directories is called the path and it is controlled by an environment variable called PATH.
Add the directory where Cygwin stores its programs (C:\cygwin\bin) to your path.
Windows 95/98: edit c:\autoexec.bat and add the line
SET PATH=%PATH%;C:\cygwin\bin;
Windows NT: open Control Panel, then System properties, then the Environment tab. Select the path entry in the System Variables list, add ;C:\cygwin\bin; to the end, and click Set.
Windows 2000: open Control Panel, then System properties, then the Advanced tab, then Environment Variables. Select the path entry in the System Variables list, click Edit, add ;C:\cygwin\bin; to the end, and click OK.
In order for your changes to take effect in Windows 95/98 you will have to restart. Changes should take effect immediately in NT or 2000.
SSH uses public key cryptography in setting up a session. The computer you are connecting to has a public key that it gives to anyone it wants to communicate with. The party it is communicating with can then use that public key to encrypt anything it wants and send it securely back to the server. Information encoded with the public key can't be decoded again with the public key; it can only be decoded using the matching private key that the server keeps secret. Your computer gets the public key of the computer you are connecting to and then uses that to send back a symmetric key, which is then used for symmetric key cryptography, where both parties use the same key. Symmetric key cryptography is faster than public key cryptography, but it requires both parties to know the key.
The symmetric key is generated randomly for each SSH session, but the private/public key combination that the server uses should always be the same. Your SSH program remembers the server's public key and will tell you if it ever changes. If you are ever notified that a server's public key is not recognized (other than the first time you connect) you should contact the administrator for that machine and ask if they reinstalled SSH or for any reason regenerated the keys. The keys should not change for reasons other than that, and if they do then it could mean that someone is listening in on your connection.
SSH needs a place to store the public keys that it gets from different servers. It uses a directory named .ssh under your home directory to store them. Users on a UNIX system generally have a home directory where all of their personal files and settings are stored. SSH expects your home directory to be c:\cygwin\home\joewinuser, and if that directory does not exist it will warn you every time that you connect that it does not recognize the computer that you are connecting to.
Your home directory is expected to be relative to c:\cygwin, so you need to create the appropriate structure. Installing bash with Cygwin should have created the structure, but it is wise to check that it exists.
1. In C:\cygwin\ create a directory named home.
2. In C:\cygwin\home\ create a directory named the same as your Windows username. (If you installed bash with Cygwin this has already been done.)
3. In C:\cygwin\home\joewinuser\ create a directory named .ssh.
Because these stored keys are an essential part of how computers using SSH communicate it is important to keep this information protected. Even if you are not going to set up key based access (allowing you to login without a password) you should read the information about key security in the Key Based Access section.
The CVS root tells WinCVS where to look when checking out and creating modules. All that is necessary is to set your CVS root so that it points to the appropriate place on the server hosting the repository. Also you need to tell CVS to use SSH.
This setup is fairly simple:
1. Open Admin, then Preferences.
2. Set CVSROOT to joeuser@cvshost.mydomain.com:/home/cvs.
3. Set Authentication to SSH Server.
4. Click OK.
SSH can authenticate connections in a variety of ways. The simplest is to type in a password, but it is also possible to have a pre-established matching set of keys that let a connecting program authenticate itself. With this setup it is not necessary for the user to enter a password repeatedly, which can be useful if you are frequently accessing the CVS server. This section covers creating a public/private key pair and then putting the public key on the server.
There are two main versions of SSH that are not compatible with each other. SSH2 is a more robust protocol and deals with several issues that SSH1 had, but SSH2 is not available everywhere. To tell which version you are using, look in the directory C:\cygwin\home\joewinuser\.ssh (SSH's data directory). Assuming that you have logged in at least once already, SSH will have saved the public key of the server that you connected to. If that file is named known_hosts then you are using SSH1. If the file is called known_hosts2 then you are using SSH2. If both files exist then you will have to look at their contents and see which one has a line beginning with cvshost.mydomain.com.
The key generation differs based on the version of SSH. Both will require you to start a command prompt and switch to the directory C:\cygwin\home\joewinuser\.ssh. From there you are going to run the command ssh-keygen, and when it asks you for a passphrase you will just hit Enter. If you use a passphrase then it will have to be entered any time you connect, so there isn't really much of an improvement over typing a password.
This process is described as a set of commands to be entered at the command prompt in the Cygwin Bash Shell. You should have installed bash along with SSH as part of the Cygwin installation. Each step gives specific instructions for the SSH version that you are using; where the command is the same for both versions it is labelled SSH1/2.
1. Change your working directory to SSH's data directory:
   SSH1/2: cd ~/.ssh
2. Generate a public/private key file pair (the file with the .pub extension is the public key and the other is the private key):
   SSH1: ssh-keygen -C email_address
   SSH2: ssh-keygen -C email_address -t rsa
3. You now need to get the public key over to cvshost.mydomain.com. You will do this with the Secure Copy (scp) command:
   SSH1: scp identity.pub joeuser@cvshost.mydomain.com:
   SSH2: scp id_rsa.pub joeuser@cvshost.mydomain.com:
4. Now you need to connect to cvshost.mydomain.com. You can do this using SSH with the command:
   SSH1/2: ssh -l joeuser cvshost.mydomain.com
5. Once you are connected you should see the public key in your home directory. You now need to add it to the list of keys that you have authorized for key based access. This data should be stored in a directory called .ssh, and if it doesn't exist then you can create it:
   SSH1/2: mkdir .ssh
6. Then add the public key that you copied over to the list of allowed keys:
   SSH1: cat identity.pub >> .ssh/authorized_keys
   SSH2: cat id_rsa.pub >> .ssh/authorized_keys2
7. You should then remove the copied public key with the command:
   SSH1: rm identity.pub
   SSH2: rm id_rsa.pub
8. You should also make sure that you are the only person who can access the list of authorized keys, with the command:
   SSH1/2: chmod -R og= .ssh
You should now be able to disconnect from cvshost.mydomain.com and reconnect without being prompted for a password.
It is very important to restrict access to c:\cygwin\home\joewinuser\.ssh on the computer where you are running WinCVS. This directory now contains your private key, which will allow anyone who has it to connect from anywhere without being prompted for a password. Even if you did not create a private key there are other keys used by SSH stored there, and if a person is able to modify them it leaves you open to a variety of attacks. It is very important to try to protect this information. A cracker could easily use it to read through any of your files or mail, and it could be someone's first step to breaking into more sensitive computers on your network.
Windows NT and 2000 allow you to change the security permissions so that you are the only person who is allowed to access a certain directory. You should open the security permissions on c:\cygwin\home\joewinuser\.ssh, remove all access for the Everyone group, and add access only for yourself.
Windows 95/98 was not created with security in mind and there is no way to restrict access to particular files in any way. If you are sharing this computer with people that you do not trust or if it is publicly accessible then you should consider discussing alternate possibilities with your administrator before setting up key based usage. If you are not using key based access then it is not a very serious risk, but if you do have your own private key then you are creating a serious security risk by storing it on your computer.
In addition to protecting your private key you can also restrict how the server will let it be used by adding options to the authorized_keys file on the server. Possible options include:
- from="pattern-list": the pattern list names the hosts that are allowed to use the key. For instance, if you are on mydomain.com you could put from="*.mydomain.com", and if someone from otherdomain.com stole your key and tried to use it they would be rejected. If you only plan on using WinCVS from one place then you can put that specific machine name or IP address in.
- command="/usr/bin/cvs server": this will allow the connecting computer to run only the cvs server command when authenticating using the private key.
- no-port-forwarding: this keeps the key from being used to forward information from one computer to another.
- no-X11-forwarding: this keeps the key from being used to access the X Window System remotely.
- no-agent-forwarding: this keeps the key from being used in authentication agent forwarding.
- no-pty: this keeps the client that opens the connection from being given access to a terminal. This can safely be done and WinCVS will still work.
The line that I recommend you put in front of the key, all on one line, is:
from="*.mydomain.com",command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
If you are using SSH for other purposes then this might be too restrictive for you, but if you are only using CVS then this should not hinder your usage, and it will minimize the risk that you suffer if your private key were ever stolen.
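As an added example (not part of the original document), the following POSIX shell script writes the restricted authorized_keys entry recommended above from a public key and audits an existing authorized_keys file for keys that lack those restrictions. The key material and file contents are constructed for the demonstration; the from= pattern and the cvs server command are the ones used in the text.

```shell
# Added example (not from the original document): build and audit restricted
# authorized_keys entries of the kind the text recommends for a CVS-only key.
# Assumes OpenSSH's authorized_keys line format: [options] key comment, where
# the key is "ssh-rsa base64" (SSH2) or "bits exponent modulus" (SSH1).

# restrict_key FROM_PATTERN COMMAND < id_rsa.pub
# Prefix each SSH2 public key read from stdin with from=, command= and the
# no-* options so the key can only run the CVS server from the allowed hosts.
restrict_key() {
    from_pattern=$1
    server_cmd=$2
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -f; set -- $line; set +f                # split fields, no globbing
        case "$1" in
            ssh-rsa|ssh-dss) ;;
            *) echo "restrict_key: not an SSH2 public key: $1" >&2; return 1 ;;
        esac
        printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
            "$from_pattern" "$server_cmd" "$line"
    done
}

# audit_keys < authorized_keys
# Report every key that could still open an unrestricted login: one with no
# options at all, or with options that lack command= or from=.
audit_keys() {
    lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            ssh-*|[0-9]*) printf 'line %d: no options\n' "$lineno"; continue ;;
        esac
        # Options precede the key; cut at the key type (SSH2) or key bits (SSH1).
        case "$line" in
            *' ssh-'*) opts=${line%%' ssh-'*} ;;
            *)         opts=${line%%' '[0-9]*} ;;
        esac
        missing=''
        case "$opts" in *command=*) ;; *) missing="$missing command=" ;; esac
        case "$opts" in *from=*)    ;; *) missing="$missing from=" ;; esac
        if [ -n "$missing" ]; then
            printf 'line %d: missing%s\n' "$lineno" "$missing"
        fi
    done
}

# Constructed sample authorized_keys (fake key material) used for the demo below.
SAMPLE_AUTHORIZED_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed1 joeuser@pc1
from="*.mydomain.com",command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructed2 joeuser@pc2
command="/usr/bin/cvs server",no-pty 1024 35 123456789constructed joeuser@pc3'

printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_keys   # reports lines 1 and 3
```

Run the audit against the real authorized_keys (and authorized_keys2) on the server after adding a key; the restricted line it produces is the one to paste in place of the bare key.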
This is a set of tests that you can do at different points in the setup to make sure that everything is configured correctly. They are incremental, so if you are stuck then you should be able to progress from the beginning to the point where the breakdown occurred.
Test 1. cvshost.mydomain.com exists and you can connect to it via SSH using the username joeuser and the password pass. To test this, run:
C:\cygwin\bin\ssh -l joeuser cvshost.mydomain.com
Test 2. On cvshost.mydomain.com there is a CVS repository in /home/cvs with a module that you are allowed to access called myproject. To test this, once connected to cvshost.mydomain.com via SSH, run:
cvs -d /home/cvs checkout myproject
and from your Windows computer run:
set CVS_RSH=ssh
c:\cygwin\bin\cvs -d :ext:joeuser@cvshost.mydomain.com:/home/cvs checkout myproject
Test 3. C:\cygwin\bin should now be listed in your path. To see the contents of your path, at a command prompt type:
echo %PATH%
C:\cygwin\bin should be in the list. This should allow you to run any of the programs in C:\cygwin\bin from anywhere. To test this, at the command prompt in some directory other than C:\cygwin\bin, run:
ssh -l joeuser cvshost.mydomain.com
If you are running Windows NT or 2000 you will need to set up key based access before attempting this section.
1. Select Create from the main menu, then Checkout Module from the Create menu.
2. Enter myproject as the module name and click OK.
3. If this is the first time you have connected to cvshost.mydomain.com using this SSH program then it will tell you that it does not recognize the public key from cvshost.mydomain.com and ask if you want to accept it. Type yes. (If you get this message repeatedly then you have likely not set your home directory correctly.)
4. You will be prompted for your password on cvshost.mydomain.com. Type in your password and press Enter.
The module should now be checked out to you. You can make changes to the files, right click on them and select Commit Selection, and have your changes committed. For more extensive information on the use of CVS see http://www.cvshome.org and http://www.wincvs.org.
Copyright (c) 2001 Will Holcomb Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation.