Using SSH to connect to CVS

Introduction

This document is a guide to setting up access to cvs.mozilla.org using SSH.

This document assumes that you already have a write-access CVS account to cvs.mozilla.org. Anonymous/read-only access via SSH is not available at this time. Please see our source code page for directions on accessing read-only CVS, and our getting write access page for directions on obtaining write access.

Generating an SSH key

First, install ssh. Most Linux, BSD, and OSX distributions come with it installed already. Cygwin makes ssh available on Windows if you install the openssh package from the Net category. If all else fails, OpenSSH is a widely used and highly portable implementation. The following command should generate a suitable key pair:

ssh-keygen -t dsa

This will take a moment, followed by a prompt for a passphrase. Once you have entered a passphrase, ssh-keygen will create two files,

~/.ssh/id_dsa

and

~/.ssh/id_dsa.pub

Do not send id_dsa.

Do file a Server Operations bug in Bugzilla and attach your id_dsa.pub to the bug.
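
A pre-attachment check for the two files above, as an added example that is not part of the original page: it refuses anything carrying a private key banner and accepts only a one-line public key. The function name, the key types accepted besides ssh-dss, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a file before attaching it to the bug.
# check_attachment FILE returns 0 only for a one-line OpenSSH public key.
check_attachment() {
    f=$1
    [ -f "$f" ] || { echo "REFUSE: $f is not a regular file" >&2; return 2; }
    # Private keys are multi-line blocks with a "PRIVATE KEY" banner.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "REFUSE: $f contains private key material" >&2
        return 1
    fi
    # A public key file is a single line: "<type> <base64-blob> [comment]".
    lines=$(grep -c '' "$f" || true)
    if [ "$lines" -ne 1 ]; then
        echo "REFUSE: $f has $lines lines, expected 1" >&2
        return 1
    fi
    read -r ktype blob rest < "$f"
    case $ktype in
        ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "REFUSE: unknown key type '$ktype'" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*)
            echo "REFUSE: key blob is not base64" >&2; return 1 ;;
    esac
    echo "OK: $f is a $ktype public key"
}

# Constructed sample files (not real key material) showing both outcomes.
demo_attachment() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAMconstructed user@example.com' \
        > "$d/id_dsa.pub"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'MIIBconstructed' \
        '-----END DSA PRIVATE KEY-----' > "$d/id_dsa"
    check_attachment "$d/id_dsa.pub"
    check_attachment "$d/id_dsa" || echo "private key was blocked"
    rm -rf "$d"
}
demo_attachment
```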

Setting up CVS to use SSH

In your system's environment, make sure that CVS_RSH is set to whatever your ssh binary is called; a full path is not necessary if ssh is already in your path.

Replace pserver with ext in your CVSROOT environment variable. If you wish to keep your previous pserver trees, you'll need to update the Root files in each CVS subdirectory in your tree. This can be done using a unix-style find and perl:

find . -name Root -exec perl -p -i -e "s/pserver/ext/" {} \;
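
A narrower variant of the command above, as an added example that is not part of the original page: it touches only files at CVS/Root, rewrites only a leading :pserver: access method, and offers a preview mode. The function name, the modes, and the sample tree with its account name are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: move checked-out trees from pserver to ext (SSH) access.
# Only files at */CVS/Root are considered, and only a leading ":pserver:"
# access method is rewritten; the rest of the line is preserved.

# convert_roots MODE [TREE]
#   MODE=list  prints the Root files that still use pserver (changes nothing)
#   MODE=apply rewrites them to :ext: and prints each file it changed
convert_roots() {
    find "${2:-.}" -type f -path '*/CVS/Root' -exec sh -c '
        mode=$1; shift
        for root do
            if grep -q "^:pserver:" "$root"; then
                if [ "$mode" = apply ]; then
                    # Root holds a single line, so rewrite it in place.
                    new=$(sed "s/^:pserver:/:ext:/" "$root") &&
                        printf "%s\n" "$new" > "$root"
                fi
                printf "%s\n" "$root"
            fi
        done' sh "$1" {} +
}

# Constructed sample tree (hypothetical account name) to show the behaviour.
demo_roots() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/mozilla/CVS" "$tree/mozilla/docs"
    printf ':pserver:user%%example.com@cvs.mozilla.org:/cvsroot\n' \
        > "$tree/mozilla/CVS/Root"
    printf 'notes about pserver\n' > "$tree/mozilla/docs/Root"  # not CVS metadata
    convert_roots list "$tree"      # preview: lists mozilla/CVS/Root only
    convert_roots apply "$tree"     # rewrite
    cat "$tree/mozilla/CVS/Root" "$tree/mozilla/docs/Root"
    rm -rf "$tree"
}
demo_roots
```

Run the list mode first from the top of your tree, then apply once the listed files are the ones you expect.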

Dealing with firewalls

Do not attempt to perform the steps in this section unless you have first verified that you can access cvs.mozilla.org from outside of the firewall. Only proceed with these steps once you are certain you can access cvs.mozilla.org from the open Internet.

If you are behind a firewall with an HTTP tunneling proxy, you can use a program called corkscrew, in combination with the ProxyCommand ssh config directive, to continue to access the Mozilla CVS server. This technique was taken from Eric Engstrom's site, but the instructions have been re-written specifically for Mozilla.

  1. Download, build, and install corkscrew by following the instructions in the INSTALL file in the corkscrew source distribution. Corkscrew uses the standard "./configure; make install" technique common to many open source projects.
  2. Make sure you have a ~/.ssh/config file that has at least the following directives:
PreferredAuthentications hostbased,publickey,password
Host cvs.mozilla.org
  ProxyCommand corkscrew proxyserver.foo.com port %h %p

Replace proxyserver.foo.com with the hostname of your proxy server, and port with the numeric TCP port on which the HTTP tunnel is running.

The usual cvs commands should now work.

Avoiding passphrase requests

You can avoid repeated passphrase requests by using ssh-agent. If you don't already run ssh-agent on your computer, it's probably easiest to start it up whenever you set up your environment to check out and build Mozilla. Assuming you use a shell script or batch file to set things up, just add the commands below to the end of your file.

POSIX shell

eval `ssh-agent -s`
ssh-add ~/.ssh/id_dsa
$SHELL
ssh-agent -k
exit

X Windows

In "~/.xinitrc" add "ssh-add". This will bring up a graphical box just after login, and before the desktop loads, asking for your passphrase. The passphrase will be held for the length of the X session, and be passed on to all child shells.

MS-DOS command prompt

Cygwin
for /f "tokens=1,2,3* delims=; " %%a in ('ssh-agent -c') do if "%%a"=="setenv" set %%b=%%c
set HOME=/cygdrive/c/path/to/your/cygwin/home/directory
ssh-add ~/.ssh/id_dsa
start /b /wait cmd.exe
ssh-agent -k
exit

Essentially both sets of commands do the same thing. First ssh-agent is called and its output is evaluated in the current environment. This sets environment variables that let cvs know how to find and use the agent. Your private key is then added to ssh-agent using ssh-add at which point you will be prompted for the key's passphrase. Since it's important that you kill the agent when you're finished with it, the last three lines start a child environment that, when exited, will result in the agent's process being killed. The environment you will actually use to build is the child environment.

There are a few things to note about the commands for the MS-DOS Command Prompt. First of all, they will only work in versions of Windows based on NT (NT/2000/XP). If you're building on Win9x/WinME you'll need to find an alternative solution. If you're typing the commands directly (as opposed to storing them in a batch file that you call), you'll need to replace the occurrences of "%%" in the first line with "%". Finally, note that ssh-add needs the environment variable HOME to be set with the cygwin path to your cygwin home directory.

MozillaBuild

If you're using MozillaBuild, ssh-agent should be started when you run the start-msvc???.bat file. You should be prompted to enter your passphrase.

MozillaBuild 1.2 contains a bug that will stop ssh-agent from automatically starting with MSYS. To fix this, apply this diff to c:\mozilla-build\msys\etc\profile.d\profile-sshagent.sh.

Document Tags and Contributors

 Contributors to this page: teoli, Brycenesbitt, bhearsum, Mgjbot, Nickolay, Edburns@acm.org
 Last updated by: Brycenesbitt,