SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Tue, 31 Jan 2006 11:41:35 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:

> > Giorgos, Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine!
> >
> > We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you!
>
> I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :)

Giorgos,

Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).

I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.

We are getting a 'Key Refused' error when trying to use public key authentication. I have tried doing several things including editing the /etc/ssh/sshd_config file:

    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

We also had to make these changes in order to get password based ssh to work:

    UsePAM no
    PermitRootLogin yes

We also tried putting the public key into various files:

    .ssh/authorized_keys
    .ssh/authorized_keys2
    .ssh2/authorized_keys
    .ssh2/authorized_keys2

(and made sure they are not group/world writable. The keys are SSH2 DSA 1024 bits)

I tried looking in the /var/log/auth.log file, and what I'm seeing is:

    Feb 2 10:19:26 mail1 sshd2[15343]: connection from xxx.xx.xxx.x
    Feb 2 10:19:26 mail1 sshd2[15344]: WARNING: DNS lookup failed for xxx.xx.xxx.\
    x.
    Feb 2 10:19:29 mail1 sshd2[15344]: Local disconnected: Connection closed.
    Feb 2 10:19:29 mail1 sshd2[15344]: connection lost: 'Connection closed.'

(I set LogLevel DEBUG3 in sshd_config. I don't think the DNS error is relevant, because password based ssh is working. But I could be wrong. What do you think?)

Do you have any idea where I can look to find out why the key is being refused? Are there any other logfiles other than auth.log that could give a clue to what's going wrong?

Thanks!

Regards, DB
--
  david bryce
  [EMAIL PROTECTED]
--
http://www.fastmail.fm - A fast, anti-spam email service.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 10:30, david bryce [EMAIL PROTECTED] wrote: On Tue, 31 Jan 2006 11:41:35 +0200, Giorgos Keramidas [EMAIL PROTECTED] said: We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you! I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :) Giorgos, Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( Perhaps someone else on freebsd-questions can help with Putty? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote:

> > I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>
> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(

erhm.. cd /usr/ports/security/putty;make install :-)

--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
Try one or more of the following things: - Use puttygen to import your private key, and then export as .ppk - Load your key.ppk into pageant, and let it manage your private key(s) - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]). Please inform me of your results. On 2/2/06, david bryce [EMAIL PROTECTED] wrote: On Tue, 31 Jan 2006 11:41:35 +0200, Giorgos Keramidas [EMAIL PROTECTED] said: Giorgos, Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine! We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you! I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :) Giorgos, Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. We are getting a 'Key Refused' error when trying to use public key authentication. 
I have tried doing several things including editing the /etc/ssh/sshd_config file: PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys We also had to make these changes in order to get password based ssh to work: UsePAM no PermitRootLogin yes We also tried putting the public key into various files: .ssh/authorized_keys .ssh/authorized_keys2 .ssh2/authorized_keys .ssh2/authorized_keys2 (and made sure they are not group/world writable. The keys are SSH2 DSA 1024 bits) I tried looking in the /var/log/auth.log file, and what I'm seeing is: Feb 2 10:19:26 mail1 sshd2[15343]: connection from xxx.xx.xxx.x Feb 2 10:19:26 mail1 sshd2[15344]: WARNING: DNS lookup failed for xxx.xx.xxx.\ x. Feb 2 10:19:29 mail1 sshd2[15344]: Local disconnected: Connection closed. Feb 2 10:19:29 mail1 sshd2[15344]: connection lost: 'Connection closed.' (I set LogLevel DEBUG3 in sshd_config. I don't think the DNS error is relevant, because password based ssh is working. But I could wrong. What do you think?) Do you have any idea where I can look to find out why the key is being refused? Are there any other logfiles other than auth.log that could give a clue to what's going wrong? Thanks! Regards, DB -- david bryce [EMAIL PROTECTED] -- http://www.fastmail.fm - A fast, anti-spam email service. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas Giorgos, Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( Perhaps someone else on freebsd-questions can help with Putty? Thanks, Giorgos! What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks! Regards, DB -- david bryce [EMAIL PROTECTED] -- http://www.fastmail.fm - mmm... Fastmail... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said: Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. We are getting a 'Key Refused' error when trying to use public key authentication. I have tried doing several things including editing the /etc/ssh/sshd_config file: Try one or more of the following things: - Use puttygen to import your private key, and then export as .ppk - Load your key.ppk into pageant, and let it manage your private key(s) - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]). Please inform me of your results. Daniel, Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server? Thanks! Regards, DB -- david bryce [EMAIL PROTECTED] -- http://www.fastmail.fm - The way an email service should be ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote: On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( Perhaps someone else on freebsd-questions can help with Putty? What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks! /var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Feb 1, 2006, at 4:33 PM, david bryce wrote: On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said: Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. We are getting a 'Key Refused' error when trying to use public key authentication. I have tried doing several things including editing the /etc/ssh/sshd_config file: Try one or more of the following things: - Use puttygen to import your private key, and then export as .ppk - Load your key.ppk into pageant, and let it manage your private key(s) - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]). Please inform me of your results. Daniel, Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server? Thanks! Regards, DB -- david bryce [EMAIL PROTECTED] -- http://www.fastmail.fm - The way an email service should be Can you login using any key in the authorized_keys file? Also, what's the umask for authorized keys (ls -l .ssh/authorized_keys)? -Garrett ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, Feb 02, 2006 at 11:27:54AM +1100, david bryce wrote:

> What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!

I often find it more useful to temporarily run a second sshd on an alternate port, with stderr directed to the console and sshd in no-detach and debug mode. Try the following:

    $ sshd -d -d -d -e -D -p 222

Then watch the output as you try to connect on that port

    $ ssh -p 222 myhost

If you'd like, you can redirect the output to a file, too, but I find that screen(1)'s scrollback usually is enough for me.

--
o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | email:[EMAIL PROTECTED] |
| [EMAIL PROTECTED] | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 00:57, albi [EMAIL PROTECTED] wrote: On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote: I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( erhm.. cd /usr/ports/security/putty;make install :-) Heh! Well, fancy that... That's one of the side-effects of having an SSH client in the base-system, I guess. Thanks to DES, I never needed Putty on FreeBSD so far :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
david bryce wrote: On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said: Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. We are getting a 'Key Refused' error when trying to use public key authentication. I have tried doing several things including editing the /etc/ssh/sshd_config file: Try one or more of the following things: - Use puttygen to import your private key, and then export as .ppk - Load your key.ppk into pageant, and let it manage your private key(s) - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]). Please inform me of your results. Daniel, Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server? Thanks! Regards, DB Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work. HTH, Micah ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Feb 1, 2006, at 4:54 PM, Giorgos Keramidas wrote: On 2006-02-02 00:57, albi [EMAIL PROTECTED] wrote: On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote: I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( erhm.. cd /usr/ports/security/putty;make install :-) Heh! Well, fancy that... That's one of the side-effects of having an SSH client in the base-system, I guess. Thanks to DES, I never needed Putty on FreeBSD so far :) Putty's just a nice lightweight GUI ssh client for Windows that was ported to Unix sometime in the past 2 years. -Garrett ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 02:38:29 +0200, Giorgos Keramidas [EMAIL PROTECTED] said: On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote: On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication. Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( Perhaps someone else on freebsd-questions can help with Putty? What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks! /var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted. Thanks, Giorgos! /var/log/messages didn't have anything in it either. You'd think there'd be a way to force sshd to write to the log why it rejected a private key. Thank you! Regards. DB -- david bryce [EMAIL PROTECTED] -- http://www.fastmail.fm - Access all of your messages and folders wherever you are ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Wed, 01 Feb 2006 16:59:53 -0800, Micah [EMAIL PROTECTED] said:

> david bryce wrote:
> > We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server? Thanks! Regards, DB
>
> Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work. HTH, Micah

Thanks, Micah! I did use copy and paste out of the public key memo box.

Regards, DB
--
  david bryce
  [EMAIL PROTECTED]
--
http://www.fastmail.fm - Send your email first class
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Wed, 01 Feb 2006 16:59:53 -0800, Micah [EMAIL PROTECTED] said:

> david bryce wrote:
> > On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said:
> > > > Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>
> Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work. HTH, Micah

Hi All,

I must apologize to all, as there seems to be a sshd2 installation on this machine which was muddying the water. Please see the thread titled Attention: Garrett Cooper (Was: SSH with Public Key Authentication).

Regards, DB
--
  david bryce
  [EMAIL PROTECTED]
--
http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
david bryce wrote:

> On Thu, 2 Feb 2006 02:38:29 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:
> > On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote:
> > > On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas
> > > > > I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver). I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
> > > >
> > > > Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-( Perhaps someone else on freebsd-questions can help with Putty?
> > >
> > > What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!
> >
> > /var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted.
>
> Thanks, Giorgos! /var/log/messages didn't have anything in it either. You'd think there'd be a way to force sshd to write to the log why it rejected a private key. Thank you!

You do know that putty generates keys using the preferred SSH2-compatible format of SSH Corp (http://www.ssh.com/) whereas the FreeBSD box you're trying to log into uses the slightly different format from the OpenSSH project (http://www.openssh.org/)?

If you generate your keys within putty, then copy the public key onto your FreeBSD box you can convert the format like so:

    # ssh-keygen -i -f putty.pubkey > openssh.pubkey

If you examine the two files, you'll see that the differences are that the OpenSSH one doesn't have the 'BEGIN' and 'END' lines, and all of the data is on one single long line. There's also a '-e' option for exporting OpenSSH keys to the SSH2-compatible format.

Oh, and to get more logging info out of sshd, run it with 3 '-d' flags on a separate port number:

    sshd -d -d -d -p

That will cause ssh not to daemonize, so it will quit when you end your ssh session. You don't want to run sshd with max debug turned on all the time, as it will potentially leak sensitive information.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
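The causes raised in this thread for a refused key (group/world-writable files, and a public key stored in the SSH2 BEGIN/END layout instead of OpenSSH's single-line form) can be checked on the server before the next login attempt. The script below is an added example, not code from any poster; the function name, the finding labels and the sample key text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of an authorized_keys file.
# Prints one finding per line; returns 0 if there is nothing to report, else 1.

check_authorized_keys() {
    _file=$1
    _found=0
    _in_ssh2=0
    _n=0
    _cr=$(printf '\r')

    if [ ! -f "$_file" ]; then
        echo "MISSING $_file"
        return 1
    fi

    # The file and the directory holding it must not be writable by group
    # or others: characters 6 and 9 of the ls -ld mode string.
    for _p in "$_file" "$(dirname "$_file")"; do
        case $(ls -ld "$_p" | cut -c6,9) in
            *w*) echo "WRITABLE $_p"; _found=1 ;;
        esac
    done

    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _line=${_line%"$_cr"}        # tolerate CRLF from a Windows editor
        if [ "$_in_ssh2" -eq 1 ]; then
            # Skip the body of an SSH2-format block, report it only once.
            case $_line in
                '---- END SSH2 PUBLIC KEY ----'*) _in_ssh2=0 ;;
            esac
            continue
        fi
        case $_line in
            ''|'#'*) ;;              # blank line or comment
            '---- BEGIN SSH2 PUBLIC KEY ----'*)
                echo "SSH2-FORMAT line $_n"; _found=1; _in_ssh2=1 ;;
            # OpenSSH form: [options] keytype base64 [comment], on one line.
            *ssh-dss\ AAAA*|*ssh-rsa\ AAAA*|*ssh-ed25519\ AAAA*|*ecdsa-sha2-*\ AAAA*) ;;
            # Anything else, e.g. the tail of a key that was wrapped on paste.
            *) echo "NOT-A-KEY line $_n"; _found=1 ;;
        esac
    done < "$_file"
    return "$_found"
}

# Demo on a constructed file: SSH2 layout plus a group-writable mode.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir "$_d/.ssh" && chmod 700 "$_d/.ssh"
    cat > "$_d/.ssh/authorized_keys" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed-sample-key"
AAAAB3NzaC1kc3MAAACBAExampleOnlyNotARealKey
---- END SSH2 PUBLIC KEY ----
EOF
    chmod 664 "$_d/.ssh/authorized_keys"
    check_authorized_keys "$_d/.ssh/authorized_keys"
    _rc=$?
    rm -rf "$_d"
    return "$_rc"
}

demo || echo "findings above need fixing before the key can be accepted"
```

An SSH2-FORMAT finding is the case the `ssh-keygen -i -f` conversion above addresses; a WRITABLE finding is fixed with chmod on the named path.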
Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions)
On 2006-01-31 14:00, david bryce [EMAIL PROTECTED] wrote: On 2006-01-30 15:52, david bryce davidbryce at fastmail.fm wrote: Hi All, I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory: drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work? That depends on what your `umask' currently is. Do I have to use chmod to grant write access to the group every time I do an import? No. The correct way to fix this is to set CVSUMASK in your shell environment, and then import the files :) Giorgos, Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine! However, I'm not sure what to do in client/server situations. The CVS manual states: Note that using the client/server CVS (see section Remote repositories), there is no good way to set CVSUMASK; the setting on the client machine has no effect. We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you! I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: I'm stubborn or stupid (and that's not xor) (Was: CVS Import Permissions)
On 2006-01-31 00:44, Duane [EMAIL PROTECTED] wrote:

> Hi everyone, On the CVS server machine should our CVS repository directory belong to the cvs group, i.e. user==root, group==cvs?

It's usually a good idea.

> And as for the umask, as it appears to be 027, if we give the cvs group write permission on /usr/local/cvsrep then when we import our projects they will be writeable by members of group cvs and the owner of the project, in this case jim.

No. This is not how `umask' works. Whatever value `umask' currently has is logically-AND-ed with 0666. This means that by using 027, the result is:

    $ python
    >>> print "%04o" % (066 & 027)
    0026

These are the bits that will be turned *off* for new files (see the umask(2) manpage for details), so to find out which permission bits are allowed, you have to use the reverse mask:

    >>> print "%04o" % (0777 & ~(066 & 027))
    0751

The 0751 allowed-bits mask is equivalent to:

    rwxr-x--x

This means that with a umask of 027, you are effectively allowing only the bits in ``rwxr-x--x'' to be turned on by default for new files, and this doesn't include write permission for the group.

I know that the whole `umask' concept is a bit tricky to grasp, since it depends on knowledge of numbering with an octal-base *AND* it works in the reverse order of what people usually think it does, but hopefully, with the help of our excellent manpages and a bit of experimentation, it will become more obvious :)

> I apologize if I am being all the things suggested in my subject heading.

Nah! Never apologize for a question. There is no such thing as a stupid question for this list (well, unless the question refers to Windows, of course :P).

- Giorgos
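An added shell example (not part of the thread) for experimenting with this: it creates a directory and a file under a given umask and prints the modes that result, next to the value computed as requested mode AND NOT umask, the rule in umask(2). The function names are made up here. With 027 the directory comes out as drwxr-x---, the listing shown for test_proj elsewhere in this thread.

```shell
#!/bin/sh
# Added example: observe what a umask leaves of the requested permissions.

# expected_mode REQUESTED UMASK -> octal mode after the mask is applied.
# Both arguments need a leading 0 so the shell reads them as octal.
expected_mode() {
    printf '%04o\n' $(( $1 & ~$2 & 0777 ))
}

# perms_under_umask UMASK -> "<dir-mode> <file-mode>" as ls-style strings,
# taken from objects really created under that umask in a scratch directory.
perms_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        mkdir "$tmp/dir"          # mkdir requests 0777
        : > "$tmp/file"           # a shell redirection requests 0666
        d=$(ls -ld "$tmp/dir" | cut -c1-10)
        f=$(ls -l "$tmp/file" | cut -c1-10)
        rm -rf "$tmp"
        echo "$d $f"
    )
}

# group_can_write MODESTRING -> success if the group write bit is set.
group_can_write() {
    [ "$(printf '%s\n' "$1" | cut -c6)" = "w" ]
}

# Compare the masks discussed in the thread (022, 027) with two that keep
# group write (002, 007), which is what a shared repository needs.
for m in 022 027 002 007; do
    set -- $(perms_under_umask "$m")
    if group_can_write "$1"; then gw="group can write"; else gw="group cannot write"; fi
    printf 'umask %s: dir %s (%s) file %s (%s) -> %s\n' \
        "$m" "$1" "$(expected_mode 0777 "$m")" \
        "$2" "$(expected_mode 0666 "$m")" "$gw"
done
```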
Re: I'm stubborn or stupid (and that's not xor) (Was: CVS Import Permissions)
Giorgos Keramidas wrote:

> On 2006-01-31 00:44, Duane [EMAIL PROTECTED] wrote:
> > Hi everyone, On the CVS server machine should our CVS repository directory belong to the cvs group, i.e. user==root, group==cvs?
>
> It's usually a good idea.
>
> > And as for the umask, as it appears to be 027, if we give the cvs group write permission on /usr/local/cvsrep then when we import our projects they will be writeable by members of group cvs and the owner of the project, in this case jim.
>
> No. This is not how `umask' works. Whatever value `umask' currently has is logically-AND-ed with 0666. This means that by using 027, the result is:
>
>     $ python
>     >>> print "%04o" % (066 & 027)
>     0026
>
> These are the bits that will be turned *off* for new files (see the umask(2) manpage for details), so to find out which permission bits are allowed, you have to use the reverse mask:
>
>     >>> print "%04o" % (0777 & ~(066 & 027))
>     0751
>
> The 0751 allowed-bits mask is equivalent to:
>
>     rwxr-x--x
>
> This means that with a umask of 027, you are effectively allowing only the bits in ``rwxr-x--x'' to be turned on by default for new files, and this doesn't include write permission for the group.
>
> I know that the whole `umask' concept is a bit tricky to grasp, since it depends on knowledge of numbering with an octal-base *AND* it works in the reverse order of what people usually think it does, but hopefully, with the help of our excellent manpages and a bit of experimentation, it will become more obvious :)
>
> > I apologize if I am being all the things suggested in my subject heading.
>
> Nah! Never apologize for a question. There is no such thing as a stupid question for this list (well, unless the question refers to Windows, of course :P).
>
> - Giorgos

Thanks Giorgos. That's an excellent explanation on computing the allowed bits. One of my mistakes was logically-AND-ing with 0777.

Sincerely
--Duane
Re: CVS Import Permissions
On 2006-01-30 15:52, david bryce [EMAIL PROTECTED] wrote:
> Hi All,
>
> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>
>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>
> Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work?

That depends on what your `umask' currently is.

> Do I have to use chmod to grant write access to the group every time I do an import?

No. The correct way to fix this is to set CVSUMASK in your shell environment, and then import the files :)

Of course, now that the import is done, you can still use a bit of ``repository hackery'' to set the g+w bit for the checked in sources.

> Or is my CVS not configured correctly?

Your cvs is fine. The default umask is 022, which strips off g+w permissions from all newly created files; including the ones CVS creates in the repository.

> If I don't grant write access to the group on that directory, every check in fails with a could not open lock file `/usr/local/cvs/test_proj/,test.txt,': Permission denied. I tried setting the LockDir in the config file to a world-writable directory, but this doesn't seem to solve the problem when trying to check-in.

The RCS files inside `/usr/local/cvs/test_proj' have no group-write permission. You can fix this by something like this:

    $ cd $CVSROOT
    $ find . -print0 | xargs -0 chmod g+w

This is the sort of ``repository hackery'' I mentioned above.
Re: CVS Import Permissions
Giorgos Keramidas wrote:
> On 2006-01-30 15:52, david bryce [EMAIL PROTECTED] wrote:
>> Hi All,
>>
>> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>>
>>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>>
>> Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work?
>
> That depends on what your `umask' currently is.
>
>> Do I have to use chmod to grant write access to the group every time I do an import?
>
> No. The correct way to fix this is to set CVSUMASK in your shell environment, and then import the files :)
>
> Of course, now that the import is done, you can still use a bit of ``repository hackery'' to set the g+w bit for the checked in sources.
>
>> Or is my CVS not configured correctly?
>
> Your cvs is fine. The default umask is 022, which strips off g+w permissions from all newly created files; including the ones CVS creates in the repository.
>
>> If I don't grant write access to the group on that directory, every check in fails with a could not open lock file `/usr/local/cvs/test_proj/,test.txt,': Permission denied. I tried setting the LockDir in the config file to a world-writable directory, but this doesn't seem to solve the problem when trying to check-in.
>
> The RCS files inside `/usr/local/cvs/test_proj' have no group-write permission. You can fix this by something like this:
>
>     $ cd $CVSROOT
>     $ find . -print0 | xargs -0 chmod g+w
>
> This is the sort of ``repository hackery'' I mentioned above.

Hi everyone,

I'm new to taking into consideration the wider security issues of system administration. I apologize for this long post but maybe the answer can save me and others from future pain.

What I'm not sure I understand is why would we not want to grant write access to the cvs group? According to the instructions I've read that is CVS's basic requirement, i.e. having write access to the repository. When I set up a repository without this write access the import failed for me as well. One assumption I am making is that it is better to have one group with write permission than explicit write permission given to many different users.

So here is how I set up my repository, starting as root:

    # cd /usr/local
    # mkdir cvsrep
    # chgrp cvs cvsrep
    # chmod g+w cvsrep
    # cvs -d /usr/local/cvsrep init
    # ll
    drwxrwxr-x 2 root cvs 512 Jan 30 10:25 cvsrep
    # ll cvsrep
    drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT

    duane$ cvs -d /usr/local/cvsrep import -m "blah blah blah" testproj duane start
    duane$ ll /usr/local/cvsrep
    drwxrwxr-x 3 root cvs 1024 Jan 30 10:26 CVSROOT
    drwxrwxr-x 5 duane cvs 512 Jan 30 10:32 testproj

    john$ cvs -d /usr/local/cvsrep co testproj
    {typical checkout stuff: all's good}
    john$ ll
    -rw-rw-r-- 1 john john 62 Jan 30 10:40 proj.c
    john: /usr/home/john/testproj$ cvs -d /usr/local/cvsrep update
    {typical update stuff, no conflicts, all's good}
    john$ ll /usr/local/cvsrep
    drwxrwxr-x 5 duane cvs 512 Jan 30 10:26 testproj
    john$ ll /usr/local/cvsrep/testproj
    ... ... . . .
    -r--r--r-- 1 duane cvs 482 Jan 30 10:55 proj.c,v

Now I don't want to make any assumptions about whether this infrastructure is safe or not. That's why I'm asking the question. Everything seems to work but am I leaving myself open to any known security problems?

Sorry for the length of this long post. If I should have posted this differently please let me know.

Sincere Thanks
--Duane Whitty
[EMAIL PROTECTED]
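An added example, not part of the original thread: a permission audit for a repository laid out as in the listing above. It flags directories that lack group rwx (the condition behind the lock-file "Permission denied" error quoted earlier) and anything world-writable. The sample tree is constructed, and the `locks` directory name is a hypothetical stand-in for a world-writable LockDir.

```python
import os
import stat
import tempfile

def audit_repository(root):
    """Return sorted (relative path, problem) pairs for a CVS repository tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [None] + filenames:           # None audits the directory itself
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                           # symlink modes are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISDIR(st.st_mode) and (mode & 0o070) != 0o070:
                findings.append((rel, "directory lacks group rwx"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; module and directory names are illustrative."""
    os.chmod(root, 0o775)
    for module, dir_mode in (("testproj", 0o775), ("test_proj", 0o750)):
        module_dir = os.path.join(root, module)
        os.mkdir(module_dir)
        os.chmod(module_dir, dir_mode)             # chmod is not filtered by the umask
        rcs_file = os.path.join(module_dir, "proj.c,v")
        open(rcs_file, "w").close()
        os.chmod(rcs_file, 0o444)                  # read-only RCS file, as in the listing
    lock_dir = os.path.join(root, "locks")         # hypothetical world-writable LockDir
    os.mkdir(lock_dir)
    os.chmod(lock_dir, 0o777)

def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_repository(root)

if __name__ == "__main__":
    for rel, problem in demo():
        print("%-12s %s" % (rel, problem))
```

The read-only `,v` files are not reported: commits need write access to the directory that holds them, not to the files themselves.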
Attention: Giorgos Keramidas (Was: CVS Import Permissions)
> On 2006-01-30 15:52, david bryce davidbryce at fastmail.fm wrote:
>> Hi All,
>>
>> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>>
>>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>>
>> Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work?
>
> That depends on what your `umask' currently is.
>
>> Do I have to use chmod to grant write access to the group every time I do an import?
>
> No. The correct way to fix this is to set CVSUMASK in your shell environment, and then import the files :)

Giorgos,

Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine!

However, I'm not sure what to do in client/server situations. The CVS manual states:

    Note that using the client/server CVS (see section Remote repositories), there is no good way to set CVSUMASK; the setting on the client machine has no effect.

We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done?

Thank you!

Regards,
DB
--
david bryce
[EMAIL PROTECTED]
I'm stubborn or stupid (and that's not xor) (Was: CVS Import Permissions)
david bryce wrote:
>> On 2006-01-30 15:52, david bryce davidbryce at fastmail.fm wrote:
>>> Hi All,
>>>
>>> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>>>
>>>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>>>
>>> Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work?
>>
>> That depends on what your `umask' currently is.
>>
>>> Do I have to use chmod to grant write access to the group every time I do an import?
>>
>> No. The correct way to fix this is to set CVSUMASK in your shell environment, and then import the files :)
>
> Giorgos,
>
> Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine!
>
> However, I'm not sure what to do in client/server situations. The CVS manual states:
>
>     Note that using the client/server CVS (see section Remote repositories), there is no good way to set CVSUMASK; the setting on the client machine has no effect.
>
> We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done?
>
> Thank you!
>
> Regards,
> DB

Hi everyone,

On the CVS server machine should our CVS repository directory belong to the cvs group, i.e. user==root, group==cvs?

And as for the umask, as it appears to be 027, if we give the cvs group write permission on /usr/local/cvsrep then when we import our projects they will be writeable by members of group cvs and the owner of the project, in this case jim.

CVS gives all the source files under test_proj permissions -r--r--r-- regardless of the umask.

So since this is an existing repository maybe there is extra work. What is the biggest factor, the number of distinct projects in the repository?

But as a start why not do a

    chgrp cvs cvsrep; chmod g+w cvsrep

In a new repository this would make sure all permissions started off correctly. Unfortunately real life is never that simple.

Is this not how CVS would like it?

I apologize if I am being all the things suggested in my subject heading. I've posted these opinions a couple of times without response. Perhaps they are inappropriate to the list or irrelevant to David's situation, or maybe just wrong? I'll let it drop after this. I certainly don't mean to muddy the waters but to me this is what this list is all about and I believe this issue goes to the heart of UN*X administration.

Sincerely,
--Duane Whitty
CVS Import Permissions
Hi All,

I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:

    drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj

Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work? Do I have to use chmod to grant write access to the group every time I do an import? Or is my CVS not configured correctly?

If I don't grant write access to the group on that directory, every check in fails with a could not open lock file `/usr/local/cvs/test_proj/,test.txt,': Permission denied. I tried setting the LockDir in the config file to a world-writable directory, but this doesn't seem to solve the problem when trying to check-in.

Thank you!

Regards,
DB
--
david bryce
[EMAIL PROTECTED]
Re: CVS Import Permissions
david bryce wrote:
> Hi All,
>
> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>
>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>
> Notice that the group (cvs) is not granted write access. Is this the way it's supposed to work? Do I have to use chmod to grant write access to the group every time I do an import? Or is my CVS not configured correctly?
>
> If I don't grant write access to the group on that directory, every check in fails with a could not open lock file `/usr/local/cvs/test_proj/,test.txt,': Permission denied. I tried setting the LockDir in the config file to a world-writable directory, but this doesn't seem to solve the problem when trying to check-in.
>
> Thank you!
>
> Regards,
> DB

Hi,

I highly recommend the following book. It is available for viewing online or as a downloadable PDF:

http://cvsbook.red-bean.com/

Best Regards,
--Duane Whitty
[EMAIL PROTECTED]
CVS Import Permissions
> david bryce wrote:
>> I am having some confusion regarding the way CVS works with permissions under unix when importing a new project. Currently, when I import a project, I get this sort of permissions on the project directory:
>>
>>     drwxr-x--- 2 jim cvs 512 Jan 27 12:31 test_proj
>
> Hi,
>
> I highly recommend the following book. It is available for viewing online or as a downloadable PDF:
>
> http://cvsbook.red-bean.com/
>
> Best Regards,
> --Duane Whitty
> duane at greenmeadow.ca

Thanks, Duane. I have already read this excellent book, but couldn't find any clues there pertaining directly to this question.

Thanks!

Regards,
DB
--
david bryce
[EMAIL PROTECTED]