CVS SSH on Linux and Windows... Again!

Ok, maybe I'm missing the point and someone can enlighten me.

I've noticed that on both Linux (with OpenSSH) and Windows (with Plink), I
am always required to add my keys to the agent (Windows) or ssh-add (Linux)
before I can automatically connect to a remote ssh cvs server (sourceforge
in my case). If I don't use the agent or do a ssh-add, then I'm always
asked for the password.

Am I missing something here? What the heck are we specifying the location
and name of the private key file, if we need to rely on those 2 other tools
to get us going in the right direction? It seems like the private key file
is just useless.

Can someone explain? Is there more to come feature wise which will resolve
all this? To me if I'm using the private key, I'm assuming IDEA is going to
take care of submitting that. If my private key has a password, I expect
IDEA to ask me for the password once per IDEA session, and then cache it. I
would like to see a timeout for the key actually added, but that's another
story.

Did I hit a bug, or is this how it's intended to behave?

Thanks
R


6 comments

Robert S. Sfeir wrote:

> Ok, maybe I'm missing the point and someone can enlighten me.
>
> I've noticed that on both Linux (with OpenSSH) and Windows (with Plink), I
> am always required to add my keys to the agent (Windows) or ssh-add (Linux)
> before I can automatically connect to a remote ssh cvs server (sourceforge
> in my case). If I don't use the agent or do a ssh-add, then I'm always
> asked for the password.


This is the way ssh works. It's supposedly for security reasons. One way
to get around this is to create a private/public key pair that has no
password. That is dangerous though ;)

> Am I missing something here? What the heck are we specifying the location
> and name of the private key file, if we need to rely on those 2 other tools
> to get us going in the right direction? It seems like the private key file
> is just useless.


ssh-agent/Pageant maintains a list of private keys that you are going to
use often and it caches the passwords for you. When you actually make a
connection to an ssh server, you have to tell ssh which private key you
want to use, hence the option in IDEA CVS options.

> Can someone explain? Is there more to come feature wise which will resolve
> all this? To me if I'm using the private key, I'm assuming IDEA is going to
> take care of submitting that. If my private key has a password, I expect
> IDEA to ask me for the password once per IDEA session, and then cache it. I
> would like to see a timeout for the key actually added, but that's another
> story.


The problem with the password thing is that IDEA would have to parse
stdout/stderr of the ssh tool in order to find out when it should
provide the password. That's heuristic and prone to error from changes
in the underlying ssh tool and it may not even be possible with some
tools (plink perhaps?). It's better to use the standard key/password
caching tool provided by the ssh package that you're using.

Ciao,
Gordon

--
Gordon Tyler (Software Developer)
Quest Software <http://java.quest.com/>
260 King Street East, Toronto, Ontario M5A 4L5, Canada
Voice: 416-643-4846 | Fax: 416-594-1919

0

That's my point though, Gordon, I HAVE no password on my identity file, so
why should I have to load things in the agent? What's the point of the
private key specification in IDEA if it's got to be specified elsewhere?

Also on the password part, you can almost always pass the password from the
command line if you want with the whole connection string, so why not have a
password field (encrypted of course) in IDEA which passes the info along
with it. It would be our job to know that hey there's a password on this,
so here is the password as part of it, submit it and we're done. If there
is no password, then there shouldn't be a need for anything at all.

Dunno, it's just annoying. Maybe I need to get used to it more.

R


0

Robert S. Sfeir wrote:

> That's my point though, Gordon, I HAVE no password on my identity file, so
> why should I have to load things in the agent? What's the point of the
> private key specification in IDEA if it's got to be specified elsewhere?


That's what I thought as well. And you say this isn't the case? I haven't
used the CVS over SSH settings in IDEA so I don't actually know what
IDEA does in this case.

> Also on the password part, you can almost always pass the password from the
> command line if you want with the whole connection string, so why not have a


You can't do that with ssh (ssh on cygwin, probably OpenSSH and
derivatives). It doesn't take the password on the command line as far as
I can tell. Allowing that would mean the password is floating around
unencrypted in memory which would make some very paranoid people sweat
;) Plink does appear to take the password on the command line though.

Ciao,
Gordon

--
Gordon Tyler (Software Developer)
Quest Software <http://java.quest.com/>
260 King Street East, Toronto, Ontario M5A 4L5, Canada
Voice: 416-643-4846 | Fax: 416-594-1919

0

Ok I just checked to make sure, I have no password on my identity file, and I can log into shell.sourceforge.net from the command line without entering anything, so I am getting authenticated properly.

If I do it in IDEA then it constantly asks me for a password. If it's asking me for a password once, why in the world can it not remember and cache it and just use it? If there are 5 modules at the root of cvs, I have to enter that password 5 times! Pain in the butt.

Also you are correct, it looks like plink lets you enter a password, but not ssh.

So I guess part of this is a bug. I should file it as such.

R

0
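The thread turns on whether the identity file really has no passphrase, since that decides whether any prompt or agent is needed at all. The following is an added example, not code from the thread or from IDEA: it reads the key file header to answer that question for the formats of the two tools discussed (OpenSSH and PuTTY/Plink), and goes beyond the thread by also covering PKCS#8 and the newer openssh-key-v1 container. The names `key_is_encrypted`, `fake_openssh` and `SAMPLES` are hypothetical, and the sample keys are constructed headers with dummy bodies.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(text):
    """Return True if this private key file text is passphrase-protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = lines[0] if lines else ""
    # PuTTY .ppk: the "Encryption:" header names a cipher, or "none".
    if head.startswith("PuTTY-User-Key-File-"):
        for ln in lines[1:]:
            if ln.startswith("Encryption:"):
                return ln.split(":", 1)[1].strip() != "none"
        raise ValueError("ppk file has no Encryption header")
    # PKCS#8: encryption is stated in the PEM label itself.
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True
    # OpenSSH container: the cipher name is the first string after the magic.
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header.
    if head.startswith("-----BEGIN ") and head.endswith("PRIVATE KEY-----"):
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:])
    raise ValueError("unrecognised private key format")

def fake_openssh(cipher, kdf):
    # Constructed container header only (magic, cipher, kdf, kdf options); not a real key.
    body = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf, b""))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: the headers are real format markers, the key bodies are dummies.
SAMPLES = {
    "openssh, no passphrase": fake_openssh(b"none", b"none"),
    "openssh, passphrase": fake_openssh(b"aes256-ctr", b"bcrypt"),
    "legacy PEM, passphrase": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                              "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "ppk, no passphrase": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: x\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: encrypted={key_is_encrypted(text)}")
```

If this reports no passphrase and the client still prompts, the prompt is for the account password, which means the key was never offered or was not accepted by the server.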

Hi, Robert!
I tested an external connection on Windows with plink and I was asked for
a password only when I used no ppk file.
Could you execute plink from command line?
plink.exe HOST_NAME -l USER_NAME -i PATH_TO_PPK_FILE "echo $PATH"
Was the command completed successfully?

--
Best regards,
Olesya Smirnova
JetBrains, Inc / IntelliJ Software
http://www.intellij.com
"Develop with pleasure!"


0

Olesya, it does complete. Try it on Linux, I'm having a lot more problems
there than on Windows. Also Plink seems to have been put together for those
very things, try to download VanDyke's SecureSSH and use it with their
VSH.exe, it will fail right away.

On Linux unless I have the key loaded into ssh-add nothing works without a
password.

Thanks
R

0
