SSH Tips

by Alistair Bayley

There seem to be three separate pieces of software at work (there are probably more, but these are the major players I can identify).

TortoiseCVS doesn't actually do anything directly with the CVS server; it invokes CVSNT, which in turn uses SSH (TortoisePlink) if you specify the :ext: protocol. SSH is required for sf.net CVS access.

Note: as of version 1.6.7, TortoisePlink supports HTTP proxy just like plink. I wrote these instructions when I could only use plink, but I believe everything I've said about plink is true for TortoisePlink.

Firewalls and proxy servers

I have to work from behind a firewall. I only have access to the internet (web browsing) via a proxy server. It took a while to figure out how to get SSH working.

The problem: ssh uses port 22. This is typically blocked by firewalls (fair enough). You can tell ssh to use another port with the -P option. SourceForge provides ssh servers on ports 80 and 443 on cvs-ssh.sf.net, specifically for users with these firewall restrictions. Many organisations open these ports for internet access (port 80 is the typical port used for HTTP i.e. standard web browser requests; port 443 is the default port for HTTPS - secure HTTP).

Fine, you say; use port 80. However, I do not have direct access to the internet at all (i.e. to me all ports appear blocked). I must use a proxy server to access the internet, and so I need an SSH client that supports HTTP Proxy tunnelling. Fortunately, PuTTY and TortoisePlink now both do this.

We must create a PuTTY session that uses HTTP proxy, and save it with a name. Plink uses the saved session details to connect to SourceForge via the proxy.

The steps below are summarised as:

  1. Create PuTTY saved session and activate account
  2. Create and post SSH keys
  3. Start and test Pageant
  4. Test that plink uses Pageant
  5. Invoke plink from TortoiseCVS

Step 1

After getting a sf.net account, you are meant to say:
	ssh -l username cvs.sf.net
to activate your account (using the same password as with your web-browser). That is, you log in via SSH just once to activate your account. SourceForge allows you to log in, and then spits you out immediately.

You'll need to install PuTTY; I got it from here. I just unzipped and copied the files into the TortoiseCVS folder (because I'm lazy). Puttygen.exe is the only clash/update.

Run putty.exe:

Session:
   Host name: cvs-ssh.sf.net
   Port: 80
   Saved sessions: cvs-ssh
   Close window on exit: Never
Connection:
   Auto-login username: <your sf.net username>
Connection / Proxy:
   Proxy type: HTTP
   Proxy hostname: <proxy address/name>
   Port: <proxy port>

Click Save (to save the session with name "cvs-ssh"). Test by clicking Open. It should log on to SourceForge (so type your password) and then close immediately.

Step 2

Run puttygen.exe and create public and private keys. Save them on a local drive (safer), with a passphrase. Copy the public key to your clipboard, from the field in puttygen labelled "Public key for pasting into OpenSSH authorized keys file:". Don't copy the key from the public key file; it's in the wrong format for SourceForge. Use the Account Maintenance page to post the public key to SourceForge:
http://sourceforge.net/account/
I've waited for up to 90 minutes for keys to be updated on the CVS servers, so be patient.

Step 3

Run Pageant; it doesn't appear to do anything, but a new icon will appear in the system tray (taskbar). Right-click and Add Key (to add the private key you just created); you'll have to enter the passphrase.

Right click on the Pageant icon again and Saved Sessions -> <your session>. It should connect with your SSH key i.e. no password.

Step 4

Invoke plink from the NT (*not* Cygwin) command line:
	plink.exe 
Or:
	plink.exe -l  
Due to some obscure bug, plink won't use Pageant keys if invoked from a Cygwin shell.

Step 5

Configure Tortoise to use plink.exe. The command line parameters are empty. The CVSROOT will be something like:
	:ext:@:/cvsroot/haskell-libs

Further hints and tips

Module path

What module path to specify isn't obvious. Trial and error reveals that the module name is the bit after the project name from:
	http://project.cvs.sourceforge.net/viewcvs.py/<project>/<module-name>
So this URL:
	http://haskell-libs.cvs.sourceforge.net/viewcvs.py/haskell-libs/libs/takusen/
would relate to:
	CVSROOT=:ext:@cvs-ssh.sf.net:/cvsroot/haskell-libs
	module=libs/takusen
(Note that there's no leading slash on the module name.) This might seem obvious now but it wasn't at first.

Make new module

Put your new module in a new folder. Inside the new folder right-click -> CVS -> Make New Module... In the module field put: libs/<my-new-module>. You aren't required to maintain the same module structure as the CVS server on your own file system (CVS keeps track of which module the files were checked out from), but it might be wise to do so, to avoid confusion.