Gentoo Archives: gentoo-dev

From: Jeremy Maitin-Shepard <jbms@g.o>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] SSH password authentication support for cvs.eclass
Date: Sun, 28 Dec 2003 08:08:04
1 Hello,
3 I sent this message to Tal Peer <coredumb@g.o> (the current
4 maintainer of cvs.eclass), but I thought others might be interested, so
5 I am posting it here as well. Message follows:
7 I needed SSH password authentication for app-editors/emacs-cvs, so I
8 modified cvs.eclass to support it.
10 See URL:
12 As you will notice, the changes involve a rather complex hack;
13 unfortunately, I do not believe that there is any better way to do it
14 unless the interface to ssh changes.
16 Additionally, dealing with the SSH known hosts file is somewhat of a
17 problem. If no additional options are passed to SSH, in many cases it
18 is expected that the user would not have added the keys for the relevant
19 host to /root/.ssh/known_hosts before running the ebuild command; thus,
20 the client would not allow the connection.
22 In order to avoid this problem, I have added the option
23 ECVS_SSH_NO_STRICT_HOST_CHECKING, which, if set to "1", allows the host
24 key checking to be ignored. But, if -oStrictHostKeyChecking=no is
25 simply appended to the SSH command-line, however, the result is that
26 root's SSH known_hosts file is modified, which is not desirable. As a
27 workaround, the eclass copies "${HOME}/.ssh/known_hosts" to a temporary
28 location and specifies to SSH to use the temporary file. The result is
29 that host key checking is disabled if the host is not already present
30 in "${HOME}/.ssh/known_hosts" or the global known_hosts file, but
31 non-temporary files are not modified.
33 There still remains one minor issue, which is that if the host is
34 present in a non-default known_hosts file which the user has specified
35 in an ssh_config file, host checking would ideally be enabled, but
36 because there appears to be no way to learn of a non-default known_hosts
37 file location short of parsing the ssh_config files, the eclass in that
38 case disables host checking. I do not believe this is a very serious
39 problem, however.
41 Anyway, I did not modify the comments at the top, so before committing
42 these modifications, the comments should probably be updated.
44 What are you thoughts?
46 --
47 Jeremy Maitin-Shepard


Subject Author
Re: [gentoo-dev] SSH password authentication support for cvs.eclass Nick Jones <carpaski@××××××.net>