| 1 |
Hello, |
| 2 |
|
| 3 |
I sent this message to Tal Peer <coredumb@g.o> (the current |
| 4 |
maintainer of cvs.eclass), but I thought others might be interested, so |
| 5 |
I am posting it here as well. Message follows: |
| 6 |
|
| 7 |
I needed SSH password authentication for app-editors/emacs-cvs, so I |
| 8 |
modified cvs.eclass to support it. |
| 9 |
|
| 10 |
See URL: http://dev.gentoo.org/~jbms/cvs.eclass |
| 11 |
|
| 12 |
As you will notice, the changes involve a rather complex hack; |
| 13 |
unfortunately, I do not believe that there is any better way to do it |
| 14 |
unless the interface to ssh changes. |
| 15 |
|
| 16 |
Additionally, dealing with the SSH known hosts file is somewhat of a |
| 17 |
problem. If no additional options are passed to SSH, in many cases it |
| 18 |
is expected that the user would not have added the keys for the relevant |
| 19 |
host to /root/.ssh/known_hosts before running the ebuild command; thus, |
| 20 |
the client would not allow the connection. |
| 21 |
|
| 22 |
In order to avoid this problem, I have added the option |
| 23 |
ECVS_SSH_NO_STRICT_HOST_CHECKING, which, if set to "1", allows the host |
| 24 |
key checking to be ignored. But, if -oStrictHostKeyChecking=no is |
| 25 |
simply appended to the SSH command-line, however, the result is that |
| 26 |
root's SSH known_hosts file is modified, which is not desirable. As a |
| 27 |
workaround, the eclass copies "${HOME}/.ssh/known_hosts" to a temporary |
| 28 |
location and specifies to SSH to use the temporary file. The result is |
| 29 |
that host key checking is disabled if the host is not already present |
| 30 |
in "${HOME}/.ssh/known_hosts" or the global known_hosts file, but |
| 31 |
non-temporary files are not modified. |
| 32 |
|
| 33 |
There still remains one minor issue, which is that if the host is |
| 34 |
present in a non-default known_hosts file which the user has specified |
| 35 |
in an ssh_config file, host checking would ideally be enabled, but |
| 36 |
because there appears to be no way to learn of a non-default known_hosts |
| 37 |
file location short of parsing the ssh_config files, the eclass in that |
| 38 |
case disables host checking. I do not believe this is a very serious |
| 39 |
problem, however. |
| 40 |
|
| 41 |
Anyway, I did not modify the comments at the top, so before committing |
| 42 |
these modifications, the comments should probably be updated. |
| 43 |
|
| 44 |
What are you thoughts? |
| 45 |
|
| 46 |
-- |
| 47 |
Jeremy Maitin-Shepard |
Archives