Problem

PC moved from Blue to Red Network.
Student uses CVS, via CYGWIN, to access a Remote Repository.
CVS by default uses RSH to access Remote Repositories.
Firewall, deployed between the Red and Blue Network, will not pass RSH.


Solution

Configure CVS to use SSH instead of RSH.

Configure SSH to use public-key authentication with ssh-agent, so that the student will not be 
continually prompted for a password.


Details (SSH)

1. Generate ssh2 public/private key on CYGWIN using the following command:

   $ ssh-keygen -t dsa  

   Within CYGWIN, this generates an SSH version 2 (DSA) key pair

2. Accept default save location for key [.ssh]

3. Supply passphrase for the key

4. Copy id_dsa.pub to student's .ssh directory on the UNIX system.

5. Rename it to authorized_keys2

6. Add: from="128.100.27.*" to the beginning of the relevant key in the authorized_keys2 
   file. The IP address should be changed to reflect the IP address or range of IP addresses 
   the host machine is currently using. (cf. Note at bottom of page for possible problems with 
   this)

7. On CYGWIN add to /etc/profile:

   eval `ssh-agent` && ssh-add .ssh/id_dsa

   This starts ssh-agent and loads the key automatically for the student. They will be asked 
   for the passphrase from step 3 above once, when they log in, rather than on every connection.


8. To determine that this works, close down CYGWIN and start it up. Supply the passphrase and 
   run the following command:

   $ ssh -2 username@qew.cs.toronto.edu

   You should be able to log in without being prompted, since ssh-agent is now handling 
   your authentication.

Details (CVS and SSH)

1. On CYGWIN add to /etc/profile:

   export CVS_RSH=ssh

   This tells CVS to use ssh rather than RSH.


2. To determine that this works, close down CYGWIN and start it up. Supply the passphrase 
   and run the following command:

   $ cvs -d :ext:username@qew.cs.toronto.edu:/location_of_repository checkout filename



NOTES:

Weakness in OpenSSH's source IP based access control
for SSH protocol v2 public key authentication.

1. Systems affected:

        Versions of OpenSSH between 2.5.x and 2.9.x using
        the 'from=' key file option in combination with
        both RSA and DSA keys in ~/.ssh/authorized_keys2.

2. Description:

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction (e.g.
        from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.

3. Impact:

        Users can circumvent the system policy
        and login from disallowed source IP addresses.

4. Solution:

        Apply the following patch.

        This bug is fixed in OpenSSH 2.9.9.
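The following script is an added example for step 6 of the SSH details and for the advisory above; it is not part of the original notes and not OpenSSH code. It builds the from="..."-restricted authorized_keys2 line from a plain id_dsa.pub line, and it scans an authorized_keys2 file for the exact ordering the advisory describes (a from=-restricted key immediately followed by a key of a different type) so the file can be reordered or the server upgraded before the restriction is relied on. The key blobs in it are constructed placeholders, and the 128.100.27.* pattern is the one from step 6.

```shell
#!/bin/sh
# Added example, not part of the original notes or of OpenSSH.
# Two helpers for step 6 and the NOTES advisory:
#   restrict_key         - prefix a plain id_dsa.pub line with from="..."
#   check_from_ordering  - scan an authorized_keys2 file for a from=-restricted
#                          key immediately followed by a key of another type,
#                          the ordering that OpenSSH 2.5.x-2.9.x mis-handles.
# All key material below is a constructed placeholder, not a real key.

# describe_key LINE -> prints "<type> restricted|open", where type is
# ssh-dss or ssh-rsa and "restricted" means a from= option precedes the key.
# Only the option list (text before the key type) is searched, so the
# base64 key body and the trailing comment cannot produce a false match.
describe_key() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "ssh-dss" || $i == "ssh-rsa") break
        if (i > NF) { print "unknown open"; exit }
        opts = ""
        for (j = 1; j < i; j++) opts = opts $j " "
        print $i, (index(opts, "from=") ? "restricted" : "open")
    }'
}

# restrict_key PATTERN PUBKEY_LINE -> the line as it should appear in
# authorized_keys2, with the source-address restriction in front.
# Refuses lines that already carry options, so two option lists are never
# concatenated by accident.
restrict_key() {
    case "$2" in
        "ssh-dss "*|"ssh-rsa "*) printf 'from="%s" %s\n' "$1" "$2" ;;
        *) echo "restrict_key: expected a plain ssh-dss/ssh-rsa line" >&2; return 1 ;;
    esac
}

# check_from_ordering FILE -> prints the number of risky adjacent key pairs
# (0 means the file is not exposed to the ordering bug); details go to stderr.
check_from_ordering() {
    file=$1
    prev_type= prev_state= prev_n= n=0 findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $(describe_key "$line")
        type=$1 state=$2
        if [ "$prev_state" = restricted ] && [ "$type" != "$prev_type" ]; then
            echo "line $n: $type key follows the from=-restricted $prev_type key on line $prev_n;" \
                 "OpenSSH 2.5.x-2.9.x may apply line $n's options to both (reorder, or upgrade to 2.9.9)" >&2
            findings=$((findings + 1))
        fi
        prev_type=$type prev_state=$state prev_n=$n
    done < "$file"
    echo "$findings"
}

# demo -> builds the two-key file from the notes' scenario (a restricted DSA key
# followed by an unrestricted RSA key) and reports how many risky pairs it has.
demo() {
    tmp=$(mktemp)
    restrict_key '128.100.27.*' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER= student@cygwin' > "$tmp"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAPLACEHOLDER= student@laptop' >> "$tmp"
    check_from_ordering "$tmp"
    rm -f "$tmp"
}

demo
```

Run it from a Cygwin or UNIX shell; on the notes' own scenario it reports one risky pair on stderr and prints 1. Keeping keys of one type together, or giving every key in the file its own from= option, makes the check return 0 regardless of server version.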

NOTES2

It is possible to configure CYGWIN so that it reads its login scripts from a mapped home directory.
The advantage to this is that this environment can be shared from machine to machine.

Under CYGWIN properties set target: c:\cygwin\bin\bash.exe -i
Set Start in: h:\