[updated 1999-10-01 for Cygwin/NT users]

Converting from cvs and cvsh with rsh to ssh

Using cvs via ssh instead of rsh is easy, but there is some initial setup effort. We will discuss setup on the client end separately from the server end, after some general issues.

General Issues

Authentication using ssh can be setup two ways.

$HOME/.shosts file
$HOME/.ssh/authorized_keys file

The first temptation when converting from rsh to ssh is to simply convert the .rhosts file on the cvsuser account to a .shosts file, and let users come in with ssh instead of rsh. However in this configuration, no remote-user-name information is available to the cvs server end, and we cannot do user-based authentication in the fashion that our existing setups tend to use.

So using an authorized_keys file with one key per user is recommended, and this is what is described below.

Clients

Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5, you can check what version you have by running
```
ssh -V
```
If you don't have one, create an ssh key pair, by running:
```
ssh-keygen -t rsa1
```
It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase, rather pick a nice long phrase, but one you can remember. You can change it later with
```
ssh-keygen -p
```
This will create $HOME/.ssh/identity and $HOME/.ssh/identity.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account.

Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a separate key for their NT accounts than their others, and use directory/file permissions to keep the key file as safe as possible.
If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).
```
    CVS_RSH=ssh
    export CVS_RSH
    if [ x$SSH_AUTH_SOCK = x ]
    then
        echo Doing ssh stuff...
        eval `ssh-agent`
        ssh-add
    fi
    
```
and this to your $HOME/.login
```
    setenv CVS_RSH ssh
    if ( ! $?SSH_AUTH_SOCK ) then
        echo Doing ssh stuff...
        eval `ssh-agent -c`
        ssh-add
    endif
    
```
Finally, you may need, in your $HOME/.ssh/config file:
```
Host cdcvs.fnal.gov
ForwardAgent true
```
To make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:
```
   CVS_RSH=ssh-cvs
```
in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.
In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.
Send your $HOME/.ssh/identity.pub file to the adminstrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.
Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.

Servers

Make sure ssh is installed, and sshd is running.
Install the new cvsh on your system as the login shell for the cvs server account. Look in /etc/passwd for the path to the login shell.
```
    $ upd install cvsh -G -c
    $ setup cvsh
    $ cp $CVSH_DIR/bin/cvsh /path/to/cvs/account/login/shell
    
```
Create a $HOME/.ssh/authorized_keys file in the cvs server account with the public keys of any users who you want to let in.
Once you're sure you have folks who should be able to get access via ssh, remove the .rhosts file from the cvs server account.

If your users coming in via ssh are showing up as the cvs server account rather than their own user name, check that "/usr/local/bin/ssh-add" is of recent vintage.