Re: CVS and version 9.0

From: baskitcaise (baskitcaise_at_hotmail.com)
Date: 05/01/04


Date: Sat, 01 May 2004 12:45:04 +0100

Graham Trott wrote:

> Kevin Nathan wrote:
>
>> On Fri, 30 Apr 2004 19:31:47 +0100
>> Graham Trott <gt@pobox.com> wrote:
>>
>>> When I move the server files to 9.0,
>>> Eclipse is unable to log in with SSH
>>
>> I'm going from a, possibly inaccurate, memory here but I
>> remember someone posting about 9.x using SSH 2 and 8.2
>> using SSH 1 -- just can't remember what they said had to
>> be set to fix it. Maybe a search of this ng would find it?
>>
>>

I think it was me that posted about the ssh changing in 9.0, it was in a
root mail from the install or upgrade.

Was something on the lines of where to edit if you have probs connecting.

Will have a ferret and see if I have still got a copy on my drive, be back
in 2 ticks.......
 
> I think you may be right. Unfortunately I still can't
> persuade Eclipse to log in, so I'll go back to pserver.
> Thanks for helping.

Here it is, sorry for big snippage, but I think you will get the drift :-

<---------------snip------------------------>

  Dear users,

This is OpenSSH version 3.7.1p1.

There is an important change in sshd with SuSE Linux 9.0: the option
UsePrivilegeSeparation is disabled in file /etc/ssh/sshd_config, as it
had caused some problems. If you updated this package, change the line
with UsePrivilegeSeparation, in file /etc/ssh/sshd_config,
to "UsePrivilegeSeparation no", please.

The value of option ChallengeResponseAuthentication is reverted to default
value yes, which is necessary for PAM authentication.

In this OpenSSH version, Kerberos support is removed from protocol SSH1,
since it has been replaced with GSSAPI, but Kerberos password
authentication is kept for protocols SSH1 and SSH2. To enable Kerberos
authentication, read the README.kerberos file.

Important change in sshd with SuSE Linux 8.1 is that sshd X11 forwarding
listens on localhost by default. See sshd X11UseLocalhost option to revert
to prior behaviour if your older X11 clients do not function with this
configuration.

The package openssh was split into openssh and the new package askpass.

OpenSSH supports two protocol versions (SSH1 and SSH2) which need to be
configured differently.
Protocol version 1 is the old protocol and protocol version 2 is the new
protocol that has several advantages from the security point of view.

Please note that the default ssh protocol version has been changed to
version 2 with SuSE Linux 8.0.

The change of the default protocol version brings one important change for
users who use identity keys for remote login with passphrases.

(Please note the difference: 'password' means a system password on a
given machine. The term 'passphrase', however, is usually used for the
string that an ssh private key is protected (encrypted) with.)

Protocol version 1 uses the key from file ~/.ssh/identity and compares
it with keys from file ~/.ssh/authorized_keys on the remote machine.

Protocol version 2 uses keys from files ~/.ssh/id_rsa or ~/.ssh/id_dsa
and they are compared with keys from file ~/.ssh/authorized_keys.
Note: Servers with OpenSSH < 2.9.9p1 use ~/.ssh/authorized_keys2 instead.

If you don't want to switch to protocol version 2 now, add a line saying
"Protocol 1,2" to /etc/ssh/ssh_config of the SuSE Linux 8.0 system to
retain the old ssh behaviour.

How to convert your environment to protocol version 2:

1) Creating the necessary identity keys for protocol version 2:

  There are two ways:

  A) You can use your old keys for protocol 1, but you have to convert them
     to the format of protocol 2.
     This can be done with the tool ssh-keyconverter:

     Every user that will use protocol version 2 needs to do this:

         cd ~/.ssh
         ssh-keyconverter -k identity
         # at this point you will be asked for the passphrase of ~/.ssh/identity
         ssh-keyconverter -a authorized_keys

     If OpenSSH < 2.9.9p1 is used on the server:

         grep ssh- authorized_keys >>authorized_keys2

     To enable login to other users with the converted protocol version 2
     keys, the other user has to add the new ~/.ssh/id_rsa.pub to his
     authorized keys.

     You can do this by script by forcing version 1 with the -1 switch:

     for host in .... ; do
       ssh -1 user@$host 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub
       ssh -1 user@$host 'cat >> .ssh/authorized_keys2' < ~/.ssh/id_rsa.pub
     done

  B) You can generate new keys for protocol 2 by "ssh-keygen -t rsa" or
     "ssh-keygen -t dsa", then add id_rsa.pub (or id_dsa.pub) to
     authorized_keys2 and copy authorized_keys2 to the remote machine. See
     "man ssh" and "man ssh-keygen" for more info.

2) Handling of protocol version 2 with ssh-agent and ssh-add:

If you continue to use protocol version 1, there is nothing to do because
the default identity is still ~/.ssh/identity.

For protocol version 2, you have to pass the correct file (~/.ssh/id_rsa or
~/.ssh/id_dsa) to ssh-add. To support the version 1 key and the version 2
key you have to add both keys. Example:

        eval `ssh-agent -s`
        ssh-add ~/.ssh/identity ~/.ssh/id_rsa

This will add your version 1 and version 2 keys and if they have the same
passphrase, you only have to type it once.

Other changes:

The OpenSSH handling of ssh-add/ssh-askpass is solved differently than
with OpenSSH 2.x. You don't need to call ssh-askpass any longer. If
ssh-add is called and doesn't have a real TTY, it will launch
/usr/lib/ssh/ssh-askpass itself. Make sure that the DISPLAY variable
is always set correctly.

If you want to use ssh-agent under X windows, just edit the file .xsession
in your home directory and change usessh="no" to usessh="yes". After
logging in you only need to start ssh-add by hand, click or startup script.

If you want to use ssh-agent with startx, add the example above to your
~/.xinitrc before the window manager is started.

  Your SuSE Team

<--------------------pins-------------------------->

HTH

-- 
Mark
Iligitimi Non Carborundum!
Twixt hill and high water, N.Wales, UK
onfxvgpnvfr-ng-tzk-qbg-pb-hx
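
Added example, not part of the original post or of the SuSE note: a small shell audit that reports the effective value of the sshd_config options the note names (Protocol, UsePrivilegeSeparation, ChallengeResponseAuthentication, X11UseLocalhost). It assumes sshd's rule that the first value read for a keyword wins; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective values of the sshd_config options named in the note.
# Assumption: sshd uses the first value it reads for a keyword (keywords are
# case-insensitive; "Keyword value" and "Keyword=value" are both accepted).

# effective_opt FILE KEYWORD -> prints the value sshd would use, or nothing.
effective_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at space, tab or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n); sub(/^[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit         # later releases: global section ends here
            if (key == want) { print val; exit }
        }' "$1"
}

# audit_sshd_config FILE -> one finding per line for the options in the note.
audit_sshd_config() {
    for opt in Protocol UsePrivilegeSeparation ChallengeResponseAuthentication X11UseLocalhost; do
        val=$(effective_opt "$1" "$opt")
        case "$opt:$val" in
            *:)                              echo "INFO $opt unset (built-in default applies)" ;;
            Protocol:2)                      echo "OK   Protocol=2" ;;
            Protocol:*)                      echo "WARN Protocol=$val (SSH1 still accepted)" ;;
            UsePrivilegeSeparation:[Nn][Oo]) echo "WARN UsePrivilegeSeparation=$val (privilege separation off)" ;;
            X11UseLocalhost:[Nn][Oo])        echo "WARN X11UseLocalhost=$val (forwarding not bound to localhost)" ;;
            *)                               echo "OK   $opt=$val" ;;
        esac
    done
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Protocol 1,2
useprivilegeseparation no
UsePrivilegeSeparation yes
ChallengeResponseAuthentication=yes
EOF
audit_sshd_config "$sample"
```

On a real host, pass /etc/ssh/sshd_config instead of the sample; the duplicate UsePrivilegeSeparation lines show why a later "yes" does not override an earlier "no".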

