This is Anders Nordby's guide to using WinCVS with SSH authentication (as opposed to pserver authentication).

Introduction

The best SSH implementation for Windows is, as far as I know, putty. Its usability, quality, ease of use etc. are good. You'll need to download the programs putty, pageant, puttygen and plink from its homepage.

Generating your keys

First, start puttygen:

We'll be using it to generate your public and private key, which will be used for authenticating with the SSH based CVS server/repository.

First, click "Generate" to have your key generated. You'll be asked to move the mouse pointer around in the window, which gives the program some initial random data to chew on. Then type a secret passphrase (password) in the "key passphrase" textbox and repeat it in the one below. Keep this to yourself. It should be a good password with random characters (uppercase and lowercase), and should also contain numbers. Then click "Save" and pick a safe location (you are storing your private key, the secret part of your key), a place where it won't be tampered with or used by unauthorized personnel. Also select the public part of the key ("Public key for pasting into authorized_keys file"), right-click and copy the contents to your clipboard.

Send your public key, and your desired login name to Florian Hackenberger by mail and let him put it where it should be *gg*. Then wait for his return mail and continue afterwards.

Using pageant, the SSH key authentication agent

Pageant is your friend. It will do your authentication so you don't have to type a password for every CVS operation. First, start it:

Next, right-click its new icon in the tray, and select add key:

Locate your private key, and type in the passphrase you used when generating the key with puttygen. Now you'll be able to log in directly to your CVS account without typing passwords. This may be a security problem; please make sure you read this document entirely, as there are security considerations you need to know about at the end of it.

Creating a putty saved session for WinCVS to use

Start putty:

Type in the hostname of your CVS server, click SSH, type in a session name, and click Save.

Then exit putty.

Using WinCVS with your new SSH setup

I assume you have already installed a recent version of WinCVS downloaded from www.wincvs.org. As I write this, I am currently using WinCVS 1.2. Start it.

Click Admin/Preferences.

Type in the CVSROOT. It should be your username, @, the SSH session name you stored in putty, a colon, and the path for the CVS repository on the CVS server. Select SSH server for authentication.

Click the Ports tab, check the checkbox for "Check for an alternate rsh name", and type in the full path for your plink program (downloaded from the putty pages). Click OK. This is it. You should be able to check out files and work with WinCVS as normal. Securely (authenticated and encrypted), too. You do not need to use Login and Logout on the Admin menu, putty and friends do that stuff for you.

Additional information

As you can see, this document does not attempt to explain the usage of WinCVS or CVS in general. Try www.wincvs.org or www.cvshome.org for more information about this.

Security considerations
 

Please do make sure that the security and integrity of the host running WinCVS and plink/pageant are good. Put your keys and work on a local filesystem, and make sure only authorized personnel have access to the host. You are accessing a CVS repository, which most likely is a very valuable and also unfortunately vulnerable system. Losing the CVS server's data, the password you use to access the CVS server, or your SSH keys to unauthorized personnel must not happen.

Make sure you configure Putty to use SSH protocol version 2. SSH1 is known to have fundamental flaws (and may or may not be subject to, for example, man-in-the-middle attacks) and is far from ideal, even though SSH1-based servers are still developed and fixed for known weaknesses.

I wrote a small shell script which you can use as a login shell for users that are only supposed to use CVS and nothing else. It can be found here. I make no guarantees of the security of this script, but it should be better to use it than to give full SSH login access to users that you only want to be able to use CVS. Make sure your SSH daemon software is up to date. I recommend OpenSSH.
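
The CVS-only login shell idea above, as an added example; this is not the author's script, which is not reproduced on this page. It assumes the CVS client asks the server to run exactly "cvs server", that sshd starts the login shell as `<shell> -c "<command>"`, and that cvs is installed at /usr/bin/cvs; the file name cvs-only-shell and the function names are hypothetical.

```sh
#!/bin/sh
# cvs-only-shell (hypothetical name): login shell for accounts that may only use CVS.
# Added example, not the author's script.
# Assumptions: the CVS client requests exactly "cvs server", sshd starts the
# login shell as `<shell> -c "<command>"`, and cvs is installed at CVS_BIN.

CVS_BIN=/usr/bin/cvs   # assumed install path

# Return 0 only for the single permitted invocation: -c "cvs server".
# The comparison is an exact string match, so appended shell syntax,
# extra arguments, or an interactive login (no arguments) all fail.
cvs_only_allowed() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "cvs server" ] || return 1
    return 0
}

cvs_only_main() {
    if cvs_only_allowed "$@"; then
        # Fixed PATH and binary: nothing from the client chooses what runs.
        PATH=/usr/bin:/bin
        export PATH
        unset ENV BASH_ENV CDPATH
        exec "$CVS_BIN" server
    fi
    # Record the refusal so repeated attempts show up in the auth log.
    if command -v logger >/dev/null 2>&1; then
        logger -t cvs-only-shell -p auth.notice \
            "refused non-CVS request for ${USER:-unknown}"
    fi
    echo "This account is restricted to CVS access." >&2
    return 1
}

# Run only when installed under its own name, so the functions can be
# sourced and checked without executing anything.
case "${0##*/}" in
    cvs-only-shell) cvs_only_main "$@" ;;
esac
```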

Feedback

If you have any comments, additions or find anything wrong, please let me know.

Also check my CVS page, which intends to be a generally useful page about CVS and related tools.
Last modified: Thu Mar 06 21:58:28 CET 2003