January 23, 2007

Reusing SSH Authentication with Subversion and CVS

Since OpenSSH 4.0, the ssh client has had the capability of reusing existing open connections, bypassing authentication. I have learned that this feature, called ControlMaster, is a great benefit when connecting to a Subversion or CVS repository on a server that doesn't allow public key authentication. Without this feature, one would need to enter their password for each SVN or CVS operation when connecting to those servers.

There are two things that one must do to make use of ControlMaster with ssh.

1. Add a directive to your ~/.ssh/config file that tells ssh to use an existing ControlMaster socket if it exists and what the filename of that socket is. A simple form is:

ControlPath ~/.ssh/control-%r@%h:%p

This tells ssh to look for a control socket named "control-" followed by the remote user name, remote hostname, and remote port number. If one does not exist, no problem, ssh should behave as it normally did and not attempt to reuse a connection.

It might be a good idea to wrap that directive in a Host directive that tells it to only attempt this for certain hostnames that you specify. You could possibly run into trouble if a program you're using already sets up the ControlMaster and ControlPath for you. This directive may change the ControlPath to something such programs aren't expecting. I've not seen this myself, but I have read reports of people having trouble with a certain GUI Subversion client.

2. Start up an ssh ControlMaster connection to the server that holds your SVN or CVS repository. The simplest method is:

ssh -M hostname

(The option "M" puts ssh into "master" mode for sharing connections.)

This will create the control socket at the path specified by the ssh ControlPath configuration directive and prompt you for your password. After authenticating, you will have a regular ssh session. The problem with this is that you would need to keep the session window open or active, and if your session has an inactivity timeout, the session could be gone when you need it.

Sometimes a better method is to also tell ssh to run in the background and not execute any command on the remote host. Like this:

ssh -fNM hostname

(The option "f" forces ssh into the background and "N" tells it not to execute a remote command.)

It would be a good idea to assign this "ssh -fNM" command to a shell alias like "ssh-master". With this ssh master client in the background, you will need to keep track of the process yourself. You might be comfortable just using the "ps" command in a shell or maybe a process listing GUI would be helpful to you. It would be nice to have a GUI that could start and monitor these ControlMaster sessions for you, but I don't know of any now.

Lately, since I couldn't find an ssh GUI I like, I've been using a slightly different set of options:

ssh -NMv hostname

(The option "v" puts ssh into verbose mode.)

The verbose mode is the opposite of the background mode. ssh will show information about every operation it performs. I run this in a separate terminal window, so I can see that my ssh connection is still working as I'm doing other things. I've found it useful to wrap this command in a small shell script that wraps an infinite loop around ssh, followed by a prompt to press return to reconnect when ssh exits. This helps when my computer loses its connection to the server because I've moved to a different network or if my computer has been sleeping.
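The bookkeeping described above (starting a background master, checking on it, and the reconnect loop), as an added example that is not the author's own script; it also refuses to start a master when the socket directory is writable by other users, because anyone who can reach the control socket can reuse the authenticated connection. The function names are hypothetical, and it assumes the ControlPath directive from step 1, so the socket lives in ~/.ssh.

```shell
#!/bin/sh
# Added example: helpers to source from a shell profile. Names are hypothetical.
# Assumes "ControlPath ~/.ssh/control-%r@%h:%p" is set in ~/.ssh/config.

# Succeed only if $1 is a directory that group and others cannot write to.
socket_dir_is_private() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in
        d????-??-*) return 0 ;;   # mode string has no group or other "w"
        *) return 1 ;;
    esac
}

# Start a background master for host $1 unless one already answers.
master_start() {
    socket_dir_is_private "$HOME/.ssh" || {
        echo "refusing: $HOME/.ssh is missing or writable by other users" >&2
        return 1
    }
    ssh -O check "$1" 2>/dev/null || ssh -fNM "$1"
}

# Exit status 0 if the master for host $1 is alive.
master_check() {
    ssh -O check "$1"
}

# Ask the master for host $1 to exit; this also removes its control socket.
master_stop() {
    ssh -O exit "$1"
}

# Foreground variant: verbose master with a prompt to reconnect after
# ssh exits (network change, laptop sleep). Ctrl-C or end of input quits.
master_loop() {
    while :; do
        ssh -NMv "$1"
        printf 'ssh exited; press return to reconnect (Ctrl-C to quit) '
        read -r answer || break
    done
}
```

Stopping the master with master_stop when you are done closes the window in which the socket can be used without a password.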

Finally, the easiest way to try it out is to open another window and use a simple ssh command to open a connection to the same hostname that you used earlier:

ssh hostname

You shouldn't be prompted for any authentication.

The nice thing about this method is that it takes very little configuration to set up, uses a very simple command to start the ControlMaster, and any ssh command after the master one will work the way it should, but without additional authentication.

There is another ControlMaster option called "auto" that could be useful. It will use an existing control socket if it exists, or create a new one and become a ControlMaster. The problem with using that setting is that if ssh is being called from an SVN or SSH client, this master session will only be around for as long as the interaction with the repository takes to complete. It would also prompt for a password, which could be a problem if the SVN or SSH client is a GUI.

Other documentation about this feature:
http://www.revsys.com/writings/quicktips/ssh-faster-connections.html
http://www.linux.com/article.pl?sid=06/05/19/145227

Posted by lsloan at 03:42 PM