Launchpad code imports

Manual intervention needed to set up code import over empty-password SSH

Bug #726834 reported by Max Bowsher
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Launchpad code imports
Fix Released
High
Colin Watson

Bug Description

This is a pretty obscure corner case, but lifeless asked me to file a bug in https://answers.launchpad.net/launchpad/+question/117193

In some fairly rare cases, seemingly limited to BSD OSes, anonymous CVS access is provided over SSH with an empty password. In such a situation, it is necessary to ask the LOSAs to accept the SSH host key into the ~importd/.ssh/known_hosts store before code imports can work.

Technically the same situation could exist for non-CVS code imports, but svn and git provide non-SSH anonymous serving options that are considerably less flaky than cvs pserver, so the issue is unlikely to ever arise.

See original description

Related branches

~cjwatson/lp-codeimport:cvs-no-host-key-check
Tom Wardill (community): Approve
Diff: 70 lines (+12/-1)
5 files modified
charm/lp-codeimport/reactive/lp-codeimport.py (+1/-1)
charm/lp-codeimport/scripts/ssh-no-host-key (+2/-0)
charm/lp-codeimport/templates/codeimport-lazr.conf.j2 (+1/-0)
lib/lp/services/config/schema-lazr.conf (+5/-0)
scripts/code-import-worker.py (+3/-0)
Robert Collins (lifeless)
tags: added: canonical-losa-lp
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Thorsten Glaser (mirabilos) wrote :

It might be enough to run things like this:

ssh -o 'StrictHostKeyChecking no' -l _anoncvs anoncvs.mirbsd.org

It’s almost certainly possible to create a script like this:

#!/bin/sh
exec /usr/bin/ssh -o 'StrictHostKeyChecking no' "$@"

… and put it either into the $PATH as ssh, or export CVS_RSH=/path/to/this/script in order to get the checking done automatically, unless the keys do change.

Revision history for this message
Thorsten Glaser (mirabilos) wrote :

I’d like to know why Curtis Hovey <email address hidden> is of the opinion that LP doesn’t support cvs over ssh, while this is being processed here, and how he thinks LP can import code from CVS servers over an unencrypted, not authenticated protocol reliably.

Revision history for this message
Robert Collins (lifeless) wrote :

Many CVS servers only offer :pserver:, so its entirely out of our hands whether we can do :ext: or not for a given server. If memory serves me correctly we do support :ext:.

Revision history for this message
Martin Pool (mbp) wrote : Re: [Bug 726834] Re: LOSA intervention needed to set up code import over empty-password SSH

On 6 April 2011 17:41, Thorsten Glaser <email address hidden> wrote:
> I’d like to know why Curtis Hovey <email address hidden> is of the
> opinion that LP doesn’t support cvs over ssh, while this is being
> processed here,

What does "this is being processed here" mean in this sentence?

Martin Pool (mbp)
tags: added: code-import
Robert Collins (lifeless)
tags: added: easy
Curtis Hovey (sinzui)
description: updated
Max Bowsher (maxb)
description: updated
Colin Watson (cjwatson)
affects: launchpad → lp-codeimport
Colin Watson (cjwatson)
Changed in lp-codeimport:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
Changed in lp-codeimport:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
summary: - LOSA intervention needed to set up code import over empty-password SSH
+ Manual intervention needed to set up code import over empty-password SSH
Changed in lp-codeimport:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.