Automated SSH with passwords

A few months ago, I talked about setting up automated Subversion access using SSH. This is especially important if you are using an automated build server. (Couldn’t resist the shameless plug 🙂 )

One requirement of that discussion was that you needed to be using key-based authentication for your SSH access. So what if you’re not using keys? This is exactly the situation that has arisen this week with adding a new project to CCNetLive . We want to build a new project, from a new Subversion server, using SSH and password-based authentication, without messing up the SSH configuration for the existing projects on the machine (so no project-specific machine-global settings are allowed.) So how to do this?

I went through various attempts at doing this before realising how easy Subversion makes it!

First of all, make sure your new SSH connection is working correctly. In Windows, this means using Putty to connect using your SSH user name and password, and saving the server’s key. This is a vital step otherwise your connection will hang later as in the background it will be asking you to confirm the identity of the server.

Next, find your user’s Subversion config file. On Windows, this is normally in something like C:\Windows\Documents And Settings\Your UserName\Application Data\Subversion\. Find the [tunnels] section, and add a line something like:

myprojectssh = c:\tools\putty\plink.exe -l YourSSHUser -pw YourSSHPassword

The myprojectssh is the name of your Subversion scheme and you can use this scheme instead of the normal ssh scheme, so you would use a command something like svn checkout svn+myprojectssh:// . Notice you don’t need to re-specify your user name. Obviously, you should change myprojectssh, YourSSHUser and YourSSHPassword for your setup, as well as the location of plink. The double back-slashes are important – check the note that should be in your Subversion config file for more details.

This Subversion scheme works because the whole -l abc -pw xyz part gets passed through to Plink, and plink understands what -l and -pw mean. If your command line SSH client uses different parameters for users and passwords you should substitute them as necessary.

There’s a couple of things to note with all this. Firstly, your SSH credentials are being stored unencrypted in a text file on your machine, so you should make sure your Subversion config file is secured somehow. It may be enough to make sure its only visible by the individual user, but you might also want to consider using an encrypted disk. Secondly, this solution should only be used where you can’t use SSH keys for some reason. Key-based SSH authentication is a far better option, security wise, than password-based authentication.