Bzr and SSH
Unix, Linux and OS X
A common requirement is to prevent the need to enter a password for each and every Bazaar command when using bzr+ssh:// or sftp:// transports. On Unix, bzr is able to use the same settings as the system-installed 'ssh' client. Thus, using bzr+ssh:// or sftp:// transport to access a remote branch follows the same procedure as for setting up authorization for a shell login.
There are two ways to configure your SSH client to prevent the need to enter a password for each login:
- Log in to the remote machine with a master connection - future logins will reuse this existing master connection.
- Use the ssh-agent program to cache public/private key authentication details.
The first approach is somewhat easier to set up, as you do not need to configure your ssh-agent program or generate a public/private key pair if you don't already have one. It also means a new connection to the server does not need to be established for each and every command, so it gives a speed boost.
Using a master connection
Before you can use a master connection you will need to configure your client so that it knows how to communicate with the master connection. This is done by specifying the path to a socket that will be used for communication purposes. Add the following lines to the ~/.ssh/config file (or create the file if it does not exist):
# Where to find the control path, if we have one
Host *
    ControlPath ~/.ssh/master-%r@%h:%p
You can then open a master connection to the server using the -M option:
ssh -M firstname.lastname@example.org
As long as this master connection is not closed (i.e. you do not exit the shell) you will be able to log in to the machine without a password. It is also possible to configure ssh such that it always opens a master connection if there isn't already one open. This means you do not even need to pass the -M option to ssh. To do this add the following option to ~/.ssh/config:
Generate Public/Private key pair
If you have not done so previously, on the client use 'ssh-keygen':
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
The key fingerprint is:
49:c7:90:63:82:34:be:94:d5:ce:c9:ec:15:e7:06:c8 example@localhost
Upload your public key
If the ssh-copy-id command is installed then using that is the easiest way to upload your key to the server. You just need to enter:
If this command is not installed then you can also upload the key manually:
- Log into the host containing the remote branch.
- On the remote host, edit the file ~/.ssh/authorized_keys.
- Each line of this file contains the public half of the public/private key pair which is authorized to log in.
- Use a text editor to copy the contents of your local /home/example/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on the remote server. Ensure that there are no line breaks; the key must all be on a single line. Save the file.
Test that your client is now authorized by logging in again via ssh to the account. Assuming that works, you should now be able to use bzr+ssh:// and sftp:// to access branches on the remote host without requiring a password.
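The manual upload steps above, as an added shell example that is not part of the original Bazaar documentation: run on the remote host, it rejects a key that has been wrapped onto several lines, skips keys that are already authorized, and keeps the .ssh directory and authorized_keys owner-only. The function names and SAMPLE_KEY (a constructed, non-working key) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: append one public key to an authorized_keys file safely.
# Usage: install_pubkey PUBKEY_FILE SSH_DIR   (SSH_DIR is normally "$HOME/.ssh")

# Constructed sample key for testing; it is not a real, usable key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey example@localhost'

# Return 0 if FILE holds exactly one well-formed "type base64 [comment]" line.
valid_pubkey_file() {
    # A key wrapped by an editor or mail client shows up as more than one line.
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    grep . "$1" | grep -Eq \
      '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

# The body runs in a subshell so the umask and variables do not leak to the caller.
install_pubkey() (
    pub=$1 dir=$2 auth=$2/authorized_keys
    if ! valid_pubkey_file "$pub"; then
        echo "rejecting $pub: not a single-line public key" >&2
        exit 1
    fi
    key=$(grep . "$pub")

    umask 077                                  # anything created is owner-only
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Nothing to do if this exact line is already authorized.
    grep -qxF -- "$key" "$auth" && exit 0

    # If the last existing entry lacks a trailing newline, add one first,
    # otherwise the new key would be glued onto the end of the old one.
    [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"
)
```

With the default StrictModes setting, sshd ignores an authorized_keys file whose file or parent directories are writable by other users, which is why the function resets both modes on every run.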
Windows
As on Unix, to avoid having to enter a password with the bzr+ssh:// and sftp:// transports on Windows you must create a public/private key pair and add it to the authorized_keys file on the remote server.
However, configuring bzr to find and use the correct key pair can be done in different ways, and may be slightly more complicated than on Unix. The following instructions assume that you used the standalone Windows installer, not the Python-based installer.
Using the Unix way
On many Windows systems you can use a method analogous to what is described above for Unix systems. To generate the key pair, either use the ssh-keygen tool from a nearby Unix machine or install Cygwin on your Windows machine to provide ssh-keygen locally.
Edit the ~/.ssh/authorized_keys file on the server just as described for Unix. Then add the id_rsa file to your Windows account the same way as is done in Unix, by:
- locate your home directory (something like C:\Documents and Settings\<username> and usually pointed out by the environment variables %HOMEDRIVE%\%HOMEPATH% or %USERPROFILE%)
- if needed, create a ".ssh" sub-directory in the home directory (Windows Explorer may complain about names starting with ".", use a command prompt instead)
- add the private key file id_rsa to the .ssh directory
Using Puttygen and Pageant
If you don't succeed with the above, Bzr can use the "pageant" program (a part of the PuTTY package) to supply it with the key pair it will use to authenticate itself to the remote host.
Download PuTTY here. You need, at minimum, pageant.exe and puttygen.exe.
- Run puttygen.exe.
- In the "Parameters" area select "SSH-2 RSA" and set the "Number of bits in a generated key" to 1024
- Push "Generate" and follow the instructions.
- Select "Export OpenSSH Key" from the "Conversions" menu and save the file as C:\Documents and Settings\<username>\.ssh\id_rsa
- Push "Save public key" and save the file e.g. <username>-<hostname>.pub
- Copy the text from the "Public key for pasting..." box into a new text file and save e.g. <username>-<hostname>.asc
The .pub file can be uploaded to a public key server. The contents of the .asc file can be added to the authorized_keys file on a remote server.
Run pageant.exe. This will create an icon in the system tray of a computer with a hat (?) on it. Click on that icon. This will open a window titled "Pageant Key List". Select "Add Key". It will then prompt you for a private key file, which should be the key you generated and saved in the previous step.
Now log in to the remote host.
On the remote host, edit the file ~/.ssh/authorized_keys. Each line of this file contains the public half of the public/private key pair which is authorized to log in.
Use a text editor to copy the contents of the public key you just generated (which can be copy-and-pasted from puttygen, or from the contents of the public key file you saved) to the ~/.ssh/authorized_keys file on the remote server. Ensure that there are no line breaks; the key must all be on a single line. Save the file.
Test that your client is now authorized by logging in again via ssh (using PuTTY) to the account. Assuming that works, you should now be able to use bzr+ssh:// and sftp:// to access branches on the remote host without requiring a password.