Ssh notes » History » Version 1

Marc Mengel, 02/15/2010 10:07 AM

h1. Ssh notes

When using ssh to access repositories on cdcvs, you have two options:
authenticating with Kerberos, or with public key access. Not configuring this correctly
tends to get you errors like:

* scripts telling you "cvsuser" isn't allowed to commit to a repository

* 

h2. kerberos configuration

To make sure your ssh client forwards your credentials, which keeps our who-is-this-user
scripts and restricted login shell happy, please add:
<pre>
host cdcvs.fnal.gov
 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
</pre>

to your $HOME/.ssh/config file and all should be well.

h2. public key access

* Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5; you can check what version you have by running

<pre>
      ssh -V
</pre>

* If you don't have one, create an ssh key pair by running:

  <pre>
      ssh-keygen
  </pre>

  It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; rather, pick a nice long phrase, but one you can remember. You can change it later with

  <pre>
      ssh-keygen -p
  </pre>

  Running ssh-keygen will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.

  Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a different key for their NT accounts than for their other accounts, and use directory/file permissions to keep the key file as safe as possible.

* If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT):

  <pre>
          CVS_RSH=ssh
          export CVS_RSH
          if [ "x$SSH_AUTH_SOCK" = x ]
          then
              echo Doing ssh stuff...
              eval `ssh-agent`
              ssh-add
          fi
  </pre>

  and this to your $HOME/.login:

  <pre>
          setenv CVS_RSH ssh
          if ( ! $?SSH_AUTH_SOCK ) then
              echo Doing ssh stuff...
              eval `ssh-agent -c`
              ssh-add
          endif
  </pre>

  Finally, to make sure your ssh-agent connection is forwarded to cdcvs, you may need the following in your $HOME/.ssh/config file:

  <pre>
Host cdcvs.fnal.gov
    ForwardX11 = no
    ForwardAgent true
  </pre>

  Cygwin/NT users should instead set:

  <pre>
         CVS_RSH=ssh-cvs
  </pre>

  in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.

  In any case, after adding these to your .login, .profile or .bashrc as appropriate, source the file, or log out and log back in.

* Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

  Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
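
An added example, not part of the original notes: a Python check a repository administrator could run on the text of a received id_dsa.pub before appending it to authorized_keys, to catch a key line that was broken or cut short in transit. It assumes a plain (non-certificate) key in the usual one-line layout of type, base64 data and optional comment; the function names are hypothetical and the sample key is constructed from dummy bytes.

```python
import base64
import binascii
import struct


def parse_pubkey_line(line):
    """Return (key_type, comment) for one '<type> <base64> [comment]' line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key data is not valid base64 (truncated or wrapped?)")
    # Assumption: a plain (non-certificate) key, whose blob is a run of
    # 4-byte-length-prefixed fields, the first repeating the key type.
    pos, parts = 0, []
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("key data ends inside a length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("key data ends inside a field (line was cut short)")
        parts.append(blob[pos:pos + size])
        pos += size
    if not parts or parts[0] != key_type.encode():
        raise ValueError("declared key type does not match the key data")
    return key_type, fields[2] if len(fields) > 2 else ""


def check_pubkey_file(text):
    """Accept the text of a received .pub file only if it is one intact key line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one key line, found %d" % len(lines))
    return parse_pubkey_line(lines[0])


def make_sample_line():
    """Constructed sample: ssh-dss-shaped fields with dummy bytes, not a real key."""
    fields = [b"ssh-dss", b"\x00" + b"\xab" * 16, b"\x01" * 8,
              b"\x02" * 16, b"\x03" * 16]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-dss " + base64.b64encode(blob).decode() + " user@example"


if __name__ == "__main__":
    print(check_pubkey_file(make_sample_line() + "\n"))
```

A key that passes this check is only structurally intact; the administrator still has to confirm it came from the person who claims to have sent it.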