Ssh notes » History » Version 2

Marc Mengel, 02/15/2010 10:12 AM


Ssh notes

When using ssh to access repositories on cdcvs, you have essentially two options:
authenticating with Kerberos, or with a public key. Getting this configuration wrong
tends to produce errors like:

  • scripts telling you "cvsuser" isn't allowed to commit to a repository
  • (others?)

Kerberos configuration

To make sure your ssh client forwards your Kerberos credentials, which keeps our
who-is-this-user scripts and restricted login shell happy, please add:

Host cdcvs.fnal.gov
    ForwardX11 = no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

to your $HOME/.ssh/config file and all should be well.

public key access

  • Make sure ssh is installed on your system. These instructions have been tested with OpenSSH version 3.5; you can check which version you have by running:
      ssh -V
  • If you don't have one, create an ssh key pair, by running:

          ssh-keygen 
      

    It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; rather, pick a nice long phrase, but one you can remember. You can change it later with
          ssh-keygen -p
      
    This will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.
    Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a different key for their NT accounts than for their other accounts, and use directory/file permissions to keep the key file as safe as possible.
  • If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).

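              CVS_RSH=ssh
              export CVS_RSH
              # Start an agent only if this session does not already have one.
              # The variable is quoted so an unset or odd value cannot break the test.
              if [ "x$SSH_AUTH_SOCK" = x ]
              then
                  echo Doing ssh stuff...
                  # -s forces Bourne-style output regardless of $SHELL
                  eval `ssh-agent -s`
                  ssh-add
              fi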
      

    and this to your $HOME/.login (for csh/tcsh users):
              setenv CVS_RSH ssh
              if ( ! $?SSH_AUTH_SOCK ) then
                  echo Doing ssh stuff...
                  eval `ssh-agent -c`
                  ssh-add
              endif
    
      
    Finally, you may need, in your $HOME/.ssh/config file:
    Host cdcvs.fnal.gov
        ForwardX11 = no
        ForwardAgent true
      
    This makes sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:
    CVS_RSH=ssh-cvs
    in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.
    In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.
  • Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

    Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
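
The key-pair step above asks for a passphrase on the private key and for id_dsa to be readable only by you. The following is an added example, not part of the original notes, that checks both on a legacy PEM key file; the function name audit_key and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a legacy PEM private key such as $HOME/.ssh/id_dsa.
# audit_key is a hypothetical helper name, not part of OpenSSH.

# Prints one line per finding and returns the number of findings.
audit_key() {
    key=$1
    findings=0
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    # The ssh client ignores a private key that others can access.
    others=$(ls -ld "$key" | cut -c5-10)
    if [ "$others" != "------" ]; then
        echo "$key: group/other access ($others); fix with: chmod 600 $key"
        findings=$((findings + 1))
    fi
    # Legacy PEM keys carry "Proc-Type: 4,ENCRYPTED" when a passphrase is set.
    # The newer "BEGIN OPENSSH PRIVATE KEY" format hides that inside its
    # base64 body, so such keys are reported as not checked.
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$key"; then
        echo "$key: new-format key, passphrase state not checked"
    elif ! grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "$key: no passphrase; set one with: ssh-keygen -p -f $key"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed files (placeholders, not real key material).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'constructed-body' > "$demo/protected"
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'constructed-body' \
    > "$demo/exposed"
chmod 600 "$demo/protected"
chmod 644 "$demo/exposed"
audit_key "$demo/protected" || true
audit_key "$demo/exposed" || true
rm -rf "$demo"
```

Run audit_key "$HOME/.ssh/id_dsa" on each account the key was copied to; a return status of 0 means neither problem was found.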