Ssh notes » History » Version 3

Marc Mengel, 02/15/2010 10:14 AM

h1. Ssh notes

When using ssh to access repositories on cdcvs, you have essentially two options: authenticating with Kerberos, or with public key access. Not configuring this correctly tends to get you errors like:

* cvs check_access scripts telling you '"cvsuser" isn't allowed to commit to whatever'

* svn errors like:
  <pre>
 sh: -c: line 0: syntax error near unexpected token `('
 sh: -c: line 0: `svnserve --tunnel-user (null)  -t'
  </pre>

h2. kerberos configuration

To make sure your ssh client forwards credentials, which keeps our who-is-this-user scripts and restricted login shell happy, please add:
<pre>
host cdcvs.fnal.gov
 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
</pre>

to your $HOME/.ssh/config file and all should be well.

h2. public key access

* Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5; you can check what version you have by running

<pre>
      ssh -V
</pre>

* If you don't have one, create an ssh key pair by running:

  <pre>
      ssh-keygen
  </pre>

  It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; rather, pick a nice long phrase, but one you can remember. You can change it later with

  <pre>
      ssh-keygen -p
  </pre>

  Running ssh-keygen will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from those accounts. And of course you should keep the id_dsa file readable only by you.

  Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a different key for their NT accounts than for their other accounts, and use directory/file permissions to keep the key file as safe as possible.

* If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).

  <pre>
          # have cvs use ssh as its remote shell
          CVS_RSH=ssh
          export CVS_RSH
          # start an agent and load your key only if no agent is reachable yet
          if [ "x$SSH_AUTH_SOCK" = x ]
          then
              echo Doing ssh stuff...
              eval `ssh-agent`
              ssh-add
          fi
  </pre>

  and this to your $HOME/.login

  <pre>
          # csh/tcsh form of the .profile snippet above
          setenv CVS_RSH ssh
          if ( ! $?SSH_AUTH_SOCK ) then
              echo Doing ssh stuff...
              eval `ssh-agent -c`
              ssh-add
          endif
  </pre>

  Finally, you may need the following in your $HOME/.ssh/config file

  <pre>
Host cdcvs.fnal.gov
    ForwardX11 = no
    ForwardAgent true
  </pre>

  to make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:

  <pre>
         CVS_RSH=ssh-cvs
  </pre>

  in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.

  In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.

* Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

  Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
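
As an added example (not part of the original notes): GSSAPIDelegateCredentials from the Kerberos section and ForwardAgent from the public key section both let the remote host use your credentials during the session, so this shell check confirms they are enabled only under explicitly named hosts and that the private key has no group or other permission bits. The function names and the sample config are constructed for illustration, and the parser assumes a config made of Host blocks only (no Match or Include).

```sh
#!/bin/sh
# Added example, not from the original page. Assumes Host blocks only.

# Print "<option> <host patterns>" for each place an ssh client config turns on
# agent forwarding or Kerberos credential delegation.
delegating_hosts() {
    awk '
        BEGIN { scope = "*" }              # options before any Host line apply to every host
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)   # "Key = value" is the same as "Key value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            if (key == "host") { scope = line; sub(/^[^ \t]+[ \t]+/, "", scope); next }
            if ((key == "forwardagent" || key == "gssapidelegatecredentials") &&
                (val == "yes" || val == "true"))
                print key, scope
        }' "$1"
}

# Succeed only if every such setting sits under explicitly named hosts.
delegation_is_scoped() {
    ! delegating_hosts "$1" | grep -q '[*?]'
}

# Succeed only if the private key file has no group or other permission bits.
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: the page's settings for cdcvs plus a risky catch-all block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host cdcvs.fnal.gov
    ForwardX11 = no
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    ForwardAgent true
Host *
    ForwardAgent yes
EOF
delegating_hosts "$sample"
delegation_is_scoped "$sample" || echo "WARNING: delegation enabled for a wildcard host"
```

To check your own files, call the functions with your real paths, for example `delegation_is_scoped "$HOME/.ssh/config"` and `key_is_private "$HOME/.ssh/id_dsa"`.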