Ssh notes » History » Version 5

Marc Mengel, 11/06/2013 12:09 PM

h1. Ssh notes

When using ssh to access repositories on cdcvs, you have pretty much two possibilities: authenticating with Kerberos, or with public key access. Not configuring this right tends to get you errors like:

* cvs check_access scripts telling you '"cvsuser" isn't allowed to commit to whatever'
* svn errors like:
  <pre>
 sh: -c: line 0: syntax error near unexpected token `('
 sh: -c: line 0: `svnserve --tunnel-user (null)  -t'
  </pre>

h2. kerberos configuration

To make sure your ssh client forwards credentials to make our who-is-this-user scripts and restricted login shell happy, please add:
<pre>
host cdcvs.fnal.gov
 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
</pre>
to your @$HOME/.ssh/config@ file and all should be well. On some newer systems you may also need a
<pre>
 GSSAPITrustDNS yes
</pre>
line in that host block, too.
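A quick way to confirm the block really is in effect, as an added example that is not part of these notes: the script below reads a config file the way ssh does (top to bottom, lines outside any @Host@ block apply everywhere, and the first value found for an option wins) and reports the GSSAPI settings cdcvs.fnal.gov would get. The two config files it writes are constructed samples; the file name, host name and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that an ssh config file gives
# cdcvs.fnal.gov the two GSSAPI settings recommended above, using the same
# first-match rule the ssh client applies.

# ssh_config_get FILE HOST KEY
# Prints the value ssh would use for KEY when connecting to HOST:
#  - the file is scanned top to bottom,
#  - lines before any "Host" line apply to every host,
#  - the FIRST value obtained wins, later ones are ignored,
#  - keys are case-insensitive; "Key value", "Key=value", "Key = value" all work.
# Host patterns handled: exact names and a bare "*" (no other globbing).
# Only the first word of the value is printed (enough for yes/no options).
ssh_config_get() {
    awk -v host="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        BEGIN { active = 1 }                    # global section before any Host line
        /^[[:space:]]*#/ { next }               # comment
        /^[[:space:]]*$/ { next }               # blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)   # "Key = value" -> "Key value"
            n = split(line, f, /[[:space:]]+/)
            k = tolower(f[1])
            if (k == "host") {
                active = 0
                for (i = 2; i <= n; i++)
                    if (f[i] == host || f[i] == "*") active = 1
                next
            }
            if (k == "match") { active = 0; next }   # Match blocks are not evaluated here
            if (active && k == key) { print f[2]; exit }
        }' "$1"
}

# check_cdcvs_config FILE
# Returns 0 when FILE gives cdcvs.fnal.gov both GSSAPI options as "yes";
# otherwise prints what ssh would actually use and returns 1.
check_cdcvs_config() {
    cfg=$1 host=cdcvs.fnal.gov rc=0
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        val=$(ssh_config_get "$cfg" "$host" "$opt")
        if [ "$val" != yes ]; then
            echo "$cfg: $opt for $host is '${val:-unset}', expected yes"
            rc=1
        fi
    done
    return $rc
}

# write_sample_config FILE -- constructed config mirroring the block above
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the demo
host cdcvs.fnal.gov
 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

Host *
 GSSAPIAuthentication no
EOF
}

# write_shadowed_config FILE -- same block, but a global "no" placed earlier in
# the file wins, because ssh keeps the first value it sees
write_shadowed_config() {
    cat > "$1" <<'EOF'
GSSAPIAuthentication no

host cdcvs.fnal.gov
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
EOF
}

# Run against a real file:  sh thisscript.sh ~/.ssh/config
if [ $# -gt 0 ]; then
    check_cdcvs_config "$1" && echo "$1: cdcvs.fnal.gov looks correctly configured"
fi
```

The shadowed sample is the usual way this goes wrong: a @GSSAPIAuthentication no@ (or a @Host *@ block) sitting above the cdcvs block quietly overrides it. On OpenSSH 6.8 and later, @ssh -G cdcvs.fnal.gov@ prints the effective configuration and is the authoritative check. @GSSAPITrustDNS@ is deliberately not required by the checker: that option comes from the GSSAPI key-exchange patch carried by Debian- and Red Hat-derived OpenSSH packages rather than from upstream OpenSSH, which is why only some systems know it.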

However, if you have problems:

The problem is usually the clock. Check that the UTC time from
<pre>   date -u </pre>
is correct.

Do you have a valid kerberos ticket?
<pre>   klist -f</pre>

Do you have an addressless ticket, if working behind a NAT, as is often the case outside Fermilab? Look for the A flag in the @klist -f@ output. To get an addressless ticket:
<pre>        kinit -A </pre>
or
<pre>        kinit -n</pre>
depending on which kinit you have.

Are you using an ssh which supports kerberized ssh?

Are you using @/usr/kerberos/bin/kinit@, not the JRE or java version?
<pre>    which kinit</pre>

You can override the .ssh/config with:
<pre>    ssh -o "GSSAPIAuthentication yes" -o "GSSAPIDelegateCredentials yes" ...</pre>

To debug the connection process, do
<pre>    ssh -v</pre>
and for really full details,
<pre>    ssh -vvv</pre>
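The ticket and kinit questions above can be answered mechanically. The script below is an added example, not part of these notes; it assumes MIT Kerberos's @klist@, whose @-a@ option prints an @Addresses:@ line under each ticket (@(none)@ for an addressless ticket), and takes the @/usr/kerberos/bin/kinit@ location from the notes. Both @klist@ outputs embedded in it are constructed samples, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): check MIT-style `klist -af` output
# for a krbtgt ticket and whether it is addressless, and check that the kinit
# in PATH is the system one rather than the one shipped with a JRE.

# Constructed sample: what `klist -af` shows after `kinit -A` (no addresses).
SAMPLE_ADDRESSLESS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@FNAL.GOV

Valid starting       Expires              Service principal
11/06/2013 12:00:00  11/07/2013 12:00:00  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: FIA
        Addresses: (none)
'

# Constructed sample: a ticket bound to one address (breaks behind NAT).
SAMPLE_BOUND='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@FNAL.GOV

Valid starting       Expires              Service principal
11/06/2013 12:00:00  11/07/2013 12:00:00  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: FIA
        Addresses: 192.0.2.10
'

# ticket_is_addressless  (reads klist output on stdin)
# exit 0: krbtgt ticket present and addressless
# exit 1: krbtgt ticket is bound to addresses
# exit 2: no krbtgt ticket, or no Addresses line (klist run without -a)
ticket_is_addressless() {
    awk '
        /^Default principal:/ { princ = $3 }
        /krbtgt\// { seen = 1; intgt = 1; next }      # the ticket-granting ticket entry
        /^[0-9]/   { intgt = 0 }                      # a different ticket entry starts
        intgt && /^[[:space:]]*Flags:/     { flags = $2 }
        intgt && /^[[:space:]]*Addresses:/ {
            addr = $0
            sub(/^[[:space:]]*Addresses:[[:space:]]*/, "", addr)
        }
        END {
            if (!seen) { print "no krbtgt ticket found: run kinit"; exit 2 }
            printf "principal %s, krbtgt flags: %s\n", princ, flags
            if (addr == "") { print "no Addresses line: run klist -af"; exit 2 }
            if (addr == "(none)") { print "ticket is addressless"; exit 0 }
            printf "ticket is bound to %s: re-run kinit with -A (or -n)\n", addr
            exit 1
        }'
}

# kinit_path_ok PATH
# The notes ask for /usr/kerberos/bin/kinit: the kinit inside a JRE keeps its
# ticket cache where the system Kerberos libraries used by ssh do not look.
kinit_path_ok() {
    case "$1" in
        "")                 echo "no kinit in PATH"; return 1 ;;
        *java*|*jre*|*jvm*) echo "$1 is the Java kinit, not the system one"; return 1 ;;
        */kinit)            return 0 ;;
        *)                  echo "$1 does not look like a kinit binary"; return 1 ;;
    esac
}

# Live run on this machine:  sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
    kinit_path_ok "$(command -v kinit)"
    klist -af | ticket_is_addressless
fi
```

The clock question is not automated here: a skewed clock shows up as a KDC error at @kinit@ time, and @date -u@ compared against a trusted source remains the check.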

h2. public key access

* Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5; you can check what version you have by running

<pre>
      ssh -V
</pre>

* If you don't have one, create an ssh key pair by running:

  <pre>
      ssh-keygen
  </pre>

  It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; rather pick a nice long phrase, but one you can remember. You can change it later with

  <pre>
      ssh-keygen -p
  </pre>

  This will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.

  Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a separate key for their NT accounts than their others, and use directory/file permissions to keep the key file as safe as possible.

* If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).

  <pre>
      CVS_RSH=ssh
      export CVS_RSH
      # start an agent and load the key only if no agent is already available
      if [ "x$SSH_AUTH_SOCK" = x ]
      then
          echo Doing ssh stuff...
          eval `ssh-agent`
          ssh-add
      fi
  </pre>

  and this to your $HOME/.login

  <pre>
      setenv CVS_RSH ssh
      # csh/tcsh equivalent: start an agent only if SSH_AUTH_SOCK is unset
      if ( ! $?SSH_AUTH_SOCK ) then
          echo Doing ssh stuff...
          eval `ssh-agent -c`
          ssh-add
      endif
  </pre>

  Finally, you may need, in your $HOME/.ssh/config file:

  <pre>
Host cdcvs.fnal.gov
    ForwardX11 = no
    ForwardAgent true
  </pre>

  to make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:

  <pre>
      CVS_RSH=ssh-cvs
  </pre>

  in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.

  In any case, after adding these to your .login, .profile or .bashrc as appropriate, source the file, or log out and log back in.

* Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

  Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
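The key-pair step above says the private key must stay readable only by you, and the ssh client itself refuses to use a private key whose mode lets group or others read it. The script below is an added example, not part of these notes: a portable check of the key files and the .ssh directory using only @ls@, @cut@, @awk@ and @id@, so it behaves the same on Linux, macOS and Cygwin. It assumes private keys are named @id_*@ with their public halves ending in @.pub@; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that private keys and the
# .ssh directory are "readable only by you", as the notes require.

# mode_string PATH -> the ten-character ls mode, e.g. -rw-------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# owned_by_me PATH -> 0 when the current user owns PATH
owned_by_me() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$(id -un)" ]
}

# private_key_perms_ok PATH
# 0 when PATH is a regular file owned by you with no group/other permission
# bits (0600 or 0400); otherwise explains what is wrong and returns 1.
private_key_perms_ok() {
    key=$1
    [ -f "$key" ] || { echo "$key: not a regular file"; return 1; }
    owned_by_me "$key" || { echo "$key: not owned by $(id -un)"; return 1; }
    case "$(mode_string "$key")" in
        -???------) return 0 ;;
        *) echo "$key: mode $(mode_string "$key") is too open; run: chmod 600 $key"; return 1 ;;
    esac
}

# ssh_dir_perms_ok PATH
# 0 when PATH is a directory owned by you that group/other cannot enter or list.
ssh_dir_perms_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    owned_by_me "$dir" || { echo "$dir: not owned by $(id -un)"; return 1; }
    case "$(mode_string "$dir")" in
        d???------) return 0 ;;
        *) echo "$dir: mode $(mode_string "$dir") is too open; run: chmod 700 $dir"; return 1 ;;
    esac
}

# check_ssh_dir [DIR] -- audits DIR (default ~/.ssh) and every id_* private key in it
check_ssh_dir() {
    dir=${1:-$HOME/.ssh} rc=0
    ssh_dir_perms_ok "$dir" || rc=1
    for key in "$dir"/id_*; do
        case "$key" in *.pub) continue ;; esac   # public halves may be world-readable
        [ -e "$key" ] || continue                 # the glob matched nothing
        private_key_perms_ok "$key" || rc=1
    done
    return $rc
}

# Run it for real:  sh thisscript.sh ~/.ssh
if [ $# -gt 0 ]; then
    check_ssh_dir "$1" && echo "$1: permissions look right"
fi
```

The checks are key-type agnostic, which matters because current OpenSSH's @ssh-keygen@ defaults to an Ed25519 key (@id_ed25519@) and no longer accepts DSA keys, so the file names the tool creates today differ from the @id_dsa@ used in these notes.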