Ssh notes » History » Version 7

Marc Mengel, 11/06/2013 12:10 PM

h1. Ssh notes

When using ssh to access repositories on cdcvs, you have essentially two possibilities: authenticating with Kerberos, or with public key access. Not configuring this right tends to get you errors like:

* cvs check_access scripts telling you '"cvsuser" isn't allowed to commit to whatever'
* svn errors like:
  <pre>
 sh: -c: line 0: syntax error near unexpected token `('
 sh: -c: line 0: `svnserve --tunnel-user (null)  -t'
  </pre>

h2. kerberos configuration

To make sure your ssh client forwards credentials to make our who-is-this-user scripts and restricted login shell happy, please add:
<pre>
host cdcvs.fnal.gov
 ForwardX11 = no
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes
</pre>
and on some newer systems
<pre>
 GSSAPITrustDNS yes
</pre>
to your @$HOME/.ssh/config@ file and all should be well.

...However if you have problems:

The problem is usually the clock. Check that the UTC time from
<pre>   date -u </pre>
is correct.

Do you have a valid Kerberos ticket?
<pre>   klist -f</pre>

Do you have an addressless ticket, if working behind a NAT, as is often the case outside Fermilab? Look for the @A@ flag in the @klist -f@ output. To get an addressless ticket:
<pre>        kinit -A </pre>
or
<pre>        kinit -n</pre>
depending on which kinit you have.

Are you using an ssh which supports kerberized ssh?

Are you using /usr/kerberos/bin/kinit, not the JRE or java version?
<pre>    which kinit</pre>

You can override the .ssh/config with:
<pre>    ssh -o "GSSAPIAuthentication yes" -o "GSSAPIDelegateCredentials yes" ...</pre>

To debug the connection process, do
<pre>    ssh -v</pre>
and for really full details,
<pre>    ssh -vvv</pre>
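The checklist above as a small shell script, added here as an example and not taken from the original wiki page: the klist flag check, the clock-skew limit and the which-kinit test become functions that run against constructed sample output, and a @--live@ mode runs the same checks on the real machine. The sample klist output, the 300-second skew limit (the krb5.conf clockskew default) and the path patterns used to spot a Java kinit are assumptions of this example. The flag check takes the letter as a parameter, so it covers any flag letter in the klist output, not only the A the text tells you to look for.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: the Kerberos checks from
# the text (clock, klist flags, which kinit) as functions that can be exercised
# offline. Assumes MIT-style "klist -f" output, where the line after each
# ticket reads "Flags: ..." (assumption of this example).

# Constructed sample: a TGT whose flags include the A the page says to look for
SAMPLE_ADDRESSLESS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@FNAL.GOV

Valid starting     Expires            Service principal
11/06/13 12:00:00  11/07/13 12:00:00  krbtgt/FNAL.GOV@FNAL.GOV
	Flags: FfRIA'

# Constructed sample: the same TGT without the A flag
SAMPLE_NO_A='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@FNAL.GOV

Valid starting     Expires            Service principal
11/06/13 12:00:00  11/07/13 12:00:00  krbtgt/FNAL.GOV@FNAL.GOV
	Flags: FfRI'

# tgt_has_flag KLIST_OUTPUT LETTER: succeed only if the krbtgt entry's Flags
# field contains LETTER (case-sensitive, so A and a are different flags).
tgt_has_flag() {
  printf '%s\n' "$1" | awk -v flag="$2" '
    /krbtgt\// { in_tgt = 1; next }
    in_tgt && /Flags:/ { if (index($2, flag) > 0) found = 1; in_tgt = 0 }
    END { exit (found ? 0 : 1) }'
}

# Kerberos rejects tickets when client and KDC clocks differ by more than the
# clockskew limit, 300 seconds in a default krb5.conf (assumed here).
MAX_SKEW=300
# clock_skew_ok REFERENCE LOCAL: both as epoch seconds from a trusted clock
clock_skew_ok() {
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le "$MAX_SKEW" ]
}

# Heuristic for the page's "not the JRE or java version" question: a kinit
# living under a Java installation is Java's, not the system one. The path
# patterns are an assumption of this example.
kinit_is_system_one() {
  case $1 in
    */jre/*|*/jdk/*|*/jvm/*) return 1 ;;
  esac
  return 0
}

# Live checks against this machine; only run when invoked with --live so the
# functions above can be sourced or tested on a box without klist.
run_live_checks() {
  echo "UTC now: $(date -u)   (compare with a trusted clock; limit ${MAX_SKEW}s)"
  out=$(klist -f 2>&1) || { echo "no usable ticket cache: $out"; return 1; }
  if tgt_has_flag "$out" A; then
    echo "TGT has the A flag"
  else
    echo "TGT lacks the A flag; behind NAT try: kinit -A  (or kinit -n)"
  fi
  k=$(command -v kinit) || { echo "kinit not in PATH"; return 1; }
  kinit_is_system_one "$k" || echo "kinit resolves to $k, which looks like Java's"
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it as @sh kerbcheck.sh --live@ on the machine you are connecting from; without the flag it only defines the functions, which is what makes the sample-driven checks testable.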

h2. public key access

* Make sure ssh is installed on your system. These instructions have been tested with openssh version 3.5; you can check what version you have by running

<pre>
      ssh -V
</pre>

* If you don't have one, create an ssh key pair, by running:

  <pre>
      ssh-keygen
  </pre>

  It will ask you for a passphrase to keep your private key encrypted. Do not use your system password, etc. for this passphrase; rather pick a nice long phrase, but one you can remember. You can change it later with

  <pre>
      ssh-keygen -p
  </pre>

  This will create $HOME/.ssh/id_dsa and $HOME/.ssh/id_dsa.pub, which are your private and public keys, respectively. You should copy these key files (or even your whole .ssh directory) to whatever computer accounts you have, so that you can establish your key authentication from that account. And of course you should keep the id_dsa file readable only by you.

  Cygwin/NT users unfortunately currently must have a key with an empty passphrase (until certain Cygwin bugs are either fixed or worked around). They should use a separate key for their NT accounts than their others, and use directory/file permissions to keep the key file as safe as possible.

* If you haven't already, add this to your $HOME/.profile on your UNIX accounts (currently we cannot do this on Cygwin/NT).

  <pre>
          CVS_RSH=ssh
          export CVS_RSH
          if [ x$SSH_AUTH_SOCK = x ]
          then
              echo Doing ssh stuff...
              eval `ssh-agent`
              ssh-add
          fi
  </pre>

  and this to your $HOME/.login

  <pre>
          setenv CVS_RSH ssh
          if ( ! $?SSH_AUTH_SOCK ) then
              echo Doing ssh stuff...
              eval `ssh-agent -c`
              ssh-add
          endif
  </pre>

  Finally, you may need, in your $HOME/.ssh/config file:

  <pre>
Host cdcvs.fnal.gov
    ForwardX11 = no
    ForwardAgent true
  </pre>

  to make sure your ssh-agent connection is forwarded to cdcvs. Cygwin/NT users should instead set:

  <pre>
         CVS_RSH=ssh-cvs
  </pre>

  in their $HOME/.bashrc and make sure that their CVSROOT starts with :ext:.

  In any case, after adding these to your .login, .profile or .bashrc as appropriate, users should source the file, or log out and log back in.

* Send your $HOME/.ssh/id_dsa.pub file to the administrator of the cvs repository you are using, and have them append it to the $HOME/.ssh/authorized_keys file of the cvs repository account.

  Send it as an email attachment, so the very long text line doesn't get broken up at the wrong places.
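Two checks that go with the steps above, added here as an example and not taken from the original page: one validates a public-key line before it is mailed or appended to authorized_keys, so a line that a mail client wrapped (the failure the last step warns about) is caught instead of silently never matching, and one confirms the private key is readable only by its owner. The ssh-ed25519 sample key (all-zero key bytes), the list of accepted key types and the reliance on @base64 -d@ and @od@ are this example's assumptions; the functions accept any OpenSSH key type, not only the DSA keys the text describes.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: checks for the two key
# files the steps above hand around. Assumes a POSIX sh with "base64 -d" and
# "od" available (GNU coreutils or BSD userland).

# Constructed sample public key: a structurally valid ssh-ed25519 line whose
# 32 key bytes are all zero, so it is obviously not anybody's real key.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA someuser@example.invalid'

# Constructed sample of the failure the last step warns about: the same key
# after a mail client wrapped the long line.
SAMPLE_WRAPPED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA someuser@example.invalid'

# hex_of STRING: the bytes of STRING as one lowercase hex string
hex_of() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# check_pubkey_line LINE: validate one .pub / authorized_keys entry before
# appending it: a single line, a known key type, base64 that decodes, and a
# blob whose embedded type string (the first length-prefixed field of the
# OpenSSH wire format) matches the type field. Prints the reason and returns
# 1 when the line is not intact.
check_pubkey_line() {
  line=$1
  nl='
'
  case $line in
    *"$nl"*) echo "key spans several lines (wrapped in transit?)"; return 1 ;;
    *" "*) ;;
    *) echo "expected 'type base64 [comment]'"; return 1 ;;
  esac
  ktype=${line%% *}
  rest=${line#* }
  blob=${rest%% *}
  case $ktype in
    ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unknown key type: $ktype"; return 1 ;;
  esac
  case $blob in
    *[!A-Za-z0-9+/=]*) echo "blob contains non-base64 characters"; return 1 ;;
  esac
  decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  [ -n "$decoded" ] || { echo "blob does not decode as base64"; return 1; }
  # wire format: uint32 length of the type string, then the type string itself
  expected=$(printf '%08x' "${#ktype}")$(hex_of "$ktype")
  case $decoded in
    "$expected"*) return 0 ;;
  esac
  echo "blob does not start with the '$ktype' type string; wrong or damaged key"
  return 1
}

# check_private_key_perms FILE: the page says id_dsa must be readable only by
# you, and ssh itself ignores a private key that group or others can read.
# Accept mode 0600 or 0400 only.
check_private_key_perms() {
  [ -f "$1" ] || { echo "$1: no such file"; return 1; }
  perms=$(ls -ld "$1" | cut -c2-10)
  case $perms in
    rw-------|r--------) return 0 ;;
  esac
  echo "$1 has mode $perms; fix with: chmod 600 $1"
  return 1
}

# Usage on real files:
#   check_pubkey_line "$(cat "$HOME/.ssh/id_dsa.pub")"
#   check_private_key_perms "$HOME/.ssh/id_dsa"
```

The repository administrator can run @check_pubkey_line@ on the mailed attachment before appending it; a wrapped, truncated or mistyped line is reported there rather than showing up later as a silent "permission denied" from cdcvs.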