Contents of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml

Revision 1.6
Mon Apr 26 19:24:11 2010 UTC (4 years, 3 months ago) by nightmorph
Branch: MAIN
Changes since 1.5: +60 -25 lines
File MIME type: application/xml
remove dead keychain project, replace with link to /doc/en/keychain-guide.xml. also went through the whole doc and edited for GuideXML code standards

<?xml version='1.0' encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide>
<title>SSH access to cvs.gentoo.org</title>

<author title="Author">
<mail link="swift"/>
</author>
<author title="Author">
<mail link="robbat2"/>
</author>
<author title="Editor">
<mail link="nightmorph"/>
</author>

<abstract>
This mini-guide explains how to create and use SSH keys, especially
for use on cvs.gentoo.org.
</abstract>

<version>1.2</version>
<date>2010-04-26</date>

<chapter>
<title>SSH keys</title>
<section>
<title>Creating the SSH keys</title>
<body>

<p>
First of all, be physically logged on to your own computer. Make sure
that no-one will see you typing stuff in, since we are going to type in
passphrases and such. So get your pepper spray and fight all untrusted
entities until you are home alone.
</p>

<p>
Now we are going to create our SSH keys, DSA keys to be exact. Log on to
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
</p>

<pre caption="Creating SSH keys">
$ <i>ssh-keygen -t dsa</i>
Generating public/private dsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
Your identification has been saved in /home/temp/.ssh/id_dsa.
Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
</pre>

<note>
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least 8 characters and contain a mixture of
letters, numbers and symbols.
</note>

<p>
Now wasn't that easy? Let's see what we have created:
</p>

<pre caption="Created files">
# <i>ls ~/.ssh</i>
id_dsa id_dsa.pub
</pre>

<p>
You'll probably have more files than this, but the 2 files listed above
are the ones that are really important.
</p>

<p>
The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
distribute this amongst all people unless you want to get into a fight
with drobbins (no, you don't want that).
</p>

<warn>
If you have several (<e>trusted!</e>) hosts from which you want to
connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the
<path>~/.ssh</path> directories on those hosts.
</warn>

<p>
The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
Distribute this file amongst all hosts that you want to be able to
access through SSH pubkey authentication. This file should be appended
to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
</p>

<pre caption="Adding the SSH key to the box">
$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
</pre>

</body>
</section>
<section>
<title>
Installing your public key on a machine using LDAP authentication for SSH
</title>
<body>

<note>
If you are a new developer, your recruiter will put your first SSH key into
LDAP, so that you can log in. You can then add any additional SSH keys yourself
using the following procedure.
</note>

<p>
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
<path>~/.ssh/authorized_keys</path> should generally not contain your key.
</p>

<p>
Instead, you should place your public key into LDAP, using
<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
guide</uri> describes this in more detail.
</p>

<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
</pre>

<warn>
Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
</warn>

</body>
</section>
<section>
<title>Using keychain</title>
<body>

<p>
Every time you want to log on to a remote host using SSH public key
authentication, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily, there is
<c>keychain</c> to the rescue. There is a document on this one <uri
link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
introduction.
</p>

<p>
First, install <c>keychain</c>:
</p>

<pre caption="Installing keychain">
# <i>emerge keychain</i>
</pre>

<p>
Now have keychain load up your private SSH key when you log on to your local
box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
should be done on your <e>local</e> machine where you work at the Gentoo CVS.
</p>

<pre caption="Add this to .bash_profile">
keychain ~/.ssh/id_dsa
. .keychain/<comment>hostname</comment>-sh
</pre>

<p>
Be sure to substitute <c>hostname</c> with your hostname.
</p>

</body>
</section>
</chapter>
</guide>
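
Added example, not part of the Gentoo guide: for the `ldapmodify` route mentioned in the LDAP section, this script turns a file of public keys into an LDIF record with one `sshPublicKey` value per key, and refuses input where a line holds anything other than exactly one key. The helper name `keys_to_ldif`, the DN and the sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Gentoo guide. Builds an LDIF "modify" record for
# ldapmodify with one sshPublicKey value per public key.
# ASSUMPTION: this DN is a placeholder; use the DN of your own LDAP entry.
USER_DN='uid=USERNAME,ou=PLACEHOLDER,dc=example,dc=org'

# keys_to_ldif FILE [DN]  (hypothetical helper name)
# FILE holds one public key per line ("type base64 [comment]"), e.g. several
# id_dsa.pub files concatenated. Prints the LDIF on stdout; returns non-zero
# and prints nothing on stdout if any line is not exactly one key.
keys_to_ldif() {
    awk -v dn="${2:-$USER_DN}" '
        function is_type(s) {
            return s ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$/
        }
        /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
        {
            ok = is_type($1) && $2 ~ /^[A-Za-z0-9+\/]+=*$/
            # A second key-type token means two keys were pasted on one line.
            for (i = 3; i <= NF; i++) if (is_type($i)) ok = 0
            if (!ok) {
                printf "line %d: not exactly one public key\n", NR > "/dev/stderr"
                bad = 1
                exit
            }
            keys[++n] = $0
        }
        END {
            if (bad || n == 0) exit 1
            print "dn: " dn
            print "changetype: modify"
            print "add: sshPublicKey"
            for (i = 1; i <= n; i++) print "sshPublicKey: " keys[i]
        }' "$1"
}

# Demo on constructed sample keys (the base64 blobs are not real keys).
demo_keys=$(mktemp)
cat > "$demo_keys" <<'EOF'
# keys for two trusted hosts
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE temp@Niandra
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE temp@laptop
EOF
keys_to_ldif "$demo_keys"
rm -f "$demo_keys"
```

Review the generated record before passing it to `ldapmodify`; the LDAP guide linked in the section above covers the connection details.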
