Diff of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml

Revision 1.5 Revision 1.6
1<?xml version='1.0' encoding="UTF-8"?> 1<?xml version='1.0' encoding="UTF-8"?>
2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> 2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
3
4<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
5 4
6<guide link = "/proj/en/infrastructure/cvs-sshkeys.xml"> 5<guide>
7<title>SSH access to cvs.gentoo.org</title> 6<title>SSH access to cvs.gentoo.org</title>
7
8<author title="Author"> 8<author title="Author">
9 <mail link="swift@gentoo.org">Sven Vermeulen</mail> 9 <mail link="swift"/>
10</author> 10</author>
11<author title="Author"> 11<author title="Author">
12 <mail link="robbat2@gentoo.org">Robin H. Johnson</mail> 12 <mail link="robbat2"/>
13</author> 13</author>
14<author title="Editor">
15 <mail link="nightmorph"/>
16</author>
17
14<abstract> 18<abstract>
15This mini-guide explains on how to create and use ssh-keys, especially 19This mini-guide explains on how to create and use ssh-keys, especially
16for use on cvs.gentoo.org. 20for use on cvs.gentoo.org.
17</abstract> 21</abstract>
22
18<version>1.1</version> 23<version>1.2</version>
19<date>2007/12/24</date> 24<date>2010-04-26</date>
20 25
21<chapter> 26<chapter>
22<title>SSH keys</title> 27<title>SSH keys</title>
23<section> 28<section>
24<title>Creating the SSH keys</title> 29<title>Creating the SSH keys</title>
25<body> 30<body>
31
26<p> 32<p>
27First of all, be physically logged on to your own computer. Make sure 33First of all, be physically logged on to your own computer. Make sure
28that no-one will see you typing stuff in, since we are going to type in 34that no-one will see you typing stuff in, since we are going to type in
29passphrases and such. So get your pepperspray and fight all untrusted 35passphrases and such. So get your pepperspray and fight all untrusted
30entities until you are home alone. 36entities until you are home alone.
31</p> 37</p>
38
32<p> 39<p>
33Now we are going to create our ssh keys, DSA keys to be exact. Log onto 40Now we are going to create our ssh keys, DSA keys to be exact. Log onto
34your computer as the user that you are going to be using when you want 41your computer as the user that you are going to be using when you want
35to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>: 42to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
36</p> 43</p>
44
37<pre caption = "Creating SSH keys"> 45<pre caption="Creating SSH keys">
38$ <i>ssh-keygen -t dsa</i> 46$ <i>ssh-keygen -t dsa</i>
39Generating public/private dsa key pair. 47Generating public/private dsa key pair.
40Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment> 48Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
41Created directory '/home/temp/.ssh'. 49Created directory '/home/temp/.ssh'.
42Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment> 50Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
43Enter same passphrase again: <comment>(Enter your passphrase again)</comment> 51Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
44Your identification has been saved in /home/temp/.ssh/id_dsa. 52Your identification has been saved in /home/temp/.ssh/id_dsa.
45Your public key has been saved in /home/temp/.ssh/id_dsa.pub. 53Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
46The key fingerprint is: 54The key fingerprint is:
4785:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra 5585:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
48</pre> 56</pre>
57
49<note> 58<note>
50Please be sure to set a strong passphrase on your private key. Ideally, 59Please be sure to set a strong passphrase on your private key. Ideally,
51this passphrase should be at least 8 characters and contain a mixture of 60this passphrase should be at least 8 characters and contain a mixture of
52letters, numbers and symbols. 61letters, numbers and symbols.
53</note> 62</note>
63
54<p> 64<p>
55Now wasn't that easy? Let's see what we have created: 65Now wasn't that easy? Let's see what we have created:
56</p> 66</p>
67
57<pre caption = "Created files"> 68<pre caption="Created files">
58# <i>ls ~/.ssh</i> 69# <i>ls ~/.ssh</i>
59id_dsa id_dsa.pub 70id_dsa id_dsa.pub
60</pre> 71</pre>
72
61<p> 73<p>
62You'll probably have more files than this, but the 2 files listed above 74You'll probably have more files than this, but the 2 files listed above
63are the ones that are really important. 75are the ones that are really important.
64</p> 76</p>
77
65<p> 78<p>
66The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't 79The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
67distribute this amongst all people unless you want to get into a fight 80distribute this amongst all people unless you want to get into a fight
68with drobbins (no, you don't want that). 81with drobbins (no, you don't want that).
69</p> 82</p>
83
70<warn> 84<warn>
71If you have several (<e>trusted!</e>) hosts from which you want to 85If you have several (<e>trusted!</e>) hosts from which you want to
72connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the 86connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the
73<path>~/.ssh</path> directories on those hosts. 87<path>~/.ssh</path> directories on those hosts.
74</warn> 88</warn>
89
75<p> 90<p>
76The second file, <path>id_dsa.pub</path>, is your <e>public</e> key. 91The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
77Distribute this file amongst all hosts that you want to be able to 92Distribute this file amongst all hosts that you want to be able to
78access through SSH pubkey authentification. This file should be appended 93access through SSH pubkey authentification. This file should be appended
79to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it 94to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
80to your local host so you can connect to that one too if you have several 95to your local host so you can connect to that one too if you have several
81boxes. 96boxes.
82</p> 97</p>
98
83<pre caption = "Adding the SSH key to the box"> 99<pre caption="Adding the SSH key to the box">
84$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i> 100$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
85</pre> 101</pre>
102
86</body> 103</body>
87</section> 104</section>
88<section> 105<section>
106<title>
89<title>Installing your public key on a machine using LDAP authentication for SSH</title> 107 Installing your public key on a machine using LDAP authentication for SSH
108</title>
90<body> 109<body>
110
111<note>
91<note>If you are a new developer, your recruiter will put your first SSH key 112If you are a new developer, your recruiter will put your first SSH key into
92into LDAP, so that you can login. You can then add any additional SSH keys 113LDAP, so that you can login. You can then add any additional SSH keys yourself
93yourself using the following procedure.</note> 114using the following procedure.
115</note>
116
94<p> 117<p>
95For most of the Gentoo infrastructure, we use LDAP to distribute user 118For most of the Gentoo infrastructure, we use LDAP to distribute user
96information including SSH public keys. On these machines, 119information including SSH public keys. On these machines,
97<path>~/.ssh/authorized_keys</path> should generally not contain your key. 120<path>~/.ssh/authorized_keys</path> should generally not contain your key.
98</p> 121</p>
122
99<p> 123<p>
100Instead, you should place your public key into LDAP, using 124Instead, you should place your public key into LDAP, using
101<path>perl_ldap</path>, or <path>ldapmodify</path> directly. 125<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
102The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP 126The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
103guide</uri> describes this in more detail. 127guide</uri> describes this in more detail.
104</p> 128</p>
129
105<pre caption = "Adding the SSH key with perl_ldap on dev.gentoo.org"> 130<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
106$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i> 131$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
107</pre> 132</pre>
133
134<warn>
108<warn>Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!</warn> 135Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
136</warn>
137
109</body> 138</body>
110</section> 139</section>
111<section> 140<section>
112<title>Using keychain</title> 141<title>Using keychain</title>
113<body> 142<body>
143
114<p> 144<p>
115Every time you want to log on to a remote host using SSH public key 145Every time you want to log on to a remote host using SSH public key
116authentification, you will be asked to enter your passphrase. As much as 146authentification, you will be asked to enter your passphrase. As much as
117everybody likes typing, too much is sometimes too much. Luckily, 147everybody likes typing, too much is sometimes too much. Luckily, there is
118there is <c>keychain</c> to the rescue. There is an document on this 148<c>keychain</c> to the rescue. There is an document on this one <uri
119one <uri link="/proj/en/keychain.xml">here</uri>, 149link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
120but I'll give you a quick introduction. 150introduction.
121</p> 151</p>
152
122<p> 153<p>
123First, install <c>keychain</c>: 154First, install <c>keychain</c>:
124</p> 155</p>
156
125<pre caption = "Installing keychain"> 157<pre caption="Installing keychain">
126# <i>emerge keychain</i> 158# <i>emerge keychain</i>
127</pre> 159</pre>
160
128<p> 161<p>
129Now have keychain load up your private ssh key when you log on to your 162Now have keychain load up your private ssh key when you log on to your local
130local box. To do so, add the following to <path>~/.bash_profile</path>. 163box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
131Again, this should be done on your <e>local</e> machine where you work 164should be done on your <e>local</e> machine where you work at the Gentoo CVS.
132at the Gentoo CVS.
133</p> 165</p>
166
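Review bot: the rewrapped keychain paragraph keeps two typos that should go while the link target is being changed to `/doc/en/keychain-guide.xml`: "There is an document on this one" should be "There is a document on this one", and "public key authentification" should be "public key authentication".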
134<pre caption = "Add this to .bash_profile"> 167<pre caption="Add this to .bash_profile">
135keychain ~/.ssh/id_dsa 168keychain ~/.ssh/id_dsa
136. .keychain/<comment>hostname</comment>-sh 169. .keychain/<comment>hostname</comment>-sh
137</pre> 170</pre>
171
138<p> 172<p>
139Be sure to substitute <c>hostname</c> with your hostname. 173Be sure to substitute <c>hostname</c> with your hostname.
140</p> 174</p>
175
141</body> 176</body>
142</section> 177</section>
143</chapter> 178</chapter>
144</guide> 179</guide>
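Review bot: the second line of the `.bash_profile` snippet sources `.keychain/hostname-sh` by a path relative to the current directory, whereas the line above it uses the absolute `~/.ssh/id_dsa`. That only works because a login shell starts in `$HOME`; if the profile is ever sourced from another directory the file is not found and no agent variables are loaded, and the next `ssh` prompts for the passphrase again. Suggest `. ~/.keychain/<comment>hostname</comment>-sh` for consistency with the first line.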
