Diff of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml


Revision 1.7 Revision 1.8
26<version>1.3</version> 26<version>1.3</version>
27<date>2011-10-14</date> 27<date>2011-10-14</date>
28 28
29<chapter> 29<chapter>
30<title>SSH keys</title> 30<title>SSH keys</title>
31<section> 31<section>
32<title>Key Handling</title> 32<title>Key Handling</title>
33<body> 33<body>
34<p> 34<p>
35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly 35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
36handling these keys is vital to keeping our machines safe. Please try to 36handling these keys is vital to keeping our machines safe. Please try to
37follow these guidelines. 37follow these guidelines.
38</p> 38</p>
39 39
40<ul> 40<ul>
41 <li>Place your keys <b>only</b> on machines you trust. This means only you have root 41 <li>Place your private keys <b>only</b> on machines you trust. This means only you have root
42 on these machines and they are not shared with other users. 42 on these machines and they are not shared with other users.
43 </li> 43 </li>
44 <li>Do not trust Gentoo Infrastructure. Do not place copies of your keys 44 <li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
45 on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent 45 on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
46 through Gentoo managed machines if they are configured to allow users to 46 through Gentoo managed machines if they are configured to allow users to
47 agent forward (more on forwarding later.) 47 agent forward (more on forwarding later.)
48 </li> 48 </li>
49 <li>Encrypt your keys with a strong passphrase. If you have trouble making 49 <li>Encrypt your keys with a strong passphrase. If you have trouble making
50 a passphrase try emerge pwgen; pwgen -sB 25 50 a passphrase try emerge pwgen; pwgen -sB 25
51 </li> 51 </li>
52 <li>Do not access Gentoo infrastructure from untrusted machines such as business 52 <li>Do not access Gentoo infrastructure from untrusted machines such as business
53 kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines 53 kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
54 are infected with malware.</li> 54 are infected with malware.</li>
55 <li>If you believe your keys were compromised, contact infrastructure immediately. 55 <li>If you believe your keys were compromised, contact infrastructure immediately.
56 You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org. 56 You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
57 </li>
58 <li>Official hostkey fingerprints for Gentoo Infrastructure servers are
59 available on the <uri link="/proj/en/infrastructure/server-specs"> server
60 specifications </uri> page.
57 </li> 61 </li>
58</ul> 62</ul>
59</body> 63</body>
60</section> 64</section>
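Review bot: the first list item now reads "private keys", but the two items after it ("Do not place copies of your keys on Gentoo machines" and "Encrypt your keys with a strong passphrase") still say "keys", although both are about the private half. Use the same wording there so the list is consistent. In the new hostkey item, the link text inside <uri> begins and ends with a space ("> server" and "specifications </uri>"), so tighten it to <uri link="...">server specifications</uri>. The item also only says where the fingerprints are published. Consider adding one sentence telling developers to compare the fingerprint shown on first connection against that page.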
61<section> 65<section>
62<title>Creating the SSH keys</title> 66<title>Creating the SSH keys</title>
63<body> 67<body>
64 68
65<p> 69<p>
66First of all, be physically logged on to your own computer. Make sure 70First of all, be physically logged on to your own computer. Make sure
67that no-one will see you typing stuff in, since we are going to type in 71that no-one will see you typing stuff in, since we are going to type in
68passphrases and such. So get your pepperspray and fight all untrusted 72passphrases and such. So get your pepperspray and fight all untrusted
69entities until you are home alone. 73entities until you are home alone.
70</p> 74</p>
71 75
73Now we are going to create our ssh keys, DSA keys to be exact. Log onto 77Now we are going to create our ssh keys, DSA keys to be exact. Log onto
74your computer as the user that you are going to be using when you want 78your computer as the user that you are going to be using when you want
75to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>: 79to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
76</p> 80</p>
77 81
78<pre caption="Creating SSH keys"> 82<pre caption="Creating SSH keys">
79$ <i>ssh-keygen -t dsa</i> 83$ <i>ssh-keygen -t dsa</i>
80Generating public/private dsa key pair. 84Generating public/private dsa key pair.
81Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment> 85Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
82Created directory '/home/temp/.ssh'. 86Created directory '/home/temp/.ssh'.
83Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment> 87Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
84Enter same passphrase again: <comment>(Enter your passphrase again)</comment> 88Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
85Your identification has been saved in /home/temp/.ssh/id_dsa. 89Your identification has been saved in /home/temp/.ssh/id_dsa.
86Your public key has been saved in /home/temp/.ssh/id_dsa.pub. 90Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
87The key fingerprint is: 91The key fingerprint is:
8885:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra 9285:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 user@examplehost <comment>This is the fingerprint of your new key</comment>
89</pre> 93</pre>
90 94
91<note> 95<note>
92Please be sure to set a strong passphrase on your private key. Ideally, 96Please be sure to set a strong passphrase on your private key. Ideally,
93this passphrase should be at least eight characters and contain a mixture of 97this passphrase should be at least eight characters and contain a mixture of
94letters, numbers and symbols. 98letters, numbers and symbols.
95</note> 99</note>
96 100
97<warn> 101<warn>
98Do not set an empty passphrase on your ssh key. If infra finds out this is the 102Do not set an empty passphrase on your ssh key. If infra finds out this is the
99case; your account will be suspended. 103case; your account will be suspended.
100</warn> 104</warn>
101 105
102<pre caption="Created files"> 106<pre caption="Created files">
103# <i>ls ~/.ssh</i> 107# <i>ls ~/.ssh</i>
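Review bot: the fingerprint line replaces temp@Niandra with user@examplehost, but the rest of the sample output still shows /home/temp/.ssh/id_dsa and /home/temp/.ssh/id_dsa.pub, so the example now disagrees with itself about the user name. Either change the paths to /home/user or use temp@examplehost. The added <comment> is also written without parentheses, unlike the other comments in this block such as "(Press enter)"; wrap it the same way so the annotation is not read as part of the ssh-keygen output.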
