Contents of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml


Revision 1.7
Fri Oct 14 07:56:34 2011 UTC (2 years, 6 months ago) by antarus
Branch: MAIN
Changes since 1.6: +55 -15 lines
File MIME type: application/xml
Try to be a bit more firm on key handling instructions. Frown on trusting dev.gentoo.org. Note that empty passphrases for ssh keys are a very bad offense.

<?xml version='1.0' encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide>
<title>SSH access to cvs.gentoo.org</title>

<author title="Author">
<mail link="swift"/>
</author>
<author title="Author">
<mail link="robbat2"/>
</author>
<author title="Author">
<mail link="antarus"/>
</author>
<author title="Editor">
<mail link="nightmorph"/>
</author>

<abstract>
This mini-guide explains how to create and use SSH keys, especially
for use on cvs.gentoo.org.
</abstract>

<version>1.3</version>
<date>2011-10-14</date>
<chapter>
<title>SSH keys</title>
<section>
<title>Key Handling</title>
<body>

<p>
Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
handling these keys is vital to keeping our machines safe. Please try to
follow these guidelines.
</p>

<ul>
<li>Place your keys <b>only</b> on machines you trust. This means only you have root
on these machines and they are not shared with other users.
</li>
<li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
on Gentoo machines (like dev.gentoo.org). You may forward your SSH agent
through Gentoo managed machines if they are configured to allow users to
agent forward (more on forwarding later).
</li>
<li>Encrypt your keys with a strong passphrase. If you have trouble making
a passphrase, try <c>emerge pwgen; pwgen -sB 25</c>.
</li>
<li>Do not access Gentoo infrastructure from untrusted machines such as business
kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
are infected with malware.</li>
<li>If you believe your keys were compromised, contact infrastructure immediately.
You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
</li>
</ul>
</body>
</section>
<section>
<title>Creating the SSH keys</title>
<body>

<p>
First of all, be physically logged on to your own computer. Make sure
that no-one will see you typing stuff in, since we are going to type in
passphrases and such. So get your pepper spray and fight all untrusted
entities until you are home alone.
</p>

<p>
Now we are going to create our SSH keys, DSA keys to be exact. Log onto
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
</p>

<pre caption="Creating SSH keys">
$ <i>ssh-keygen -t dsa</i>
Generating public/private dsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
Your identification has been saved in /home/temp/.ssh/id_dsa.
Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
</pre>

<note>
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least eight characters and contain a mixture of
letters, numbers and symbols.
</note>

<warn>
Do not set an empty passphrase on your SSH key. If infra finds out this is the
case, your account will be suspended.
</warn>

<pre caption="Created files">
$ <i>ls ~/.ssh</i>
id_dsa id_dsa.pub
</pre>

<p>
You may have more files than this, but the two files listed above
are the ones that are really important.
</p>

<p>
The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
will never ask you for a copy of your private key.
</p>

<warn>
Be very careful which machines you put your private key on. If you have
several (<e>trusted!</e>) hosts from which you want to connect to
cvs.gentoo.org, you should copy <path>id_dsa</path> to the
<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
that only you have root on; these machines are not shared with other users.
</warn>

<p>
The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
Distribute this file amongst all hosts that you want to be able to
access through SSH public key authentication. This file should be appended
to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
</p>

<pre caption="Adding the SSH key to the box">
$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
</pre>

</body>
</section>
<section>
<title>
Installing your public key on a machine using LDAP authentication for SSH
</title>
<body>

<note>
If you are a new developer, your recruiter will put your first SSH key into
LDAP, so that you can login. You can then add any additional SSH keys yourself
using the following procedure.
</note>

<note>
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
<path>~/.ssh/authorized_keys</path> should generally not contain your key.
</note>

<p>
You should place your public key into LDAP, using
<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
guide</uri> describes this in more detail.
</p>

<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
</pre>

<warn>
Each <path>sshPublicKey</path> attribute must contain exactly one public key.
If you have multiple public keys, you must have multiple attributes!
</warn>
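<p>
The following Python helper is an added example, not part of this guide and not
Gentoo's perl_ldap: it validates each line of a public key file (declared key type,
base64 blob, encoded type inside the blob, and no second key hiding in the comment
field) and emits an ldapmodify record with exactly one sshPublicKey value per key, as
the warning above requires. The base DN and the sample key material are assumptions;
the constructed sample blob has a correct wire format but is not a real key.
</p>

```python
"""Added example (not Gentoo's own tooling): validate OpenSSH public-key
lines and build an ldapmodify record with one sshPublicKey value per key."""
import base64
import struct

# Assumed base DN; substitute the real one from the Infrastructure LDAP guide.
ASSUMED_BASE_DN = "ou=devs,dc=example,dc=org"


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey(key_type, comment):
    # Constructed sample: correct wire format, dummy fields, NOT a real key
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x00\x01") * 4
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def parse_pubkey_line(line):
    """Return (key_type, comment) for one authorized_keys-style line."""
    parts = line.strip().split(None, 2)
    if len(parts) not in (2, 3):
        raise ValueError("expected: type base64 [comment]")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # A second key pasted onto the same line would hide in the comment field.
    if any(tok.startswith(("ssh-", "ecdsa-")) for tok in comment.split()):
        raise ValueError("more than one key on a single line")
    blob = base64.b64decode(b64, validate=True)  # raises ValueError if bad
    if 4 > len(blob):
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    # The blob starts with the key type; it must match the declared type.
    if len(inner) != n or inner != key_type.encode():
        raise ValueError("declared type does not match encoded key type")
    return key_type, comment


def pubkeys_to_ldif(pubfile_text, uid, base_dn=ASSUMED_BASE_DN):
    """One sshPublicKey attribute value per validated key, as LDIF."""
    values = [l.strip() for l in pubfile_text.splitlines() if l.strip()]
    if not values:
        raise ValueError("no public keys found")
    for v in values:
        parse_pubkey_line(v)  # reject malformed lines before touching LDAP
    record = ["dn: uid=%s,%s" % (uid, base_dn), "changetype: modify",
              "add: sshPublicKey"]
    record += ["sshPublicKey: %s" % v for v in values]
    return "\n".join(record) + "\n"
```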

</body>
</section>
<section>
<title>Using keychain</title>
<body>

<p>
Every time you want to log on to a remote host using SSH public key
authentication, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily, there is
<c>keychain</c> to the rescue. There is a document on this one <uri
link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
introduction.
</p>

<p>
First, install <c>keychain</c>:
</p>

<pre caption="Installing keychain">
# <i>emerge keychain</i>
</pre>

<p>
Now have keychain load up your private SSH key when you log on to your local
box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
should be done on your <e>local</e> machine, the one from which you work on the
Gentoo CVS.
</p>

<warn>
<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
</warn>

<pre caption="Add this to .bash_profile">
keychain ~/.ssh/id_dsa
. ~/.keychain/<comment>hostname</comment>-sh
</pre>

<p>
Be sure to substitute <c>hostname</c> with your hostname.
</p>

</body>
</section>
</chapter>
</guide>
