en/infrastructure/cvs-sshkeys.xml

<?xml version='1.0' encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide>
<title>SSH access to cvs.gentoo.org</title>

<author title="Author">
  <mail link="swift"/>
</author>
<author title="Author">
  <mail link="robbat2"/>
</author>
<author title="Author">
  <mail link="antarus"/>
</author>
<author title="Editor">
  <mail link="nightmorph"/>
</author>

<abstract>
This mini-guide explains on how to create and use ssh-keys, especially
for use on cvs.gentoo.org.
</abstract>

<version>1.4</version>
<date>2012-05-28</date>

<chapter>
<title>SSH keys</title>
<section>
<title>Key Handling</title>
<body>
<p>
Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
handling these keys is vital to keeping our machines safe. Please try to
follow these guidelines:
</p>

<ul>
  <li>Place your private keys <b>only</b> on machines you trust. This means only you have root
    on these machines and they are not shared with other users.
  </li>
  <li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
    on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
    through Gentoo managed machines if they are configured to allow users to
    agent forward (more on forwarding later.)
  </li>
  <li>Encrypt your keys with a strong passphrase. If you have trouble making
    a passphrase try emerge pwgen; pwgen -sB 25
  </li>
  <li>Do not access Gentoo infrastructure from untrusted machines such as business
    kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
    are infected with malware.</li>
  <li>If you believe your keys were compromised, contact infrastructure immediately.
    You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
  </li>
  <li>Official hostkey fingerprints for Gentoo Infrastructure servers are
    available on the <uri link="/proj/en/infrastructure/server-specs"> server
    specifications </uri> page.
  </li>
</ul>
</body>
</section>
<section>
<title>Creating the SSH keys</title>
<body>

<p>
First of all, be physically logged on to your own computer. Make sure
that no-one will see you typing stuff in, since we are going to type in
passphrases and such. So get your pepperspray and fight all untrusted
entities until you are home alone.
</p>

<p>
Now we are going to create our ssh keys, RSA keys to be exact. The key should
be at least 2048 bits in length, but 4096 bits is recommended. Log onto
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue <c>ssh-keygen -t rsa -b 4096</c>:
</p>

<pre caption="Creating SSH keys">
$ <i>ssh-keygen -t rsa -b 4096</i>
Generating public/private rsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_rsa): <comment>(Press enter)</comment>
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
Your identification has been saved in /home/temp/.ssh/id_rsa.
Your public key has been saved in /home/temp/.ssh/id_rsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 user@examplehost <comment>This is the fingerprint of your new key</comment>
</pre>

<note>
Please be sure to set a strong passphrase on your private key.  Ideally,
this passphrase should be at least eight characters and contain a mixture of
letters, numbers and symbols.
</note>

<warn>
Do not set an empty passphrase on your ssh key. If infra finds out this is the
case; your account will be suspended.
</warn>

<pre caption="Created files">
# <i>ls ~/.ssh</i>
id_rsa  id_rsa.pub
</pre>

<p>
You may have more files than this, but the two files listed above
are the ones that are really important.
</p>

<p>
The first file, <path>id_rsa</path>, is your <e>private</e> key. Don't
give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
will never ask you for a copy of your private key.
</p>

<warn>
Be very careful which machines you put your private key on. If you have
several (<e>trusted!</e>) hosts from which you want to connect to 
cvs.gentoo.org, you should copy <path>id_rsa</path> to the
<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
that only you have root on; these machines are not shared with other users.
</warn>

<p>
The second file, <path>id_rsa.pub</path>, is your <e>public</e> key.
Distribute this file amongst all hosts that you want to be able to
access through SSH pubkey authentification. This file should be appended
to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
</p>

<pre caption="Adding the SSH key to the box">
$ <i>cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys</i>
</pre>

</body>
</section>
<section>
<title>
  Installing your public key on a machine using LDAP authentication for SSH
</title>
<body>

<note>
If you are a new developer, your recruiter will put your first SSH key into
LDAP, so that you can login. You can then add any additional SSH keys yourself
using the following procedure.
</note>

<note>
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
<path>~/.ssh/authorized_keys</path> should generally not contain your key.
</note>

<p>
You should place your public key into LDAP, using
<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
guide</uri> describes this in more detail.
</p>

<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_rsa.pub)" &lt;username&gt;</i>
</pre>

<warn>
Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
</warn>

</body>
</section>
<section>
<title>Using keychain</title>
<body>

<p>
Every time you want to log on to a remote host using SSH public key
authentification, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily, there is
<c>keychain</c> to the rescue. There is an document on this one <uri
link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
introduction.
</p>

<p>
First, install <c>keychain</c>:
</p>

<pre caption="Installing keychain">
# <i>emerge keychain</i>
</pre>

<p>
Now have keychain load up your private ssh key when you log on to your local
box. To do so, add the following to <path>~/.bash_profile</path>.  Again, this
should be done on your <e>local</e> machine where you work at the Gentoo CVS.
</p>

<warn>
<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
</warn>

<pre caption="Add this to .bash_profile">
keychain ~/.ssh/id_rsa
. .keychain/<comment>hostname</comment>-sh
</pre>

<p>
Be sure to substitute <c>hostname</c> with your hostname.
</p>

</body>
</section>
</chapter>
</guide>
1	<?xml version='1.0' encoding="UTF-8"?>
2	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
3	<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4
5	<guide>
6	<title>SSH access to cvs.gentoo.org</title>
7
8	<author title="Author">
9	<mail link="swift"/>
10	</author>
11	<author title="Author">
12	<mail link="robbat2"/>
13	</author>
14	<author title="Author">
15	<mail link="antarus"/>
16	</author>
17	<author title="Editor">
18	<mail link="nightmorph"/>
19	</author>
20
21	<abstract>
22	This mini-guide explains on how to create and use ssh-keys, especially
23	for use on cvs.gentoo.org.
24	</abstract>
25
26	<version>1.4</version>
27	<date>2012-05-28</date>
28
29	<chapter>
30	<title>SSH keys</title>
31	<section>
32	<title>Key Handling</title>
33	<body>
34	<p>
35	Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
36	handling these keys is vital to keeping our machines safe. Please try to
37	follow these guidelines:
38	</p>
39
40	<ul>
41	<li>Place your private keys <b>only</b> on machines you trust. This means only you have root
42	on these machines and they are not shared with other users.
43	</li>
44	<li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
45	on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
46	through Gentoo managed machines if they are configured to allow users to
47	agent forward (more on forwarding later.)
48	</li>
49	<li>Encrypt your keys with a strong passphrase. If you have trouble making
50	a passphrase try emerge pwgen; pwgen -sB 25
51	</li>
52	<li>Do not access Gentoo infrastructure from untrusted machines such as business
53	kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
54	are infected with malware.</li>
55	<li>If you believe your keys were compromised, contact infrastructure immediately.
56	You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
57	</li>
58	<li>Official hostkey fingerprints for Gentoo Infrastructure servers are
59	available on the <uri link="/proj/en/infrastructure/server-specs"> server
60	specifications </uri> page.
61	</li>
62	</ul>
63	</body>
64	</section>
65	<section>
66	<title>Creating the SSH keys</title>
67	<body>
68
69	<p>
70	First of all, be physically logged on to your own computer. Make sure
71	that no-one will see you typing stuff in, since we are going to type in
72	passphrases and such. So get your pepperspray and fight all untrusted
73	entities until you are home alone.
74	</p>
75
76	<p>
77	Now we are going to create our ssh keys, RSA keys to be exact. The key should
78	be at least 2048 bits in length, but 4096 bits is recommended. Log onto
79	your computer as the user that you are going to be using when you want
80	to access cvs.gentoo.org. Then issue <c>ssh-keygen -t rsa -b 4096</c>:
81	</p>
82
83	<pre caption="Creating SSH keys">
84	$ <i>ssh-keygen -t rsa -b 4096</i>
85	Generating public/private rsa key pair.
86	Enter file in which to save the key (/home/temp/.ssh/id_rsa): <comment>(Press enter)</comment>
87	Created directory '/home/temp/.ssh'.
88	Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
89	Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
90	Your identification has been saved in /home/temp/.ssh/id_rsa.
91	Your public key has been saved in /home/temp/.ssh/id_rsa.pub.
92	The key fingerprint is:
93	85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 user@examplehost <comment>This is the fingerprint of your new key</comment>
94	</pre>
95
96	<note>
97	Please be sure to set a strong passphrase on your private key. Ideally,
98	this passphrase should be at least eight characters and contain a mixture of
99	letters, numbers and symbols.
100	</note>
101
102	<warn>
103	Do not set an empty passphrase on your ssh key. If infra finds out this is the
104	case; your account will be suspended.
105	</warn>
106
107	<pre caption="Created files">
108	# <i>ls ~/.ssh</i>
109	id_rsa id_rsa.pub
110	</pre>
111
112	<p>
113	You may have more files than this, but the two files listed above
114	are the ones that are really important.
115	</p>
116
117	<p>
118	The first file, <path>id_rsa</path>, is your <e>private</e> key. Don't
119	give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
120	will never ask you for a copy of your private key.
121	</p>
122
123	<warn>
124	Be very careful which machines you put your private key on. If you have
125	several (<e>trusted!</e>) hosts from which you want to connect to
126	cvs.gentoo.org, you should copy <path>id_rsa</path> to the
127	<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
128	that only you have root on; these machines are not shared with other users.
129	</warn>
130
131	<p>
132	The second file, <path>id_rsa.pub</path>, is your <e>public</e> key.
133	Distribute this file amongst all hosts that you want to be able to
134	access through SSH pubkey authentification. This file should be appended
135	to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
136	to your local host so you can connect to that one too if you have several
137	boxes.
138	</p>
139
140	<pre caption="Adding the SSH key to the box">
141	$ <i>cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys</i>
142	</pre>
143
144	</body>
145	</section>
146	<section>
147	<title>
148	Installing your public key on a machine using LDAP authentication for SSH
149	</title>
150	<body>
151
152	<note>
153	If you are a new developer, your recruiter will put your first SSH key into
154	LDAP, so that you can login. You can then add any additional SSH keys yourself
155	using the following procedure.
156	</note>
157
158	<note>
159	For most of the Gentoo infrastructure, we use LDAP to distribute user
160	information including SSH public keys. On these machines,
161	<path>~/.ssh/authorized_keys</path> should generally not contain your key.
162	</note>
163
164	<p>
165	You should place your public key into LDAP, using
166	<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
167	The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
168	guide</uri> describes this in more detail.
169	</p>
170
171	<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
172	$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_rsa.pub)" <username></i>
173	</pre>
174
175	<warn>
176	Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
177	</warn>
178
179	</body>
180	</section>
181	<section>
182	<title>Using keychain</title>
183	<body>
184
185	<p>
186	Every time you want to log on to a remote host using SSH public key
187	authentification, you will be asked to enter your passphrase. As much as
188	everybody likes typing, too much is sometimes too much. Luckily, there is
189	<c>keychain</c> to the rescue. There is an document on this one <uri
190	link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
191	introduction.
192	</p>
193
194	<p>
195	First, install <c>keychain</c>:
196	</p>
197
198	<pre caption="Installing keychain">
199	# <i>emerge keychain</i>
200	</pre>
201
202	<p>
203	Now have keychain load up your private ssh key when you log on to your local
204	box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
205	should be done on your <e>local</e> machine where you work at the Gentoo CVS.
206	</p>
207
208	<warn>
209	<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
210	</warn>
211
212	<pre caption="Add this to .bash_profile">
213	keychain ~/.ssh/id_rsa
214	. .keychain/<comment>hostname</comment>-sh
215	</pre>
216
217	<p>
218	Be sure to substitute <c>hostname</c> with your hostname.
219	</p>
220
221	</body>
222	</section>
223	</chapter>
224	</guide>