/[gentoo]/xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml
Gentoo

Diff of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml


Revision 1.6 Revision 1.7
8<author title="Author"> 8<author title="Author">
9 <mail link="swift"/> 9 <mail link="swift"/>
10</author> 10</author>
11<author title="Author"> 11<author title="Author">
12 <mail link="robbat2"/> 12 <mail link="robbat2"/>
13</author>
14<author title="Author">
15 <mail link="antarus"/>
13</author> 16</author>
14<author title="Editor"> 17<author title="Editor">
15 <mail link="nightmorph"/> 18 <mail link="nightmorph"/>
16</author> 19</author>
17 20
18<abstract> 21<abstract>
19This mini-guide explains on how to create and use ssh-keys, especially 22This mini-guide explains on how to create and use ssh-keys, especially
20for use on cvs.gentoo.org. 23for use on cvs.gentoo.org.
21</abstract> 24</abstract>
22 25
23<version>1.2</version> 26<version>1.3</version>
24<date>2010-04-26</date> 27<date>2011-10-14</date>
25 28
26<chapter> 29<chapter>
27<title>SSH keys</title> 30<title>SSH keys</title>
31<section>
32<title>Key Handling</title>
33<body>
34<p>
35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
36handling these keys is vital to keeping our machines safe. Please try to
37follow these guidelines.
38</p>
39
40<ul>
41 <li>Place your keys <b>only</b> on machines you trust. This means only you have root
42 on these machines and they are not shared with other users.
43 </li>
44 <li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
45 on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
46 through Gentoo managed machines if they are configured to allow users to
47 agent forward (more on forwarding later.)
48 </li>
49 <li>Encrypt your keys with a strong passphrase. If you have trouble making
50 a passphrase try emerge pwgen; pwgen -sB 25
51 </li>
52 <li>Do not access Gentoo infrastructure from untrusted machines such as business
53 kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
54 are infected with malware.</li>
55 <li>If you believe your keys were compromised, contact infrastructure immediately.
56 You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
57 </li>
58</ul>
59</body>
60</section>
28<section> 61<section>
29<title>Creating the SSH keys</title> 62<title>Creating the SSH keys</title>
30<body> 63<body>
31 64
32<p> 65<p>
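Review bot: the passphrase advice at new lines 49-50 runs two shell commands (`emerge pwgen; pwgen -sB 25`) into the sentence with no code markup, while every other command in this guide sits in a `<pre caption="...">` block; put the two commands in their own `<pre>` (or a code element) so the semicolon is not read as prose punctuation. In the same list, new lines 46-47 put the sentence period inside the parentheses in "(like dev.gentoo.org.)" and "(more on forwarding later.)"; move it outside in both places.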
5585:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra 8885:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
56</pre> 89</pre>
57 90
58<note> 91<note>
59Please be sure to set a strong passphrase on your private key. Ideally, 92Please be sure to set a strong passphrase on your private key. Ideally,
60this passphrase should be at least 8 characters and contain a mixture of 93this passphrase should be at least eight characters and contain a mixture of
61letters, numbers and symbols. 94letters, numbers and symbols.
62</note> 95</note>
63 96
64<p> 97<warn>
65Now wasn't that easy? Let's see what we have created: 98Do not set an empty passphrase on your ssh key. If infra finds out this is the
66</p> 99case; your account will be suspended.
100</warn>
67 101
68<pre caption="Created files"> 102<pre caption="Created files">
69# <i>ls ~/.ssh</i> 103# <i>ls ~/.ssh</i>
70id_dsa id_dsa.pub 104id_dsa id_dsa.pub
71</pre> 105</pre>
72 106
73<p> 107<p>
74You'll probably have more files than this, but the 2 files listed above 108You may have more files than this, but the two files listed above
75are the ones that are really important. 109are the ones that are really important.
76</p> 110</p>
77 111
78<p> 112<p>
79The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't 113The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
80distribute this amongst all people unless you want to get into a fight 114give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
81with drobbins (no, you don't want that). 115will never ask you for a copy of your private key.
82</p> 116</p>
83 117
84<warn> 118<warn>
119Be very careful which machines you put your private key on. If you have
85If you have several (<e>trusted!</e>) hosts from which you want to 120several (<e>trusted!</e>) hosts from which you want to connect to
86connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the 121cvs.gentoo.org, you should copy <path>id_dsa</path> to the
87<path>~/.ssh</path> directories on those hosts. 122<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
123that only you have root on; these machines are not shared with other users.
88</warn> 124</warn>
89 125
90<p> 126<p>
91The second file, <path>id_dsa.pub</path>, is your <e>public</e> key. 127The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
92Distribute this file amongst all hosts that you want to be able to 128Distribute this file amongst all hosts that you want to be able to
112If you are a new developer, your recruiter will put your first SSH key into 148If you are a new developer, your recruiter will put your first SSH key into
113LDAP, so that you can login. You can then add any additional SSH keys yourself 149LDAP, so that you can login. You can then add any additional SSH keys yourself
114using the following procedure. 150using the following procedure.
115</note> 151</note>
116 152
117<p> 153<note>
118For most of the Gentoo infrastructure, we use LDAP to distribute user 154For most of the Gentoo infrastructure, we use LDAP to distribute user
119information including SSH public keys. On these machines, 155information including SSH public keys. On these machines,
120<path>~/.ssh/authorized_keys</path> should generally not contain your key. 156<path>~/.ssh/authorized_keys</path> should generally not contain your key.
157</note>
158
121</p> 159<p>
122
123<p>
124Instead, you should place your public key into LDAP, using 160You should place your public key into LDAP, using
125<path>perl_ldap</path>, or <path>ldapmodify</path> directly. 161<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
126The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP 162The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
127guide</uri> describes this in more detail. 163guide</uri> describes this in more detail.
128</p> 164</p>
129 165
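Review bot: the new `<warn>` at new lines 97-100 splits its conditional with a semicolon ("If infra finds out this is the case; your account will be suspended."); that should be a comma. More substantively, the `<warn>` at new lines 118-124 still tells the reader to copy `id_dsa`, the private key, onto every trusted host, which sits uneasily beside the new Key Handling guidance that a key belongs only on a machine its owner alone controls. Since the note at new lines 148-150 already says developers can add further public keys to LDAP themselves, suggest recommending one keypair per host instead: a compromise of one host then exposes only that host's key, and revocation is removing a single LDAP entry. The trusted-machine definition at new lines 122-123 also duplicates the one in the new Key Handling list and could simply refer back to it.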
162Now have keychain load up your private ssh key when you log on to your local 198Now have keychain load up your private ssh key when you log on to your local
163box. To do so, add the following to <path>~/.bash_profile</path>. Again, this 199box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
164should be done on your <e>local</e> machine where you work at the Gentoo CVS. 200should be done on your <e>local</e> machine where you work at the Gentoo CVS.
165</p> 201</p>
166 202
203<warn>
204<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
205</warn>
206
167<pre caption="Add this to .bash_profile"> 207<pre caption="Add this to .bash_profile">
168keychain ~/.ssh/id_dsa 208keychain ~/.ssh/id_dsa
169. .keychain/<comment>hostname</comment>-sh 209. .keychain/<comment>hostname</comment>-sh
170</pre> 210</pre>
171 211
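Review bot: the `.bash_profile` snippet at new lines 207-210 sources `.keychain/hostname-sh` by a path relative to the current directory, so it only works when the shell happens to start in the home directory; use the home-relative form (`. ~/.keychain/$HOSTNAME-sh`), which also matches the `~/.ssh/id_dsa` path on the line above. The added `<warn>` at new lines 203-205 would land better with the one-line reason the Key Handling section implies: an agent or decrypted key on a host someone else has root on is usable by that root.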
