
Diff of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml


Revision 1.8 Revision 1.9
21<abstract> 21<abstract>
22This mini-guide explains on how to create and use ssh-keys, especially 22This mini-guide explains on how to create and use ssh-keys, especially
23for use on cvs.gentoo.org. 23for use on cvs.gentoo.org.
24</abstract> 24</abstract>
25 25
26<version>1.3</version> 26<version>1.4</version>
27<date>2011-10-14</date> 27<date>2012-05-28</date>
28 28
29<chapter> 29<chapter>
30<title>SSH keys</title> 30<title>SSH keys</title>
31<section> 31<section>
32<title>Key Handling</title> 32<title>Key Handling</title>
33<body> 33<body>
34<p> 34<p>
35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly 35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
36handling these keys is vital to keeping our machines safe. Please try to 36handling these keys is vital to keeping our machines safe. Please try to
37follow these guidelines. 37follow these guidelines:
38</p> 38</p>
39 39
40<ul> 40<ul>
41 <li>Place your private keys <b>only</b> on machines you trust. This means only you have root 41 <li>Place your private keys <b>only</b> on machines you trust. This means only you have root
42 on these machines and they are not shared with other users. 42 on these machines and they are not shared with other users.
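Review bot: The abstract at line 22 still reads "explains on how to create and use ssh-keys", which is ungrammatical and is left untouched by this revision even though the version and date are being bumped (1.3 to 1.4, 2012-05-28); suggest "This mini-guide explains how to create and use SSH keys, especially for use on cvs.gentoo.org." The colon added after "guidelines" at line 37 is correct, since a list follows.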
72passphrases and such. So get your pepperspray and fight all untrusted 72passphrases and such. So get your pepperspray and fight all untrusted
73entities until you are home alone. 73entities until you are home alone.
74</p> 74</p>
75 75
76<p> 76<p>
77Now we are going to create our ssh keys, DSA keys to be exact. Log onto 77Now we are going to create our ssh keys, RSA keys to be exact. The key should
78be at least 2048 bits in length, but 4096 bits is recommended. Log onto
78your computer as the user that you are going to be using when you want 79your computer as the user that you are going to be using when you want
79to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>: 80to access cvs.gentoo.org. Then issue <c>ssh-keygen -t rsa -b 4096</c>:
80</p> 81</p>
81 82
82<pre caption="Creating SSH keys"> 83<pre caption="Creating SSH keys">
83$ <i>ssh-keygen -t dsa</i> 84$ <i>ssh-keygen -t rsa -b 4096</i>
84Generating public/private dsa key pair. 85Generating public/private rsa key pair.
85Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment> 86Enter file in which to save the key (/home/temp/.ssh/id_rsa): <comment>(Press enter)</comment>
86Created directory '/home/temp/.ssh'. 87Created directory '/home/temp/.ssh'.
87Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment> 88Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
88Enter same passphrase again: <comment>(Enter your passphrase again)</comment> 89Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
89Your identification has been saved in /home/temp/.ssh/id_dsa. 90Your identification has been saved in /home/temp/.ssh/id_rsa.
90Your public key has been saved in /home/temp/.ssh/id_dsa.pub. 91Your public key has been saved in /home/temp/.ssh/id_rsa.pub.
91The key fingerprint is: 92The key fingerprint is:
9285:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 user@examplehost <comment>This is the fingerprint of your new key</comment> 9385:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 user@examplehost <comment>This is the fingerprint of your new key</comment>
93</pre> 94</pre>
94 95
95<note> 96<note>
103case; your account will be suspended. 104case; your account will be suspended.
104</warn> 105</warn>
105 106
106<pre caption="Created files"> 107<pre caption="Created files">
107# <i>ls ~/.ssh</i> 108# <i>ls ~/.ssh</i>
108id_dsa id_dsa.pub 109id_rsa id_rsa.pub
109</pre> 110</pre>
110 111
111<p> 112<p>
112You may have more files than this, but the two files listed above 113You may have more files than this, but the two files listed above
113are the ones that are really important. 114are the ones that are really important.
114</p> 115</p>
115 116
116<p> 117<p>
117The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't 118The first file, <path>id_rsa</path>, is your <e>private</e> key. Don't
118give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff 119give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
119will never ask you for a copy of your private key. 120will never ask you for a copy of your private key.
120</p> 121</p>
121 122
122<warn> 123<warn>
123Be very careful which machines you put your private key on. If you have 124Be very careful which machines you put your private key on. If you have
124several (<e>trusted!</e>) hosts from which you want to connect to 125several (<e>trusted!</e>) hosts from which you want to connect to
125cvs.gentoo.org, you should copy <path>id_dsa</path> to the 126cvs.gentoo.org, you should copy <path>id_rsa</path> to the
126<path>~/.ssh</path> directories on those hosts. Trusted machines are machines 127<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
127that only you have root on; these machines are not shared with other users. 128that only you have root on; these machines are not shared with other users.
128</warn> 129</warn>
129 130
130<p> 131<p>
131The second file, <path>id_dsa.pub</path>, is your <e>public</e> key. 132The second file, <path>id_rsa.pub</path>, is your <e>public</e> key.
132Distribute this file amongst all hosts that you want to be able to 133Distribute this file amongst all hosts that you want to be able to
133access through SSH pubkey authentification. This file should be appended 134access through SSH pubkey authentification. This file should be appended
134to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it 135to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
135to your local host so you can connect to that one too if you have several 136to your local host so you can connect to that one too if you have several
136boxes. 137boxes.
137</p> 138</p>
138 139
139<pre caption="Adding the SSH key to the box"> 140<pre caption="Adding the SSH key to the box">
140$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i> 141$ <i>cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys</i>
141</pre> 142</pre>
142 143
143</body> 144</body>
144</section> 145</section>
145<section> 146<section>
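Review bot: The "ls ~/.ssh" example at line 108 uses a root prompt ("#") while every other command in this hunk uses the user prompt ("$"), which contradicts the instruction to generate the key as the user who will later access cvs.gentoo.org; suggest "$ ls ~/.ssh". Two smaller points: "pubkey authentification" at line 134 should read "authentication", and the fingerprint at line 93 is carried over unchanged from the DSA example, so its trailing comment could state that it is only an illustrative value. The prose ("at least 2048 bits, 4096 recommended") and the command ("ssh-keygen -t rsa -b 4096") agree with each other.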
166The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP 167The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
167guide</uri> describes this in more detail. 168guide</uri> describes this in more detail.
168</p> 169</p>
169 170
170<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org"> 171<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
171$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i> 172$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_rsa.pub)" &lt;username&gt;</i>
172</pre> 173</pre>
173 174
174<warn> 175<warn>
175Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes! 176Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
176</warn> 177</warn>
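Review bot: The warning at line 176 is a single unwrapped line while the rest of the document wraps at roughly 80 columns; suggest wrapping it to match. Also, "sshPublicKey" is an LDAP attribute, not a file, so the "<c>" element the page uses for command text fits better than "<path>" here.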
207<warn> 208<warn>
208<b>NEVER</b> run keychain or decrypt your private key on an untrusted host. 209<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
209</warn> 210</warn>
210 211
211<pre caption="Add this to .bash_profile"> 212<pre caption="Add this to .bash_profile">
212keychain ~/.ssh/id_dsa 213keychain ~/.ssh/id_rsa
213. .keychain/<comment>hostname</comment>-sh 214. .keychain/<comment>hostname</comment>-sh
214</pre> 215</pre>
215 216
216<p> 217<p>
217Be sure to substitute <c>hostname</c> with your hostname. 218Be sure to substitute <c>hostname</c> with your hostname.
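Review bot: The source line ". .keychain/hostname-sh" at line 214 uses a path relative to the current directory, so it only works when .bash_profile is read with the home directory as the working directory; suggest ". ~/.keychain/hostname-sh", matching the "~/.ssh/id_rsa" form used on the line above. The id_dsa to id_rsa change itself is consistent with the rest of the revision.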

Powered by ViewVC 1.1.20