Contents of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml


Revision 1.5
Fri May 23 02:48:37 2008 UTC (9 years, 5 months ago) by robbat2
Branch: MAIN
Changes since 1.4: +3 -0 lines
File MIME type: application/xml
Add note about SSH keys being added by recruiters per bug 220685

<?xml version='1.0' encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
<guide link = "/proj/en/infrastructure/cvs-sshkeys.xml">
<title>SSH access to cvs.gentoo.org</title>
<author title="Author">
<mail link="swift@gentoo.org">Sven Vermeulen</mail>
</author>
<author title="Author">
<mail link="robbat2@gentoo.org">Robin H. Johnson</mail>
</author>
<abstract>
This mini-guide explains how to create and use SSH keys, especially
for use on cvs.gentoo.org.
</abstract>
<version>1.1</version>
<date>2007/12/24</date>

<chapter>
<title>SSH keys</title>
<section>
<title>Creating the SSH keys</title>
<body>
<p>
First of all, be physically logged on to your own computer. Make sure
that no one can see you typing, since we are going to type in
passphrases and such. So get your pepper spray and fight all untrusted
entities until you are home alone.
</p>
<p>
Now we are going to create our SSH keys, DSA keys to be exact. Log onto
your computer as the user that you will use to access cvs.gentoo.org.
Then issue <c>ssh-keygen -t dsa</c>:
</p>
<pre caption = "Creating SSH keys">
$ <i>ssh-keygen -t dsa</i>
Generating public/private dsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
Your identification has been saved in /home/temp/.ssh/id_dsa.
Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
</pre>
<note>
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least 8 characters and contain a mixture of
letters, numbers and symbols.
</note>
<p>
Now wasn't that easy? Let's see what we have created:
</p>
<pre caption = "Created files">
$ <i>ls ~/.ssh</i>
id_dsa id_dsa.pub
</pre>
<p>
You'll probably have more files than this, but the two files listed above
are the ones that are really important.
</p>
<p>
The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
distribute this to anyone unless you want to get into a fight
with drobbins (no, you don't want that).
</p>
<warn>
If you have several (<e>trusted!</e>) hosts from which you want to
connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the
<path>~/.ssh</path> directories on those hosts.
</warn>
<p>
The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
Distribute this file to all hosts that you want to be able to
access through SSH public key authentication. It should be appended
to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
</p>
<pre caption = "Adding the SSH key to the box">
$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
</pre>
</body>
</section>
<section>
<title>Installing your public key on a machine using LDAP authentication for SSH</title>
<body>
<note>If you are a new developer, your recruiter will put your first SSH key
into LDAP, so that you can log in. You can then add any additional SSH keys
yourself using the following procedure.</note>
<p>
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
<path>~/.ssh/authorized_keys</path> should generally not contain your key.
</p>
<p>
Instead, you should place your public key into LDAP, using
<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
guide</uri> describes this in more detail.
</p>
<pre caption = "Adding the SSH key with perl_ldap on dev.gentoo.org">
$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
</pre>
<warn>Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!</warn>
</body>
</section>
<section>
<title>Using keychain</title>
<body>
<p>
Every time you want to log on to a remote host using SSH public key
authentication, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily,
there is <c>keychain</c> to the rescue. There is a document about it
<uri link="/proj/en/keychain.xml">here</uri>,
but I'll give you a quick introduction.
</p>
<p>
First, install <c>keychain</c>:
</p>
<pre caption = "Installing keychain">
# <i>emerge keychain</i>
</pre>
<p>
Now have keychain load up your private SSH key when you log on to your
local box. To do so, add the following to <path>~/.bash_profile</path>.
Again, this should be done on your <e>local</e> machine where you work
with the Gentoo CVS.
</p>
<pre caption = "Add this to .bash_profile">
keychain ~/.ssh/id_dsa
. ~/.keychain/<comment>hostname</comment>-sh
</pre>
<p>
Be sure to substitute <c>hostname</c> with your hostname.
</p>
</body>
</section>
</chapter>
</guide>
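
The one-key-per-attribute rule from the LDAP section, as an added example (not part of the original guide or of Gentoo's tooling): a shell function that turns a file holding several public keys into an LDIF record with one sshPublicKey value per key, so the result can be reviewed before it is given to ldapmodify. The function name, the DN and the sample keys are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: build an LDIF "modify" record with ONE sshPublicKey value
# per public key. Lines that are not bare public keys (for instance
# authorized_keys entries with options in front) are rejected.

pubkeys_to_ldif() {   # usage: pubkeys_to_ldif <dn> <file-with-public-keys>
    DN=$1 awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim, tolerate CRLF
        /^$/ || /^#/ { next }                          # skip blanks and comments
        # A bare public key line is: <type> <base64-blob> [comment]
        $1 !~ /^(ssh|ecdsa|sk)-/ || $2 !~ "^[A-Za-z0-9+/]+=*$" {
            printf "line %d: not a bare public key\n", NR > "/dev/stderr"
            bad = 1; exit
        }
        { keys[++n] = $0 }
        END {
            if (bad || n == 0) exit 1      # emit nothing on bad or empty input
            print "dn: " ENVIRON["DN"]
            print "changetype: modify"
            print "add: sshPublicKey"
            for (i = 1; i <= n; i++) print "sshPublicKey: " keys[i]
            print "-"
        }
    ' "$2"
}

# Constructed sample input: two keys in one file. The blobs are fake and the
# DN is a placeholder; take the real DN from the LDAP guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEONE temp@Niandra
# workstation
ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLETWO temp@workstation
EOF
pubkeys_to_ldif "uid=USERNAME,ou=placeholder,dc=example,dc=org" "$sample"
rm -f "$sample"
```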
