/[gentoo]/xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml

Revision 1.7
Fri Oct 14 07:56:34 2011 UTC by antarus
Branch: MAIN
Changes since 1.6: +55 -15 lines
File MIME type: application/xml
Try to be a bit more firm on key handling instructions. Frown on trusting dev.gentoo.org. Note that empty passphrases for ssh keys are a very bad offense.

<?xml version='1.0' encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide>
<title>SSH access to cvs.gentoo.org</title>

<author title="Author">
<mail link="swift"/>
</author>
<author title="Author">
<mail link="robbat2"/>
</author>
<author title="Author">
<mail link="antarus"/>
</author>
<author title="Editor">
<mail link="nightmorph"/>
</author>

<abstract>
This mini-guide explains how to create and use SSH keys, especially
for use on cvs.gentoo.org.
</abstract>

<version>1.3</version>
<date>2011-10-14</date>

<chapter>
<title>SSH keys</title>
<section>
<title>Key Handling</title>
<body>
<p>
Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
handling these keys is vital to keeping our machines safe. Please try to
follow these guidelines.
</p>

<ul>
<li>Place your keys <b>only</b> on machines you trust. This means only you have root
on these machines and they are not shared with other users.
</li>
<li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
on Gentoo machines (like dev.gentoo.org). You may forward your SSH agent
through Gentoo-managed machines if they are configured to allow agent
forwarding (more on forwarding later).
</li>
<li>Encrypt your keys with a strong passphrase. If you have trouble making
up a passphrase, try <c>emerge pwgen; pwgen -sB 25</c>.
</li>
<li>Do not access Gentoo infrastructure from untrusted machines such as business
kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
are infected with malware.</li>
<li>If you believe your keys were compromised, contact infrastructure immediately.
You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
</li>
</ul>
</body>
</section>
<section>
<title>Creating the SSH keys</title>
<body>

<p>
First of all, be physically logged on to your own computer. Make sure
that no one will see you typing, since we are going to type in
passphrases and such. So get your pepper spray and fight all untrusted
entities until you are home alone.
</p>

<p>
Now we are going to create our SSH keys, DSA keys to be exact. Log onto
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
</p>

<pre caption="Creating SSH keys">
$ <i>ssh-keygen -t dsa</i>
Generating public/private dsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
Your identification has been saved in /home/temp/.ssh/id_dsa.
Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
</pre>

<note>
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least eight characters and contain a mixture of
letters, numbers and symbols.
</note>

<warn>
Do not set an empty passphrase on your ssh key. If infra finds out this is the
case, your account will be suspended.
</warn>
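The Key Handling bullet on passphrases and the warning above both forbid a private key without one. As an added example, not code from the Gentoo guide or from Gentoo infrastructure, here is a POSIX shell check that reports whether a private key file is passphrase-protected using only coreutils; it covers the PEM layout that <c>ssh-keygen -t dsa</c> wrote when this guide was current and, going beyond the guide, the newer OpenSSH key container. The function names and the directory argument of <c>audit_ssh_dir</c> are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: detect private keys that
# carry no passphrase, using only coreutils (no ssh-keygen needed).
# Returns 0 = encrypted, 1 = unencrypted, 2 = not a recognised private key.
ssh_key_encryption() {
    keyfile=$1
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$keyfile"; then
        # Newer container (assumption: layout as in OpenSSH's PROTOCOL.key):
        # base64 payload = "openssh-key-v1\0", then a length-prefixed
        # cipher name. Turning every byte outside the name alphabet into a
        # newline makes the cipher the second non-empty token; "none"
        # means the key was saved without a passphrase.
        cipher=$(sed '/^-----/d' "$keyfile" | base64 -d 2>/dev/null \
            | head -c 64 | tr -c 'a-z0-9@.-' '\n' | sed -n '/./p' | sed -n '2p')
        [ "$cipher" = none ] && return 1
        [ -n "$cipher" ] && return 0
        return 2
    fi
    if grep -q '^-----BEGIN .* PRIVATE KEY-----' "$keyfile"; then
        # Classic PEM layout (what ssh-keygen -t dsa wrote in 2011): an
        # encrypted key carries a "Proc-Type: 4,ENCRYPTED" header.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile" && return 0
        return 1
    fi
    return 2
}

# Audit a ~/.ssh-style directory: print every unencrypted private key and
# return 1 if any was found, so the check can run from cron or a login hook.
audit_ssh_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac   # public keys are not secret
        rc=0
        ssh_key_encryption "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "UNENCRYPTED private key: $f"
            found=1
        fi
    done
    return $found
}
```

Files that are not private keys at all (<path>known_hosts</path>, <path>config</path>) return 2 and are ignored by the audit, so it can be pointed at a whole <path>~/.ssh</path> directory.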

<pre caption="Created files">
# <i>ls ~/.ssh</i>
id_dsa id_dsa.pub
</pre>

<p>
You may have more files than this, but the two files listed above
are the ones that are really important.
</p>

<p>
The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
will never ask you for a copy of your private key.
</p>

<warn>
Be very careful which machines you put your private key on. If you have
several (<e>trusted!</e>) hosts from which you want to connect to
cvs.gentoo.org, you should copy <path>id_dsa</path> to the
<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
that only you have root on; these machines are not shared with other users.
</warn>

<p>
The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
Distribute this file amongst all hosts that you want to be able to
access through SSH public key authentication. This file should be appended
to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
</p>

<pre caption="Adding the SSH key to the box">
$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
</pre>

</body>
</section>
<section>
<title>
Installing your public key on a machine using LDAP authentication for SSH
</title>
<body>

<note>
If you are a new developer, your recruiter will put your first SSH key into
LDAP so that you can log in. You can then add any additional SSH keys yourself
using the following procedure.
</note>

<note>
For most of the Gentoo infrastructure, we use LDAP to distribute user
information, including SSH public keys. On these machines,
<path>~/.ssh/authorized_keys</path> should generally not contain your key.
</note>

<p>
You should place your public key into LDAP, using
<path>perl_ldap</path> or <path>ldapmodify</path> directly.
The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
guide</uri> describes this in more detail.
</p>

<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
</pre>

<warn>
Each <path>sshPublicKey</path> attribute must contain exactly one public key.
If you have multiple public keys, you must have multiple attributes!
</warn>
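When you use <c>ldapmodify</c> directly, the warning above means one <path>sshPublicKey</path> value per key. The following is an added example, not code from the Gentoo guide or its LDAP tooling: it generates the LDIF for several keys and refuses any file that does not hold exactly one key. The DN base <c>ou=devs,dc=example,dc=org</c> and the helper names are placeholders; take the real base from the Infrastructure LDAP guide.

```shell
#!/bin/sh
# Added example, not from the Gentoo guide: emit an ldapmodify LDIF that
# stores each public key as its own sshPublicKey value, never two keys in
# one attribute value. LDAP_USER_BASE is a placeholder assumption.
LDAP_USER_BASE=${LDAP_USER_BASE:-ou=devs,dc=example,dc=org}

# One public key line: must start with an OpenSSH key type and a space.
valid_pubkey_line() {
    case $1 in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) return 0 ;;
    esac
    return 1
}

# Usage: ldif_add_ssh_keys <username> <pubkey file>...
# Prints the LDIF on stdout; returns 1 before printing anything if a file
# is not exactly one valid public key.
ldif_add_ssh_keys() {
    user=$1; shift
    [ $# -ge 1 ] || { echo "no public key files given" >&2; return 1; }
    # Check every file first, so a bad one never leaves a half-written LDIF.
    # A file holding two keys would otherwise be pasted into a single
    # attribute value, which is exactly what the guide's warning forbids.
    for pub in "$@"; do
        [ "$(awk 'END { print NR }' "$pub")" -eq 1 ] \
            || { echo "$pub: expected exactly one key line" >&2; return 1; }
        valid_pubkey_line "$(cat "$pub")" \
            || { echo "$pub: not an OpenSSH public key" >&2; return 1; }
    done
    printf 'dn: uid=%s,%s\nchangetype: modify\nadd: sshPublicKey\n' \
        "$user" "$LDAP_USER_BASE"
    for pub in "$@"; do
        printf 'sshPublicKey: %s\n' "$(cat "$pub")"
    done
}
```

Pipe the output into <c>ldapmodify</c> with your usual bind options; each <c>sshPublicKey:</c> line becomes a separate attribute value.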

</body>
</section>
<section>
<title>Using keychain</title>
<body>

<p>
Every time you want to log on to a remote host using SSH public key
authentication, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily, there is
<c>keychain</c> to the rescue. There is a document on this <uri
link="/doc/en/keychain-guide.xml">here</uri>, but I'll give you a quick
introduction.
</p>

<p>
First, install <c>keychain</c>:
</p>

<pre caption="Installing keychain">
# <i>emerge keychain</i>
</pre>

<p>
Now have keychain load up your private ssh key when you log on to your local
box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
should be done on your <e>local</e> machine where you work on the Gentoo CVS.
</p>

<warn>
<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
</warn>

<pre caption="Add this to .bash_profile">
keychain ~/.ssh/id_dsa
. ~/.keychain/<comment>hostname</comment>-sh
</pre>

<p>
Be sure to substitute <c>hostname</c> with your hostname.
</p>

</body>
</section>
</chapter>
</guide>
