Diff of /xml/htdocs/proj/en/infrastructure/cvs-sshkeys.xml

Revision 1.6 Revision 1.7
1<?xml version='1.0' encoding="UTF-8"?> 1<?xml version='1.0' encoding="UTF-8"?>
2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> 2<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 3<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
4 4
5<guide> 5<guide>
6<title>SSH access to cvs.gentoo.org</title> 6<title>SSH access to cvs.gentoo.org</title>
7 7
8<author title="Author"> 8<author title="Author">
9 <mail link="swift"/> 9 <mail link="swift"/>
10</author> 10</author>
11<author title="Author"> 11<author title="Author">
12 <mail link="robbat2"/> 12 <mail link="robbat2"/>
13</author>
14<author title="Author">
15 <mail link="antarus"/>
13</author> 16</author>
14<author title="Editor"> 17<author title="Editor">
15 <mail link="nightmorph"/> 18 <mail link="nightmorph"/>
16</author> 19</author>
17 20
18<abstract> 21<abstract>
19This mini-guide explains on how to create and use ssh-keys, especially 22This mini-guide explains on how to create and use ssh-keys, especially
20for use on cvs.gentoo.org. 23for use on cvs.gentoo.org.
21</abstract> 24</abstract>
22 25
23<version>1.2</version> 26<version>1.3</version>
24<date>2010-04-26</date> 27<date>2011-10-14</date>
25 28
26<chapter> 29<chapter>
27<title>SSH keys</title> 30<title>SSH keys</title>
31<section>
32<title>Key Handling</title>
33<body>
34<p>
35Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
36handling these keys is vital to keeping our machines safe. Please try to
37follow these guidelines.
38</p>
39
40<ul>
41 <li>Place your keys <b>only</b> on machines you trust. This means only you have root
42 on these machines and they are not shared with other users.
43 </li>
44 <li>Do not trust Gentoo Infrastructure. Do not place copies of your keys
45 on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
46 through Gentoo managed machines if they are configured to allow users to
47 agent forward (more on forwarding later.)
48 </li>
49 <li>Encrypt your keys with a strong passphrase. If you have trouble making
50 a passphrase try emerge pwgen; pwgen -sB 25
51 </li>
52 <li>Do not access Gentoo infrastructure from untrusted machines such as business
53 kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
54 are infected with malware.</li>
55 <li>If you believe your keys were compromised, contact infrastructure immediately.
56 You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
57 </li>
58</ul>
59</body>
60</section>
28<section> 61<section>
29<title>Creating the SSH keys</title> 62<title>Creating the SSH keys</title>
30<body> 63<body>
31 64
32<p> 65<p>
33First of all, be physically logged on to your own computer. Make sure 66First of all, be physically logged on to your own computer. Make sure
34that no-one will see you typing stuff in, since we are going to type in 67that no-one will see you typing stuff in, since we are going to type in
35passphrases and such. So get your pepperspray and fight all untrusted 68passphrases and such. So get your pepperspray and fight all untrusted
36entities until you are home alone. 69entities until you are home alone.
37</p> 70</p>
38 71
39<p> 72<p>
40Now we are going to create our ssh keys, DSA keys to be exact. Log onto 73Now we are going to create our ssh keys, DSA keys to be exact. Log onto
41your computer as the user that you are going to be using when you want 74your computer as the user that you are going to be using when you want
42to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>: 75to access cvs.gentoo.org. Then issue <c>ssh-keygen -t dsa</c>:
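Review bot: the new Key Handling section (new lines 31-60) tightens the rules on passphrases and trusted hosts, but the unchanged instructions at new lines 73-75 still tell the reader to run `ssh-keygen -t dsa`, and OpenSSH only generates 1024-bit DSA keys; since this revision is already rewriting the key-hygiene advice, it is the right moment to recommend an RSA key of at least 2048 bits (`ssh-keygen -t rsa -b 2048`) and rename the `id_dsa` / `id_dsa.pub` references accordingly, or to state why DSA is kept. Two smaller points in the added section: the pwgen suggestion at new line 50 is bare text (`emerge pwgen; pwgen -sB 25`) while every other command in the guide is wrapped in `<c>`, so mark it up as `<c>emerge pwgen; pwgen -sB 25</c>`; and the parenthetical "(more on forwarding later.)" at new line 47 points at a later treatment of agent forwarding that does not appear anywhere in the visible diff, so either confirm the target section exists in the omitted lines or drop the forward reference.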
45<pre caption="Creating SSH keys"> 78<pre caption="Creating SSH keys">
46$ <i>ssh-keygen -t dsa</i> 79$ <i>ssh-keygen -t dsa</i>
47Generating public/private dsa key pair. 80Generating public/private dsa key pair.
48Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment> 81Enter file in which to save the key (/home/temp/.ssh/id_dsa): <comment>(Press enter)</comment>
49Created directory '/home/temp/.ssh'. 82Created directory '/home/temp/.ssh'.
50Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment> 83Enter passphrase (empty for no passphrase): <comment>(Enter your passphrase)</comment>
51Enter same passphrase again: <comment>(Enter your passphrase again)</comment> 84Enter same passphrase again: <comment>(Enter your passphrase again)</comment>
52Your identification has been saved in /home/temp/.ssh/id_dsa. 85Your identification has been saved in /home/temp/.ssh/id_dsa.
53Your public key has been saved in /home/temp/.ssh/id_dsa.pub. 86Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
54The key fingerprint is: 87The key fingerprint is:
5585:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra 8885:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
56</pre> 89</pre>
57 90
58<note> 91<note>
59Please be sure to set a strong passphrase on your private key. Ideally, 92Please be sure to set a strong passphrase on your private key. Ideally,
60this passphrase should be at least 8 characters and contain a mixture of 93this passphrase should be at least eight characters and contain a mixture of
61letters, numbers and symbols. 94letters, numbers and symbols.
62</note> 95</note>
63 96
64<p> 97<warn>
65Now wasn't that easy? Let's see what we have created: 98Do not set an empty passphrase on your ssh key. If infra finds out this is the
66</p> 99case; your account will be suspended.
100</warn>
67 101
68<pre caption="Created files"> 102<pre caption="Created files">
69# <i>ls ~/.ssh</i> 103# <i>ls ~/.ssh</i>
70id_dsa id_dsa.pub 104id_dsa id_dsa.pub
71</pre> 105</pre>
72 106
73<p> 107<p>
74You'll probably have more files than this, but the 2 files listed above 108You may have more files than this, but the two files listed above
75are the ones that are really important. 109are the ones that are really important.
76</p> 110</p>
77 111
78<p> 112<p>
79The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't 113The first file, <path>id_dsa</path>, is your <e>private</e> key. Don't
80distribute this amongst all people unless you want to get into a fight 114give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
81with drobbins (no, you don't want that). 115will never ask you for a copy of your private key.
82</p> 116</p>
83 117
84<warn> 118<warn>
119Be very careful which machines you put your private key on. If you have
85If you have several (<e>trusted!</e>) hosts from which you want to 120several (<e>trusted!</e>) hosts from which you want to connect to
86connect to cvs.gentoo.org, you should copy <path>id_dsa</path> to the 121cvs.gentoo.org, you should copy <path>id_dsa</path> to the
87<path>~/.ssh</path> directories on those hosts. 122<path>~/.ssh</path> directories on those hosts. Trusted machines are machines
123that only you have root on; these machines are not shared with other users.
88</warn> 124</warn>
89 125
90<p> 126<p>
91The second file, <path>id_dsa.pub</path>, is your <e>public</e> key. 127The second file, <path>id_dsa.pub</path>, is your <e>public</e> key.
92Distribute this file amongst all hosts that you want to be able to 128Distribute this file amongst all hosts that you want to be able to
93access through SSH pubkey authentification. This file should be appended 129access through SSH pubkey authentification. This file should be appended
94to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it 130to <path>~/.ssh/authorized_keys</path> on those remote hosts. Also add it
95to your local host so you can connect to that one too if you have several 131to your local host so you can connect to that one too if you have several
96boxes. 132boxes.
97</p> 133</p>
98 134
99<pre caption="Adding the SSH key to the box"> 135<pre caption="Adding the SSH key to the box">
100$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i> 136$ <i>cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys</i>
101</pre> 137</pre>
102 138
103</body> 139</body>
104</section> 140</section>
105<section> 141<section>
106<title> 142<title>
107 Installing your public key on a machine using LDAP authentication for SSH 143 Installing your public key on a machine using LDAP authentication for SSH
108</title> 144</title>
109<body> 145<body>
110 146
111<note> 147<note>
112If you are a new developer, your recruiter will put your first SSH key into 148If you are a new developer, your recruiter will put your first SSH key into
113LDAP, so that you can login. You can then add any additional SSH keys yourself 149LDAP, so that you can login. You can then add any additional SSH keys yourself
114using the following procedure. 150using the following procedure.
115</note> 151</note>
116 152
117<p> 153<note>
118For most of the Gentoo infrastructure, we use LDAP to distribute user 154For most of the Gentoo infrastructure, we use LDAP to distribute user
119information including SSH public keys. On these machines, 155information including SSH public keys. On these machines,
120<path>~/.ssh/authorized_keys</path> should generally not contain your key. 156<path>~/.ssh/authorized_keys</path> should generally not contain your key.
157</note>
158
121</p> 159<p>
122
123<p>
124Instead, you should place your public key into LDAP, using 160You should place your public key into LDAP, using
125<path>perl_ldap</path>, or <path>ldapmodify</path> directly. 161<path>perl_ldap</path>, or <path>ldapmodify</path> directly.
126The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP 162The Infrastructure <uri link="/proj/en/infrastructure/ldap.xml">LDAP
127guide</uri> describes this in more detail. 163guide</uri> describes this in more detail.
128</p> 164</p>
129 165
130<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org"> 166<pre caption="Adding the SSH key with perl_ldap on dev.gentoo.org">
131$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i> 167$ <i>perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" &lt;username&gt;</i>
132</pre> 168</pre>
133 169
134<warn> 170<warn>
135Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes! 171Each <path>sshPublicKey</path> attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
136</warn> 172</warn>
137 173
138</body> 174</body>
139</section> 175</section>
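Review bot: the passphrase guidance is now inconsistent: the note at new line 93 still asks for "at least eight characters", while the new Key Handling section at new line 50 suggests `pwgen -sB 25`; raise the minimum in the note or point it at the pwgen advice so the two sections agree. The new warn at new lines 98-99 has a stray semicolon; "If infra finds out this is the case; your account will be suspended." should read "If infra finds out this is the case, your account will be suspended." The expanded warn at new lines 119-123 still tells readers to copy `id_dsa` to every trusted host, yet the LDAP warn at new line 171 explicitly allows several `sshPublicKey` attributes; suggest generating a separate keypair on each host and adding each public key to LDAP instead, which avoids duplicating any private key and lets one host's key be revoked without touching the others. Minor, in unchanged context: "authentification" at new line 129 should be "authentication", and the `ls ~/.ssh` listing at new line 103 uses a root `#` prompt although the files are in the user's home directory, where the other user-level examples use `$`.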
152 188
153<p> 189<p>
154First, install <c>keychain</c>: 190First, install <c>keychain</c>:
155</p> 191</p>
156 192
157<pre caption="Installing keychain"> 193<pre caption="Installing keychain">
158# <i>emerge keychain</i> 194# <i>emerge keychain</i>
159</pre> 195</pre>
160 196
161<p> 197<p>
162Now have keychain load up your private ssh key when you log on to your local 198Now have keychain load up your private ssh key when you log on to your local
163box. To do so, add the following to <path>~/.bash_profile</path>. Again, this 199box. To do so, add the following to <path>~/.bash_profile</path>. Again, this
164should be done on your <e>local</e> machine where you work at the Gentoo CVS. 200should be done on your <e>local</e> machine where you work at the Gentoo CVS.
165</p> 201</p>
166 202
203<warn>
204<b>NEVER</b> run keychain or decrypt your private key on an untrusted host.
205</warn>
206
167<pre caption="Add this to .bash_profile"> 207<pre caption="Add this to .bash_profile">
168keychain ~/.ssh/id_dsa 208keychain ~/.ssh/id_dsa
169. .keychain/<comment>hostname</comment>-sh 209. .keychain/<comment>hostname</comment>-sh
170</pre> 210</pre>
171 211
172<p> 212<p>
173Be sure to substitute <c>hostname</c> with your hostname. 213Be sure to substitute <c>hostname</c> with your hostname.
174</p> 214</p>
175 215
176</body> 216</body>
177</section> 217</section>
178</chapter> 218</chapter>
179</guide> 219</guide>
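Review bot: the `.bash_profile` snippet at new lines 208-209 sources `.keychain/hostname-sh` by a relative path, which only works because a login shell starts in the home directory; write it as `. ~/.keychain/<comment>hostname</comment>-sh` so the snippet also works when copied into another startup file or run from a different working directory. The new warn at new line 204 repeats the advice already given at new lines 113-115 ("never decrypt it on an untrusted machine"); keeping the reminder is fine, but consider reusing the Key Handling section's definition of a trusted host (only you have root, not shared with other users) here so that "untrusted host" means the same thing in both places.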
