SSH access to cvs.gentoo.org
1. SSH keys
Creating the SSH keys
First of all, be physically logged on to your own computer. Make sure
that no-one will see you typing stuff in, since we are going to type in
passphrases and such. So get your pepperspray and fight all untrusted
entities until you are home alone.
Now we are going to create our ssh keys, DSA keys to be exact. Log onto
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue ssh-keygen -t dsa:
Code Listing 1.1: Creating SSH keys
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_dsa):
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/temp/.ssh/id_dsa.
Your public key has been saved in /home/temp/.ssh/id_dsa.pub.
The key fingerprint is:
85:35:81:a0:87:56:78:a2:da:53:6c:63:32:d1:34:48 temp@Niandra
Note:
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least 8 characters and contain a mixture of
letters, numbers and symbols.
Now wasn't that easy? Let's see what we have created:
Code Listing 1.2: Created files
# ls ~/.ssh
id_dsa id_dsa.pub
You'll probably have more files than this, but the 2 files listed above
are the ones that are really important.
The first file, id_dsa, is your private key. Don't
distribute this amongst all people unless you want to get into a fight
with drobbins (no, you don't want that).
Warning:
If you have several (trusted!) hosts from which you want to
connect to cvs.gentoo.org, you should copy id_dsa to the
~/.ssh directories on those hosts.
The second file, id_dsa.pub, is your public key.
Distribute this file amongst all hosts that you want to be able to
access through SSH pubkey authentication. This file should be appended
to ~/.ssh/authorized_keys on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
boxes.
Code Listing 1.3: Adding the SSH key to the box
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
Installing your public key on a machine using LDAP authentication for SSH
Note: If you are a new developer, your recruiter will put your first SSH key
into LDAP, so that you can login. You can then add any additional SSH keys
yourself using the following procedure.
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
~/.ssh/authorized_keys should generally not contain your key.
Instead, you should place your public key into LDAP, using
perl_ldap, or ldapmodify directly.
The Infrastructure LDAP guide describes this in more detail.
Code Listing 1.4: Adding the SSH key with perl_ldap on dev.gentoo.org
$ perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_dsa.pub)" <username>
Warning: Each sshPublicKey attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
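As an added example (not code from the Gentoo guide or its infrastructure tools), a small POSIX sh check to run on a key file before handing it to perl_ldap: it enforces the one-key-per-attribute rule from the warning above, rejects a private key pasted by mistake, and checks the line has the OpenSSH "type base64 comment" shape. The sample key lines it builds are constructed and are not real key material.

```shell
#!/bin/sh
# Added example, not part of the Gentoo guide: sanity-check a public-key file
# before pushing it into LDAP, because every sshPublicKey attribute must carry
# exactly one key. Exit status 0 means "one well-formed OpenSSH public-key
# line"; 1 means "do not upload this", with the reason printed on stderr.
check_single_pubkey() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 1; }
    # Catch the classic slip of pasting id_dsa instead of id_dsa.pub.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "$f: contains a PRIVATE key, not a public key" >&2; return 1
    fi
    # Exactly one non-blank line; a second key belongs in a second attribute.
    n=$(grep -c '[^[:space:]]' "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: expected 1 key line, found $n" >&2; return 1; }
    # Shape must be "type base64blob [comment]". Every OpenSSH blob starts with
    # AAAA because its first field is a big-endian length (three zero bytes).
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) AAAA[A-Za-z0-9+/]+=*( .*)?$' "$f" \
        || { echo "$f: not an OpenSSH public-key line" >&2; return 1; }
}

# Constructed sample files (not real keys) that exercise the check; returns 0
# when the good file passes and both bad files are rejected.
demo_check_single_pubkey() {
    d=$(mktemp -d) || return 1
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAMconstructedNotRealKey0123 temp@Niandra\n' > "$d/one.pub"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAMx one\nssh-rsa AAAAB3NzaC1yc2EAAAADAQAB two\n' > "$d/two.pub"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/id_dsa"
    rc=0
    check_single_pubkey "$d/one.pub" || rc=1
    check_single_pubkey "$d/two.pub" 2>/dev/null && rc=1
    check_single_pubkey "$d/id_dsa" 2>/dev/null && rc=1
    rm -rf "$d"
    return $rc
}

demo_check_single_pubkey && echo "all sample checks behaved as expected"
```

Run it as `check_single_pubkey ~/.ssh/id_dsa.pub && perl_ldap ...` so the upload only happens when the file passes.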
Using keychain
Every time you want to log on to a remote host using SSH public key
authentication, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily,
there is keychain to the rescue. There is a document on this
one here,
but I'll give you a quick introduction.
First, install keychain:
Code Listing 1.5: Installing keychain
# emerge keychain
Now have keychain load up your private ssh key when you log on to your
local box. To do so, add the following to ~/.bash_profile.
Again, this should be done on your local machine where you work
at the Gentoo CVS.
Code Listing 1.6: Add this to .bash_profile
keychain ~/.ssh/id_dsa
. .keychain/<hostname>-sh
Be sure to substitute <hostname> with your hostname.