Avoiding repeating passwords

This page outlines how you can use SSH keys to avoid typing your password many times (8 times for a cmt co of an ATLAS package!)

Follow the instructions here for using SSH keys for CVS access. (A backup of the instructions is repeated below.)

Note that you will have to do

eval `ssh-agent`
ssh-add

at least once per machine you are working on, which caches your valid keys.

And I recommend the following for your .ssh/config, rather than what CERN lists:

Host *plus.cern.ch *plus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

Host atlas-sw.cern.ch atlas-sw isscvs.cern.ch isscvs
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa
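To see what these two Host blocks actually do for a given host name, here is an added example (it is not part of the original page or of CERN's instructions): a small POSIX shell/awk model of how ssh evaluates ~/.ssh/config. The function names resolve_ssh_option and write_demo_config, the temporary config file and the trailing "Host *" block are constructed for the demonstration. The rules it models (patterns with * and ? wildcards, a block applies when any of its patterns matches, and the first value obtained for a keyword wins) are the real ssh_config rules, but Match blocks, negated patterns and the Key=value spelling are left out, so on a real machine `ssh -G hostname` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original page: a deliberately small model of how
# ssh(1) reads ~/.ssh/config, so the effect of the Host blocks above can be
# checked without a CERN account.  Modelled (real) rules: blocks are read top
# to bottom, a "Host" line starts a block that applies when ANY of its
# patterns matches the host name ("*" and "?" are wildcards), and for each
# keyword the FIRST value obtained wins.  Not modelled: Match blocks, negated
# patterns, "Key=value" syntax.  Use `ssh -G host` for the authoritative answer.

resolve_ssh_option() {
    # usage: resolve_ssh_option CONFIG_FILE HOSTNAME KEYWORD -> prints the value, or nothing
    awk -v host="$2" -v key="$3" '
        function glob_to_re(p,    i, c, re) {
            re = "^"
            for (i = 1; i <= length(p); i++) {
                c = substr(p, i, 1)
                if (c == "*")      re = re ".*"
                else if (c == "?") re = re "."
                else if (c ~ /[A-Za-z0-9_-]/) re = re c
                else               re = re "[" c "]"   # e.g. "." taken literally
            }
            return re "$"
        }
        NF == 0 || $1 ~ /^#/ { next }                    # blank lines and comments
        tolower($1) == "host" {                          # new block: does it apply to host?
            active = 0
            for (i = 2; i <= NF; i++)
                if (host ~ glob_to_re($i)) active = 1
            next
        }
        active && !found && tolower($1) == tolower(key) {
            found = 1                                    # first value wins; later ones are ignored
            print $2
        }
    ' "$1"
}

write_demo_config() {
    # Writes the recommended config from above plus a catch-all block to "$1"
    # (constructed test data, not a real user's file).
    cat > "$1" <<'EOF'
# interactive hosts: password login so that AFS/Kerberos tokens are obtained
Host *plus.cern.ch *plus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

# CVS servers: key login, no X forwarding
Host atlas-sw.cern.ch atlas-sw isscvs.cern.ch isscvs
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa

# catch-all defaults MUST come last: ssh keeps the first value it obtains
Host *
ForwardX11 yes
EOF
}

# --- demonstration ---
cfg=$(mktemp)
write_demo_config "$cfg"
for h in lxplus.cern.ch lxplus atlas-sw.cern.ch isscvs.cern.ch example.org; do
    printf '%-18s PubkeyAuthentication=%s ForwardX11=%s IdentityFile=%s\n' "$h" \
        "$(resolve_ssh_option "$cfg" "$h" PubkeyAuthentication)" \
        "$(resolve_ssh_option "$cfg" "$h" ForwardX11)" \
        "$(resolve_ssh_option "$cfg" "$h" IdentityFile)"
done
rm -f "$cfg"
```

The point of the extra "Host *" block is the ordering rule: because ssh keeps the first value it obtains, generic defaults must sit after the host-specific blocks. In the demo isscvs.cern.ch keeps ForwardX11 no from its own block, while lxplus.cern.ch, whose block says nothing about X11, falls through to the catch-all yes.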


Backup of the SSH2 instructions:

# Configuring SSH access from Linux/Unix

The SSH2 protocol is now used for authentication, but SSH1 will still work for a while. If you want to access the Central CVS Service using SSH from your Linux/Unix machine without providing a password each time, follow these instructions:

   1. Log on to your Linux/Unix machine
   2. If you already have your RSA2 key generated (most probably ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files), go to point 3.
      Otherwise, generate the key, saving it in the default location. N.B. Please make sure that you use a passphrase to protect your private key. The passphrase can be changed later by using the -p option of the ssh-keygen command. If, nevertheless, you decide to generate your key without a passphrase, please MAKE SURE THAT THE AFS ACL OF ~/.ssh/id_rsa (fs la ~/.ssh/id_rsa) ONLY ALLOWS YOU TO READ YOUR PRIVATE KEY (see also "AUTHORIZED_KEYS FILE FORMAT" in the sshd man page):

      mkdir -p ~/.ssh
      ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/afs/cern.ch/user/u/uimon/.ssh/id_rsa):
      Enter passphrase: YOURPASSPHRASE
      Enter same passphrase again: YOURPASSPHRASE
      Your identification has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.
      Your public key has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.pub.

   3. Copy the public key (~/.ssh/id_rsa.pub) to your AFS home directory at CERN

      scp ~/.ssh/id_rsa.pub USERNAME@lxplus.cern.ch:~

   4. Log on to LXPLUS and run

      /afs/cern.ch/project/cvs/dist/bin/set_ssh

   5. Add the PUBLIC key you copied in 3. in your ~/.ssh/authorized_keys file with the following command:

      $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

   6. Check, and modify if necessary, the format of your authorized_keys file so that it is EXACTLY IN THE SAME FORMAT AS BELOW:

      ---- BEGIN SSH2 PUBLIC KEY ----
      Comment: "rsa-key-20070416"
      ssh-rsa AAAAB3NzaC1yc2E....

      - Secondly, please edit this file so that the key is placed on a single line (remove the carriage returns).

   7. Check the access permissions of ~/.ssh and ~/public; they shouldn't be more "open" than drwxr-xr-x:

      $ ls -ld ~/.ssh ~/public

      If necessary, correct them with this command:

      $ chmod 755 ~/.ssh ~/public ~/.ssh/authorized_keys

   8. When logged in on your Linux/Unix machine, if you have set a key passphrase, use ssh-agent to avoid having to type your passphrase every time you call cvs. For that, just run the following commands on your Linux/Unix machine:

      % eval `ssh-agent`
      % ssh-add ~/.ssh/id_rsa
      % ssh-add -l

      If all goes well, the last command should list the key you've added to the key agent, and SSH commands in this shell will have access to your key without further intervention from you. Then try connecting to isscvs.cern.ch:

      ssh USERNAME@isscvs.cern.ch

      and accept the server key (only if the fingerprint is 05:1c:53:5c:2b:cc:70:5f:75:0b:b7:f6:19:fe:f8:8e!). You shouldn't be prompted for a password, and you should see the message:

      *******************************************************************************
      *                                                                             *
      * http://cern.ch/ComputingRules : Govern the use of CERN computing facilities *
      *                                                                             *
      *******************************************************************************
      CVS server - wrong number of arguments, interactive login disabled
      Connection to isscvs closed.

      which means that ssh access to CVS servers is properly configured.

As you have probably realized, when you log in to LXPLUS without providing your password, you don't get AFS and Kerberos tokens. In order to be asked for the password when connecting to LXPLUS but not for CVS connections, create the file ~/.ssh/config on your Linux/Unix machine and put the following contents in it:

Host lxplus.cern.ch lxplus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

Host isscvs.cern.ch isscvs
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa

Now try the two commands:

ssh USERNAME@lxplus.cern.ch
ssh USERNAME@isscvs.cern.ch

The first call to ssh will prompt for a password, while the second one won't (which was the purpose).

These are the OLD SSH1 instructions (not recommended!):

The first step is to create an SSH v1 key via the command
    ssh-keygen -t rsa1
This will ask you for a password to protect your key with; please choose one as good as your normal unix password.

This command will create two files in your .ssh directory: identity and identity.pub. You should make sure you protect the identity file: it contains your virtual identity (it is not readable by others by default). The other file, as implied by its name, can be made public.

To allow yourself to log on to other machines using this key, you copy identity.pub to the remote machine and append it to the .ssh/authorized_keys file. You could do this with a command like:
    cat .ssh/identity.pub | ssh lxplus.cern.ch "cat >> .ssh/authorized_keys"

Your authorized_keys file must be readable by the ssh daemon. This can be a problem if your remote home directory is on AFS (as is the case at CERN and SLAC). For this to work you will need to move the authorized_keys file to a directory that is publicly readable. At SLAC this is done for you when the account is set up. At CERN you need to do this by hand. You should have a "public" directory in your home directory there, so that can be used. ssh to CERN (lxplus.cern.ch) and then do
    mkdir public/.ssh; mv .ssh/authorized_keys public/.ssh; ln -s ../public/.ssh/authorized_keys .ssh/authorized_keys

To make sure you use Protocol version 1, which allows key passing, you should add the following to the file .ssh/config:

Host atlas-sw.cern.ch
 ForwardX11 no
 Protocol 1

If your window manager has not already started an ssh-agent for you (check with ps x | grep ssh-agent), start it with a command like eval `ssh-agent`. This can also be added to your .cshrc file. (We run it as an argument to eval because this sets some environment variables in your current shell that are needed to talk to the ssh-agent.) Now you can load your keys into the agent with the ssh-add command. It will prompt you for the password for your key(s). You can check they've been loaded correctly by running ssh-add -l.


Last edited by Andy Haas on April 7, 2009