Avoiding repeating passwords
This page outlines how you can use ssh keys to avoid typing your
password many times (8 times for a cmt co of an ATLAS package!).
Follow the instructions here for using SSH keys for CVS access. (A backup of the
instructions is repeated below.)
Note that you will have to do
eval `ssh-agent`
ssh-add
at least once per machine you are working on; this starts an agent and
caches your unlocked keys in it for the rest of the session.
And I recommend the following for your .ssh/config, rather than
what CERN lists:
Host *plus.cern.ch *plus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes
Host atlas-sw.cern.ch atlas-sw isscvs.cern.ch isscvs
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa
Backup of the SSH2 instructions:
# Configuring SSH access from Linux/Unix
The SSH2 protocol is now used for authentication, but SSH1 will still work
for a while. If you want to access the Central CVS Service using SSH
from your Linux/Unix machine without providing a password each time,
follow these instructions:
1. Log on to your Linux/Unix machine.
2. If you already have your RSA2 key generated (most
probably the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files), skip to step 3.
Otherwise, generate the key, saving it
in the default location. N.B. Please make sure that you use a
passphrase to protect your private key. The passphrase can be changed
later with the -p option of the ssh-keygen command. If,
nevertheless, you decide to generate your key without a passphrase,
please MAKE SURE THAT THE AFS ACL OF ~/.ssh/id_rsa (fs la
~/.ssh/id_rsa) ONLY ALLOWS YOU TO READ YOUR PRIVATE KEY (see also
"AUTHORIZED_KEYS FILE FORMAT" in the sshd man page):
mkdir -p ~/.ssh
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/afs/cern.ch/user/u/uimon/.ssh/id_rsa):
Enter passphrase: YOURPASSPHRASE
Enter same passphrase again: YOURPASSPHRASE
Your identification has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.
Your public key has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.pub.
3. Copy the public key (~/.ssh/id_rsa.pub) to your AFS
home directory at CERN:
scp ~/.ssh/id_rsa.pub USERNAME@lxplus.cern.ch:~
4. Log on to LXPLUS and run:
/afs/cern.ch/project/cvs/dist/bin/set_ssh
5. Add the PUBLIC key you copied in step 3 to your
~/.ssh/authorized_keys file with the following command:
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
6. Check the format of your authorized_keys file and modify it if
necessary so that it is EXACTLY IN THE SAME FORMAT AS BELOW:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070416"
ssh-rsa AAAAB3NzaC1yc2E....
- Secondly, edit this file so that
the key is placed on a single line (remove the carriage returns).
7. Check the access permissions of ~/.ssh and ~/public; they
shouldn't be more "open" than drwxr-xr-x:
$ ls -ld ~/.ssh ~/public
If necessary, correct them with this command:
$ chmod 755 ~/.ssh ~/public ~/.ssh/authorized_keys
8. When logged on to your Linux/Unix machine, if you have set
a key passphrase, use ssh-agent to avoid having to type your passphrase
every time you call cvs. For that, just call the following commands on
your Linux/Unix machine:
% eval `ssh-agent`
% ssh-add ~/.ssh/id_rsa
% ssh-add -l
If all goes well, the last command
should list the key you've added to the key agent, and your SSH
commands in this shell will have access to your key without further
intervention from you. Then try connecting to isscvs.cern.ch:
ssh USERNAME@isscvs.cern.ch
and accept the server key (only if the
fingerprint is 05:1c:53:5c:2b:cc:70:5f:75:0b:b7:f6:19:fe:f8:8e!). You
shouldn't be prompted for a password, and you should see the message:
*******************************************************************************
*                                                                             *
* http://cern.ch/ComputingRules : Govern the use of CERN computing facilities *
*                                                                             *
*******************************************************************************
CVS server - wrong number of arguments, interactive login disabled
Connection to isscvs closed.
which means that ssh access to the CVS servers is properly configured.
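A quick self-check for steps 6 and 7 above, written as an added example (it is not part of the CERN instructions, and the function names are my own): it flags SSH2-style header lines or key material wrapped over several lines in authorized_keys, which sshd does not parse as a key, and any ~/.ssh or ~/public directory that is more open than drwxr-xr-x.

```sh
# Added example: sanity checks for the authorized_keys format (step 6) and
# the directory permissions (step 7).  Function names are hypothetical.
# Usage: check_authorized_keys ~/.ssh/authorized_keys && check_ssh_perms ~/.ssh ~/public

# check_authorized_keys FILE: returns 0 if every non-blank, non-comment line
# is a one-line "keytype AAAA..." entry, 1 otherwise.  SSH2 header lines,
# "Comment:" lines and wrapped key material all fail.  Entries with an
# options prefix (from=..., command=...) are not handled and are flagged too.
check_authorized_keys() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) ;;                              # blank line or comment: fine
            *'BEGIN SSH2'*|*'END SSH2'*|Comment:*)
                echo "$f:$n: SSH2 header line, not an OpenSSH entry" >&2
                status=1 ;;
            ssh-rsa\ AAAA*|ssh-dss\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*)
                ;;                                   # keytype, space, base64 blob
            *)
                echo "$f:$n: not a single-line 'keytype AAAA...' entry" >&2
                status=1 ;;
        esac
    done < "$f"
    return $status
}

# check_ssh_perms DIR...: returns 0 if no listed directory is group- or
# world-writable (sshd refuses keys under a writable ~/.ssh), 1 otherwise.
check_ssh_perms() {
    status=0
    for d in "$@"; do
        # "ls -ld" prints e.g. drwxr-xr-x; chars 6 and 9 are the g/o write bits
        mode=$(ls -ld "$d" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)
                echo "$d is group/world writable ($mode)" >&2
                status=1 ;;
        esac
    done
    return $status
}
```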
As you probably realized, when you log in to LXPLUS without providing
your password, you don't get AFS and Kerberos tokens. In order to be
asked for the password when connecting to LXPLUS but not for CVS
connections, create a ~/.ssh/config file on your
Linux/Unix machine with the following contents:
Host lxplus.cern.ch lxplus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes
Host isscvs.cern.ch isscvs
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa
Now try the two commands:
ssh USERNAME@lxplus.cern.ch
ssh USERNAME@isscvs.cern.ch
The first call to ssh will prompt for a password, while the second one
won't (which was the purpose).
These are the OLD SSH1 instructions (not recommended!):
The first step is to create an SSH v1 key via the command
ssh-keygen -t rsa1
This will ask you for a password to
protect your key with; please choose one as good as your normal
unix password.
This command will create two files in your .ssh directory:
identity and identity.pub. You should make sure you
protect the identity file, as it contains your virtual identity
(it is not readable by others by default).
The other file, as implied by its name, can be made public.
To allow yourself to log on to other machines using this key you
copy the identity.pub to the remote machine and append it to
the .ssh/authorized_keys file. You could do this with a
command like:
cat .ssh/identity.pub | ssh lxplus.cern.ch "cat >> .ssh/authorized_keys"
Your authorized_keys
file must be readable by the ssh daemon. This can be a problem if your
remote home directory is on AFS (as is the case at CERN and SLAC). For
this to work you will need to move the authorized_keys file
to a directory that is publicly readable. At SLAC this is done for
you when the account is set up. At CERN you need to do this by
hand. You should have a "public" directory in your home directory
there, so that can be used. ssh to CERN (lxplus.cern.ch) and then do
mkdir public/.ssh; mv .ssh/authorized_keys public/.ssh; ln -s ../public/.ssh/authorized_keys .ssh/authorized_keys
To make sure you use protocol version 1, which allows key passing,
you should add the following to the file .ssh/config:
Host atlas-sw.cern.ch
ForwardX11 no
Protocol 1
If your window manager has not already started an
ssh-agent for you (check with ps x | grep ssh-agent),
start it with a command like eval `ssh-agent`. This can also
be added to your .cshrc file. (We run it as
an argument to eval because this sets some environment variables in
your current shell that are needed to talk to the
ssh-agent.) Now you can load your keys into the agent with the
ssh-add command. It will prompt you for the password for your
key(s). You can check they've been loaded correctly by running
ssh-add -l.
Last edited by Andy Haas on April 7, 2009