7. Advanced ssh

You can log into the SourceForge shell and CVS servers without using your password, but instead using a public/private key pair. This means you never have to send your password over the network -- encrypted or otherwise -- and you only have to type your password once when you log on to your local workstation.

7.1. A little background

Normally, when you log on to a UNIX system, the password you give -- after having been sent over the network if it is a remote system -- is compared with that in /etc/passwd or /etc/shadow and if it matches then you are allowed to log in.

There is another method based on public/private keys which ssh allows. In this situation your public key, stored on the system you wish to log on to, is used by sshd to encrypt a very large random number. This is sent across the network back to you. If your ssh on the local system can decrypt it (using your private key), and send it back to the remote system correctly, then you are allowed to log in.
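The challenge-response exchange just described, as an added example that is not from the SourceForge documentation: a toy RSA simulation with small constructed primes and no padding, in which sshd encrypts a random number under the user's public key and the client proves possession of the private key by returning the decrypted value (real SSH1 returns a hash of the decrypted challenge rather than the number itself, and uses far larger keys).

```python
import secrets

# Constructed toy RSA parameters, far too small for real use.
# 2**127-1 and 2**89-1 are Mersenne primes; 65537 is coprime to (p-1)(q-1).
P = 2**127 - 1
Q = 2**89 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key kept on the server,
    the private key kept in the user's ~/.ssh/identity."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def server_challenge(public_key):
    """sshd side: pick a large random number r and encrypt it with the
    user's public key. Only r's ciphertext crosses the network."""
    n, e = public_key
    r = secrets.randbelow(n - 2) + 1  # 1 <= r < n - 1
    return r, pow(r, e, n)


def client_response(private_key, ciphertext):
    """Local ssh side: decrypt the challenge with the private key."""
    n, d = private_key
    return pow(ciphertext, d, n)


def server_verify(expected, response):
    """sshd side: login is allowed only if the decrypted value matches."""
    return expected == response


def authenticate(server_public_key, client_private_key):
    """Run the whole exchange; True means the client holds the matching key."""
    r, ciphertext = server_challenge(server_public_key)
    return server_verify(r, client_response(client_private_key, ciphertext))
```

A client holding a different private key decrypts the challenge to an unrelated number and is rejected, without either side ever transmitting a password or the private key.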

7.2. Setting up your public/private key

First you need to generate your public and private key pair. You do this using ssh-keygen. You can just keep pressing Enter to accept all of the default values:

$ ssh-keygen 
Generating RSA keys:  ..........................oooooO...................oooooO
Key generation complete.
Enter file in which to save the key (/home/tom/.ssh/identity): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/tom/.ssh/identity.
Your public key has been saved in /home/tom/.ssh/identity.pub.
The key fingerprint is:
1024 3d:50:a1:6d:96:2e:5f:18:2e:6f:8f:1f:32:25:c8:9d tom@henry

7.3. Setting up the server side

7.3.2. The CVS server

Because you can't log directly into the CVS server, you have to copy your authorized keys via a web page. Log into your account on sourceforge.net, then head over to sourceforge.net/account/editsshkeys.php. Copy the contents of your ~/.ssh/identity.pub into the box. It may take a few hours after submission to sync the key over to the CVS server. When that's done you can run
$ cvs [update] [commit] etc...
without having to type your password.

7.4. Protecting your private key

Although your private key file is set to be readable only by you, the root user of your system can still read it. If you don't trust your admins that much, or just want some extra security, then you can put a passphrase on your key.

$ ssh-keygen -p
Enter file in which the key is (/home/tom/.ssh/identity): 
Key has comment 'tom@henry'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Note

Your choice of passphrase is not subject to the restrictions that apply to a UNIX password. It can contain all sorts of characters, including spaces, and can be very long.

7.5. Concluding ssh

Using ssh with your own public and private keys allows secure communication with a remote machine, and you never have to send any password across a network. Using ssh-agent means you only have to type your passphrase once per session.