SourceForge guide
PrevNext

7. Advanced ssh

You can log into the SourceForge shell and CVS servers without using your password, but instead using a public/private key pair. This means you never have to send your password over the network -- encrypted or otherwise -- and you only have to type your password once when you log on to your local workstation.

7.1. A little background

Normally, when you log on to a UNIX system, the password you give -- after having been sent over the network if it is a remote system -- is compared with that in /etc/passwd or /etc/shadow and if it matches then you are allowed to log in.

There is another method based on public/private keys which ssh allows. In this situation your public key, stored on the system you wish to log on to, is used by sshd to encrypt a very large random number. This is sent across the network back to you. If your ssh on the local system can decrypt it (using your private key), and send it back to the remote system correctly, then you are allowed to log in.

7.2. Setting up your public/private key

First you need to generate you public and private key pair. You do this using ssh-keygen. You can just keep pressing Enter to select all of the default values:

$ ssh-keygen 
Generating RSA keys:  ..........................oooooO...................oooooO
Key generation complete.
Enter file in which to save the key (/home/tom/.ssh/identity): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/tom/.ssh/identity.
Your public key has been saved in /home/tom/.ssh/identity.pub.
The key fingerprint is:
1024 3d:50:a1:6d:96:2e:5f:18:2e:6f:8f:1f:32:25:c8:9d tom@henry

7.3. Setting up the server side

7.3.1. The shell server

Now you need to copy your public key to the SourceForge shell server, so it can authenticate you.

The (public) keys that you are allowed to log in with are stored in ~/.ssh/authorized_keys on the server, one per line. If you don't have any keys there yet then it's possible to scp localhost:~/.ssh/identity.pub directly over to server:~/.ssh/authorized_keys.

$ scp ~/.ssh/identity.pub \
> myusername@shell1.sourceforge.net:/home/user/users/m/my/myusername/.ssh/authorized_keys

Where `m' and `my' are the first and first two letters of your username.

Now you can 
$ ssh username@shell1.sourceforge.net
without having to type your password

7.3.2. The CVS server

Because you can't log directly into the CVS server you have to copy your authorized keys via a web page. Log into your account on sourceforge.net then head over to sourceforge.net/account/editsshkeys.php. Copy the contents of your ~/.ssh/identity.pub into the box. It may take a few hours after submission to sync the key over to the CVS server. When that's done you can 
$ cvs [update] [commit] etc...
without having to type your password.

7.4. Protecting your private key

Although your private key is set to be only readable by you, the root user of your system can also see it. If you don't trust your admins that much, or just want some extra security then you can put a passphrase on your key.

$ ssh-keygen -p
Enter file in which the key is (/home/tom/.ssh/identity): 
Key has comment 'tom@henry'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

Note

Your choice of passphrase is not as restrictive as your choice of UNIX password is. It can contain all sorts of characters, including spaces and can be very long.

7.4.1. ssh-add

Now every time ssh wants to use your private key it will ask you for your passphrase. This rather defeats one of the objects of using ssh, which was to avoid having to type your password. However, a program called ssh-agent can hold any and all of your private keys in memory. If ssh-agent is running, ssh will ask it rather than you for your password.

When starting X, Debian Potato systems run ssh-agent automatically. If you want this to work in a terminal shell or on a system that does not run ssh-agent automatically then check the man page. ssh-agent has a unusual syntax.

If you try 
$ ssh-add ~/.ssh/identity
ssh-add will add your private key to ssh-agent's list. If your public key is encrypted then you will be asked for your passphrase. You can add ssh-add to your ~/.xsession file, but if ssh-add is not attached to a console when it is run you will need one of the ssh-askpass* packages. These provide a way for ssh-add to get your passphrase in X.

$ apt-get install ssh-askpass
$ apt-get install ssh-askpass-ptk
$ apt-get install ssh-askpass-gnome

7.5. Concluding ssh

Using ssh with your own public and private keys allows secure communication with a remote machine, and you never have to send any password across a network. Using ssh-agent means you only have to type your passphrase once per session.

PrevHomeNext
Communication utilities Further information