This page outlines how you can use SSH keys to avoid typing your password many times
(8 times for a cmt co of an ATLAS package!)

These instructions are based on the CERN page. For help, email ahaas@slac.

----------------------------------

   1. Log on to your Linux/Unix machine
   2. If you already have your RSA2 key generated (most probably the ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub files), go to point 3. Otherwise, generate the key, saving it in the default location. N.B. Please make sure that you use a passphrase to protect your private key. The passphrase can be changed later with the -p option of the ssh-keygen command. If, nevertheless, you decide to generate your key without a passphrase, please MAKE SURE THAT THE AFS ACL OF ~/.ssh/id_rsa (fs la ~/.ssh/id_rsa) ONLY ALLOWS YOU TO READ YOUR PRIVATE KEY (see also "AUTHORIZED_KEYS FILE FORMAT" in the sshd man page):
      mkdir -p ~/.ssh
      ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/afs/cern.ch/user/u/uimon/.ssh/id_rsa):
      Enter passphrase: YOURPASSPHRASE
      Enter same passphrase again: YOURPASSPHRASE
      Your identification has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.
      Your public key has been saved in /afs/cern.ch/user/u/uimon/.ssh/id_rsa.pub.
   3. Copy the public key (~/.ssh/id_rsa.pub) to your AFS home directory at CERN
      scp ~/.ssh/id_rsa.pub USERNAME@lxplus.cern.ch:~
   4. Log on to LXPLUS (ssh lxplus.cern.ch) and run this script:
      /afs/cern.ch/project/cvs/dist/bin/set_ssh
   5. Append the PUBLIC key you copied in step 3 to your ~/.ssh/authorized_keys file with the following command:
      $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
   6. Check and modify if necessary the format of your authorized_keys file EXACTLY IN THE SAME FORMAT AS BELOW:

      --- BEGIN SSH2 PUBLIC KEY ---
      Comment: "rsa-key-20070416"
      ssh-rsa AAAAB3NzaC1yc2E....

       Please make sure that the key is placed on a single line (remove the Carriage Returns).
   7. Check the access permissions of ~/.ssh and ~/public; they shouldn't be more "open" than drwxr-xr-x:
      $ ls -ld ~/.ssh ~/public
      If necessary, correct them with this command:
      $ chmod 755 ~/.ssh ~/public ~/.ssh/authorized_keys
   8. When logged in to your Linux/Unix machine, if you have set a key passphrase, use ssh-agent to avoid having to type your passphrase every time you call cvs/svn. To do that, run the following commands on your Linux/Unix machine:
        eval `ssh-agent`
        ssh-add ~/.ssh/id_rsa
        ssh-add -l
      If all goes well, the last command should list the key you've added to the key agent, and your SSH commands in this shell have access to your key without further intervention from you.
      If already in bash with an ATLAS release set up, I use this script instead:
      source ~ahaas/bin/agent.sh
      Then try connecting to svn.cern.ch
      ssh USERNAME@svn.cern.ch
      and accept the server key (only if the fingerprint is 05:1c:53:5c:2b:cc:70:5f:75:0b:b7:f6:19:fe:f8:8e!).
      You shouldn't be prompted for a password, and you should see the message:
      *******************************************************************************
      *                                                                             *
      * http://cern.ch/ComputingRules : Govern the use of CERN computing facilities *
      *                                                                             *
      *******************************************************************************
      Interactive login disabled
      Connection to svn closed.
      which means that ssh access to SVN servers is properly configured.
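
A way to check steps 6 and 7 on the LXPLUS side before testing the connection, as an added example that is not part of the original page: it flags carriage returns and keys wrapped across lines in authorized_keys, and group- or world-writable modes on ~/.ssh and ~/public. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Step 6: report carriage returns and wrapped key data; return 1 if any found.
check_authorized_keys() {
    file=$1
    cr=$(printf '\r')
    rc=0
    if grep -q "$cr" "$file"; then
        echo "$file: contains carriage returns (step 6)"
        rc=1
    fi
    # A line made only of base64 characters is the tail of a key that was
    # wrapped across lines; a complete entry has a key type, a space, the key.
    wrapped=$(tr -d '\r' < "$file" | grep -n -E '^[A-Za-z0-9+/=]+$' \
              | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$wrapped" ]; then
        echo "$file: key data continues on line(s) $wrapped(step 6)"
        rc=1
    fi
    return $rc
}

# Step 7: return 1 if group or others can write (more open than rwxr-xr-x).
# Looks at the Unix mode bits only, as "ls -ld" in step 7 does.
check_mode() {
    path=$1
    mode=$(ls -ld "$path" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)
            echo "$path: mode $mode is more open than rwxr-xr-x (step 7)"
            return 1 ;;
    esac
    return 0
}

# Run both checks under a home directory (defaults to $HOME).
audit_ssh_setup() {
    home=${1:-$HOME}
    status=0
    for p in "$home/.ssh" "$home/public" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "$p: missing"; status=1; continue; fi
        check_mode "$p" || status=1
    done
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_authorized_keys "$home/.ssh/authorized_keys" || status=1
    fi
    return $status
}
# Usage after sourcing this file on LXPLUS:  audit_ssh_setup
```
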
As you have probably realized, when you log in to LXPLUS without providing your password, you don't have AFS and Kerberos tokens. In order to be asked for the password while connecting to LXPLUS and not to be asked for it for CVS connections, create a ~/.ssh/config file on your Linux/Unix machine, and put the following contents in it:

Host lxplus.cern.ch lxplus
User <lxplus-username>
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

Host atlas-sw.cern.ch atlas-sw isscvs.cern.ch isscvs svn.cern.ch svn
User <lxplus-username>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa

Be sure to replace <lxplus-username> with your username! (Don't include the <>)

Now try the two commands:

ssh username@lxplus.cern.ch
ssh username@svn.cern.ch

The first call to ssh will prompt for a password, while the second one won't (which was the purpose).
