Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

This page outlines how you can use ssh keys to avoid typing your word many times
(8 times for a cmt co of an ATLAS package!)

These instructions are based on the CERN page. For help, email ahaas@slac.


   1. Log on to your Linux/Unix machine
   2. If you already have your RSA2 key generated (most probably ~/.ssh/id_rsa and ~/.ssh/ files), go to point 3. Otherwise, generate the key, saving it in the default location. N.B. Please make sure that you use a passprashe to protect your private key. The passphrase can be changed later by using the -p option at the ssh-keygen command. If, nevertheless, you decide to generate your key without passphrase, please MAKE SURE THAT THE AFS ACL OF ~/.ssh/id_rsa (fs la ~/.ssh/id_rsa) ONLY ALLOWS YOU TO READ YOUR PRIVATE KEY (see also "AUTHORIZED_KEYS FILE FORMAT" of sshd man page):
      mkdir -p ~/.ssh
      Generating public/private rsa key pair.
      Enter file in which to save the key (/afs/
      Enter passphrase: YOURPASSPHRASE
      Enter same passphrase again: YOURPASSPHRASE
      Your identification has been saved in /afs/
      Your public key has been saved in /afs/
   3. Copy the public key (~/.ssh/ to your AFS home directory at CERN
      scp ~/.ssh/
   4. Log on to LXPLUS (ssh and run this script:
   5. Add the PUBLIC key you copied in 3. in your ~/.ssh/authorized_keys file with the following command:
      $ cat ~/ >> ~/.ssh/authorized_keys
   6. Check and modify if necessary the format of your authorized_keys file EXACTLY IN THE SAME FORMAT AS BELOW:

No Format
      --- BEGIN SSH2 PUBLIC KEY ---
      Comment: "rsa-key-20070416"
      ssh-rsa AAAAB3NzaC1yc2E....

       Please make sure that the key is placed in a single line (remove the Carriage Returns).
   7. Check access permissions to ~/.ssh and ~/public, they shouldn't be more "open" that drwxr-xr-x:
      $ ls -ld ~/.ssh ~/public
      If necessary, correct them with this command:
      $ chmod 755 ~/.ssh ~/public ~/.ssh/authorized_keys
   8. When logged at your Linux/Unix machine, if you have set a key passphrase, use ssh-agent to avoid having to type your passphrase everytime you call cvs/svn. For that just call the following commands in your Linux/Unix machine:
        eval `ssh-agent`
        ssh-add ~/.ssh/id_rsa
        ssh-add -l
      If all goes well, the last command should list the key you've added to the key agent, and your SSH commands in this shell have access to your key without further intervention from you.
      If already in bash with an ATLAS release set up, I use this script instead:
      source ~ahaas/bin/
      Then try connecting to
      and accept the server key (only, if the fingerprint is 05:1c:53:5c:2b:cc:70:5f:75:0b:b7:f6:19:fe:f8:8e!).
      You shouldn't be prompted for a password, and you should see the message:
      *                                                                             *
      * : Govern the use of CERN computing facilities *
      *                                                                             *
      Interactive login disabled
      Connection to svn closed.
      which means that ssh access to SVN servers is properly configured.
As you probably realized, when you login on LXPLUS without providing your password, you don't have AFS and Kerberos tokens. In order to be asked for the password while connecting to LXPLUS and not to be asked for it for CVS connections, create ~/.ssh/config file on your Linux/Unix machine, and put the following contents in it:

No Format
Host lxplus
User <lxplus-username>
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

Host atlas-sw isscvs svn
User <lxplus-username>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Protocol 2
ForwardX11 no
IdentityFile ~/.ssh/id_rsa

Be sure to replace <lxplus-username> with your username ! (Don't include <>)

Now try the two commands:

Code Block

The first call to ssh will prompt for a password, while the second one won't (which was the purpose).