SSH access to cvs.gentoo.org
Your SSH keypair authenticates you to Gentoo Infrastructure. Properly
handling these keys is vital to keeping our machines safe. Please try to
follow these guidelines:
- Place your private keys only on machines you trust. This means only you have root
on these machines and they are not shared with other users.
- Do not trust Gentoo Infrastructure. Do not place copies of your keys
on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent
through Gentoo managed machines if they are configured to allow users to
agent forward (more on forwarding later.)
- Encrypt your keys with a strong passphrase. If you have trouble making
a passphrase try emerge pwgen; pwgen -sB 25
- Do not access Gentoo infrastructure from untrusted machines such as business
kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines
are infected with malware.
- If you believe your keys were compromised, contact infrastructure immediately.
You can do this via #gentoo-infra on irc.freenode.net or by emailing firstname.lastname@example.org.
- Official hostkey fingerprints for Gentoo Infrastructure servers are
available on the server
Creating the SSH keys
First of all, be physically logged on to your own computer. Make sure
that no-one will see you typing stuff in, since we are going to type in
passphrases and such. So get your pepperspray and fight all untrusted
entities until you are home alone.
Now we are going to create our ssh keys, RSA keys to be exact. The key should
be at least 2048 bits in length, but 4096 bits is recommended. Log onto
your computer as the user that you are going to be using when you want
to access cvs.gentoo.org. Then issue ssh-keygen -t rsa -b 4096:
Code Listing 1.1: Creating SSH keys
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/temp/.ssh/id_rsa):
Created directory '/home/temp/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/temp/.ssh/id_rsa.
Your public key has been saved in /home/temp/.ssh/id_rsa.pub.
The key fingerprint is:
Please be sure to set a strong passphrase on your private key. Ideally,
this passphrase should be at least eight characters and contain a mixture of
letters, numbers and symbols.
Do not set an empty passphrase on your ssh key. If infra finds out this is the
case; your account will be suspended.
Code Listing 1.2: Created files
# ls ~/.ssh
You may have more files than this, but the two files listed above
are the ones that are really important.
The first file, id_rsa, is your private key. Don't
give this to anyone; never decrypt it on an untrusted machine. Gentoo Staff
will never ask you for a copy of your private key.
Be very careful which machines you put your private key on. If you have
several (trusted!) hosts from which you want to connect to
cvs.gentoo.org, you should copy id_rsa to the
~/.ssh directories on those hosts. Trusted machines are machines
that only you have root on; these machines are not shared with other users.
The second file, id_rsa.pub, is your public key.
Distribute this file amongst all hosts that you want to be able to
access through SSH pubkey authentification. This file should be appended
to ~/.ssh/authorized_keys on those remote hosts. Also add it
to your local host so you can connect to that one too if you have several
Code Listing 1.3: Adding the SSH key to the box
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Installing your public key on a machine using LDAP authentication for SSH
If you are a new developer, your recruiter will put your first SSH key into
LDAP, so that you can login. You can then add any additional SSH keys yourself
using the following procedure.
For most of the Gentoo infrastructure, we use LDAP to distribute user
information including SSH public keys. On these machines,
~/.ssh/authorized_keys should generally not contain your key.
You should place your public key into LDAP, using
perl_ldap, or ldapmodify directly.
The Infrastructure LDAP
guide describes this in more detail.
Code Listing 1.4: Adding the SSH key with perl_ldap on dev.gentoo.org
$ perl_ldap -b user -C sshPublicKey "$(cat ~/.ssh/id_rsa.pub)" <username>
Each sshPublicKey attribute must contain exactly one public key. If you have multiple public keys, you must have multiple attributes!
Every time you want to log on to a remote host using SSH public key
authentification, you will be asked to enter your passphrase. As much as
everybody likes typing, too much is sometimes too much. Luckily, there is
keychain to the rescue. There is an document on this one here, but I'll give you a quick
First, install keychain:
Code Listing 1.5: Installing keychain
# emerge keychain
Now have keychain load up your private ssh key when you log on to your local
box. To do so, add the following to ~/.bash_profile. Again, this
should be done on your local machine where you work at the Gentoo CVS.
NEVER run keychain or decrypt your private key on an untrusted host.
Code Listing 1.6: Add this to .bash_profile
Be sure to substitute hostname with your hostname.