ssh_enable.doc -- this doc gives notes to the TRANSP developer on how to set
up a secure cvs connection to the PPPL TRANSP repository.

History:

  Jul 06, 2003 -- type 2 ssh
  Oct 07, 2004 -- from Linux machines a simpler procedure seems to work; we
                  document this now. The old procedure is retained at the
                  end of the document.

For background, see

  man ssh
  man ssh-keygen
  man ssh-agent

Note: Please be aware of the PPPL firewall. The TRANSP CVS source code
server lives behind the firewall; specific action must be taken to arrange
for access through the firewall. There are two options:

  (a) apply for a PPPL account, and get a PPPL "key fob" which includes a
      temporary password generator. Use this to authenticate through the
      PPPL firewall. For more details, see http://www.pppl.gov/access ...
      If one is accessing PPPL through the public internet, e.g. via an
      at-home broadband connection on a Linux laptop, this method must be
      used;

  (b) for known, "trusted" secure sites only, machines with fixed IP network
      addresses can be granted a long-lasting firewall exception, allowing
      access without the need for separate authentication. Such trusted
      sites exist at many major fusion labs, including GA, MIT, JET,
      IPP/Garching and others.

---------------------------------------------------------------------------
new procedure (Oct 07 and beyond)

1) CVS setup: your environment should include:

     CVSROOT=xshare@transp.pppl.gov:/u/xshare/repos
     CVS_RSH=`which ssh`

   CVSROOT specifies the repository; CVS_RSH specifies that ssh is to be
   used for authenticated communications.

2) Creating an identity:

   As you might need to run cron jobs or other automated processes where
   you are not present to enter a pass-phrase, it might be helpful to create
   a second identity for purposes of connecting to the cvs repository only,
   without passphrase protection. Here's how:
   For "OpenSSH_3.1 type 2 ssh"
   ---------------------------
     cd ~/.ssh
     ssh-keygen -t dsa -f identity2

   (do NOT enter a pass-phrase. Hit carriage-return when prompted for
   pass-phrase and pass-phrase verification).

   However, you can also use your own dsa key, with pass-phrase protection,
   if this is sufficiently convenient. On Unix systems many people use a
   program called "ssh-agent" to capture a passphrase in memory within an
   interactive X session, meaning the passphrase is only typed once at the
   beginning of the day and then remains available automatically for use as
   needed. For ssh-agent details, see the good overview of an earlier
   version of ssh in:

     http://w3.pppl.gov/~karney/ssh-sem.txt

3) Having the new identity authorized for cvs repository connections:

   Request that the new identity be added to the xshare@transp.pppl.gov
   ~/.ssh/authorized_keys2 file. Send an email with a copy of your
   identity2.pub file. Also, if this is a key with no pass-phrase
   protection, please specify the hostnames of the hosts from which you
   would like to connect using cvs. Automatic, password-free connections
   will ONLY be permitted from the hostnames specified.

   As of 15 Oct 1999, send the email to dmccune@pppl.gov or
   ludesche@pppl.gov.
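   The following is an added example, not part of ssh_enable.doc: a small
   shell function that builds the authorized_keys line the xshare maintainer
   installs for a passphrase-less identity2.pub, with the from= restriction
   to the hostnames supplied in the step 3 email. The function name, the
   hostnames alpha/beta.example.org and the key blob are this example's
   constructions (the blob is a placeholder, not a real key). The extra
   no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty
   options come from "man sshd", not from this document; they are added here
   so that a stolen private key is good for the cvs server process only.

```sh
#!/bin/sh
# Added example, not part of ssh_enable.doc: build the authorized_keys line
# the xshare maintainer appends for a passphrase-less identity2.pub,
# restricted to the hostnames the requester gave in step 3.
# from= is what the document requires; the no-* options are extra
# restrictions from "man sshd" chosen for this example.
# The key material below is a constructed placeholder, not a real key.

# Usage: restricted_key_line PUBKEY_FILE "host1,host2,..."
# Prints the finished line on stdout; returns 1 (with a reason on stderr)
# if the file is not a single ssh-keygen public key or no host list was given.
restricted_key_line() {
    pubfile=$1
    hosts=$2

    # A passphrase-less key without from= works from anywhere once the
    # private half leaks, so refuse to build a line without a host list.
    # Spaces and quotes would break the option syntax, so reject them too.
    case $hosts in
        ''|*' '*|*'"'*)
            echo "refusing: need a comma-separated hostname list" >&2
            return 1 ;;
    esac

    # identity2.pub is one line: "<keytype> <base64 blob> [comment]".
    if [ "$(wc -l < "$pubfile" | tr -d ' ')" -gt 1 ]; then
        echo "refusing: $pubfile has more than one line" >&2
        return 1
    fi
    if ! read -r ktype kblob kcomment < "$pubfile" && [ -z "$ktype" ]; then
        echo "refusing: $pubfile is empty" >&2
        return 1
    fi
    case $ktype in
        ssh-dss|ssh-rsa) ;;     # type 2 keys, as produced by ssh-keygen -t dsa / -t rsa
        *) echo "refusing: unexpected key type '$ktype'" >&2; return 1 ;;
    esac
    case $kblob in
        ''|*[!A-Za-z0-9+/=]*)
            echo "refusing: key blob is not base64" >&2
            return 1 ;;
    esac

    # Options must be the first field, comma-separated, with no spaces.
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s%s\n' \
        "$hosts" "$ktype" "$kblob" "${kcomment:+ $kcomment}"
}

# Demo with a constructed public key file (placeholder blob, not a real key).
demo_pub=$(mktemp)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERBLOB/+== dev@alpha.example.org\n' > "$demo_pub"
restricted_key_line "$demo_pub" "alpha.example.org,beta.example.org"
rm -f "$demo_pub"
```

   The output line goes into ~/.ssh/authorized_keys2 for a type 2 (dsa) key
   and ~/.ssh/authorized_keys for a type 1 key, as the maintainer note says.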
   *************************************************************************
   * Note to xshare maintainer: append the public key to the xshare        *
   * ~/.ssh/authorized_keys file. Insert at the beginning of the line      *
   * the text: from=",,..." as per the instructions                        *
   * provided by the user. We should insist on hostnames being provided,   *
   * since the lack of pass-phrase protection increases our exposure, if   *
   * the identity2 private key is stolen. See "man sshd" for details on    *
   * the format of the authorized_keys file.                               *
   * Note: type 2 (dsa) keys go into ~/.ssh/authorized_keys2               *
   *************************************************************************

4) Making identity2 your default identity when connecting to
   transp.pppl.gov:

   If you don't have an ~/.ssh/config file, you'll need to create one. This
   file should contain the following lines:

     Host transp.pppl.gov
       BatchMode yes
       IdentityFile ~/.ssh/identity2

   (assuming "identity2" is the name of your identity chosen for this
   purpose). If you are using your standard key (e.g. in combination with
   ssh-agent) you wouldn't need to do this.

5) Obtaining a host key for transp.pppl.gov:

     ssh transp.pppl.gov -l xshare ls

   This command will list files in xshare's home directory. If you don't
   already have a host key for transp.pppl.gov, you will get a message like:

     Host key not found from the list of known hosts.
     Are you sure you want to continue connecting (yes/no)?

   Answer "yes". You should then get a listing of xshare's home directory
   without having to provide a password or pass-phrase.

6) In case of problems:

   Send an email (see address under 3) containing the output of the command

     ssh -v transp.pppl.gov -l xshare ls

   or

     ssh -v -F $HOME/.ssh/config transp.pppl.gov -l xshare ls

   If all is working properly, you should not be prompted for a password or
   pass-phrase. If you are, use the "-v" switch to get debugging output from
   ssh, which we can help interpret.

THE END
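   The following is an added example, not part of ssh_enable.doc: a shell
   function that writes the step 4 Host stanza into an ssh config file
   exactly once and sets the permissions OpenSSH insists on (it refuses a
   config file that others can write and ignores a private key that others
   can read), so that a BatchMode cron job does not fail without ever
   prompting. The stanza text (Host transp.pppl.gov, BatchMode yes,
   IdentityFile ~/.ssh/identity2) is the document's; the function name, the
   directory parameter and the scratch-directory demo are this example's
   own. The passphrase check uses ssh-keygen -y -P '' -f KEY, which loads
   the private key with an empty passphrase and prints its public half.

```sh
#!/bin/sh
# Added example, not part of ssh_enable.doc: install the step-4 Host stanza
# once and tighten permissions so a BatchMode cron job cannot fail silently.
# The ssh directory is a parameter so the demo runs on a scratch directory,
# not on your real ~/.ssh. Names other than identity2 / transp.pppl.gov are
# this example's choice.

# Usage: setup_cvs_ssh_config SSH_DIR KEY_NAME HOST
setup_cvs_ssh_config() {
    sshdir=$1; keyname=$2; host=$3
    config=$sshdir/config

    # ssh refuses ~/.ssh/config when group/others can write it, and
    # ignores a private key that group/others can read. BatchMode yes
    # means it will not fall back to asking you for anything.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$config" ] || : > "$config"
    chmod 600 "$config"

    # Append the stanza only when this Host is not configured yet, so
    # re-running (or a second account) does not pile up duplicates.
    if grep -qxF "Host $host" "$config"; then
        echo "config: Host $host already present"
    else
        printf 'Host %s\n    BatchMode yes\n    IdentityFile ~/.ssh/%s\n' "$host" "$keyname" >> "$config"
        echo "config: added Host $host"
    fi

    # The private key named in the stanza must exist and be owner-only.
    key=$sshdir/$keyname
    if [ ! -f "$key" ]; then
        echo "key: $key not found; create it with: ssh-keygen -t dsa -f $key" >&2
        return 1
    fi
    chmod 600 "$key"
    echo "key: $key permissions set to 600"

    # If ssh-keygen is available, confirm the key loads with an empty
    # passphrase (-y prints the public half, -P '' supplies the passphrase);
    # a passphrase-protected key cannot be used from cron without ssh-agent.
    if command -v ssh-keygen >/dev/null 2>&1; then
        if ssh-keygen -y -P '' -f "$key" >/dev/null 2>&1; then
            echo "key: loads without a passphrase (suitable for BatchMode)"
        else
            echo "key: cannot be loaded with an empty passphrase; use ssh-agent or a passphrase-less key" >&2
        fi
    fi
}

# Demo against a scratch directory with an empty stand-in for identity2.
demo_dir=$(mktemp -d)
: > "$demo_dir/identity2"
setup_cvs_ssh_config "$demo_dir" identity2 transp.pppl.gov
setup_cvs_ssh_config "$demo_dir" identity2 transp.pppl.gov   # second run adds nothing
cat "$demo_dir/config"
rm -rf "$demo_dir"
```

   To apply it to your own account, call it as
   setup_cvs_ssh_config "$HOME/.ssh" identity2 transp.pppl.gov after
   running the ssh-keygen command from step 2.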
---------------------------------------------------------------------------
old procedure (before Oct 07, 2004)...

1) CVS setup: your environment should include:

     CVSROOT=xshare@transp.pppl.gov:/u/xshare/repos

   For "old type 1 ssh"
   --------------------
     CVS_RSH=/usr/local/bin/ssh

   For "OpenSSH_3.1 type 2 ssh"
   ---------------------------
     CVS_RSH=/usr/ntcc/etc/cvs_ssh

   where /usr/ntcc/etc/cvs_ssh is the wrapper script

     #!/bin/sh
     # pass the per-user config file explicitly, so the Host transp.pppl.gov
     # stanza is honored even where ssh would otherwise read /etc/ssh/ssh_config
     /usr/bin/ssh -F "$HOME/.ssh/config" "$@"

   CVSROOT specifies the repository; CVS_RSH specifies that ssh is to be
   used for connections.

2) Creating an identity:

   As you are likely to need to run cron jobs or other automated processes
   where you are not present to enter a pass-phrase, it is recommended to
   create a second identity for purposes of connecting to the cvs repository
   only, without passphrase protection. Here's how:

   For "old type 1 ssh"
   --------------------
   ** DO NOT USE if you have type 2 ssh available (see next section) **

     cd ~/.ssh
     ssh-keygen -f identity2 -C "for TRANSP cvs access"

   (do NOT enter a pass-phrase. Hit carriage-return when prompted for
   pass-phrase and pass-phrase verification). Here I am calling your second
   identity "identity2". You can, of course, choose a different name.
   For "OpenSSH_3.1 type 2 ssh"
   ---------------------------
     cd ~/.ssh
     ssh-keygen -t dsa -f identity2

   (do NOT enter a pass-phrase. Hit carriage-return when prompted for
   pass-phrase and pass-phrase verification).

3) Having the new identity authorized for cvs repository connections:

   Request that the new identity be added to the xshare@transp.pppl.gov
   ~/.ssh/authorized_keys file. Send an email with a copy of your
   identity2.pub file. Also, please specify the hostnames of the hosts from
   which you would like to connect using cvs. Automatic, password-free
   connections will ONLY be permitted from the hostnames specified.

   As of 15 Oct 1999, send the email to dmccune@pppl.gov or
   ludesche@pppl.gov.

   *************************************************************************
   * Note to xshare maintainer: append the public key to the xshare        *
   * ~/.ssh/authorized_keys file. Insert at the beginning of the line      *
   * the text: from=",,..." as per the instructions                        *
   * provided by the user. We should insist on hostnames being provided,   *
   * since the lack of pass-phrase protection increases our exposure, if   *
   * the identity2 private key is stolen. See "man sshd" for details on    *
   * the format of the authorized_keys file.                               *
   * Note: type 2 keys go into ~/.ssh/authorized_keys2                     *
   *************************************************************************

4) Making identity2 your default identity when connecting to
   transp.pppl.gov:

   If you don't have an ~/.ssh/config file, you'll need to create one. This
   file should contain the following lines:

     Host transp.pppl.gov
       BatchMode yes
       IdentityFile ~/.ssh/identity2

   (assuming "identity2" is the name of your identity chosen for this
   purpose). See "man ssh" for details on the ~/.ssh/config file.

5) Obtaining a host key for transp.pppl.gov:

   For "old type 1 ssh"
   --------------------
     ssh transp.pppl.gov -l xshare ls

   This command will list files in xshare's home directory. If you don't
   already have a host key for transp.pppl.gov, you will get a message like:

     Host key not found from the list of known hosts.
     Are you sure you want to continue connecting (yes/no)?

   Answer "yes". You should then get a listing of xshare's home directory
   without having to provide a password or pass-phrase.

   CAVEAT: "OpenSSH_3.1 type 2 ssh"
   ================================
   You MUST have a valid entry in the $HOME/.ssh/known_hosts file, but
   OpenSSH_3.1 type 2 ssh is not creating one. To get it working do:

   1.   ssh transp.pppl.gov -l xshare ls

        (as described above for type 1); answer "yes" and then Ctrl-C.

   1.A  If this does not work, i.e. you don't get the
        "Are you sure you want to continue connecting (yes/no)?" prompt,
        your ssh uses /etc/ssh/ssh_known_hosts, which probably contains an
        obsolete key for transp.pppl.gov. In this case you can either
        complain to your systems admin or follow 6) and we mail you a host
        key to paste into your known_hosts file.

   1.B  On the other hand, sometimes this is working:

          ssh -F /etc/ssh/ssh_config transp.pppl.gov /bin/ls

   2.   ssh -F $HOME/.ssh/config transp.pppl.gov -l xshare ls

        Note: If you don't specify "ssh -F ", ssh might use
        /etc/ssh/ssh_config.
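   The following is an added example, not part of ssh_enable.doc: a shell
   check for the situation the CAVEAT describes, where the system-wide
   /etc/ssh/ssh_known_hosts carries a stale key and your own known_hosts
   has none. It reports which of the two files names a host and whether
   their keys agree, reading only plain (unhashed) entries of the form
   "host[,alias...] keytype blob". The function names, the sample files
   and the key blobs are constructed for this example; the blobs are not
   real keys. OpenSSH's own ssh-keygen -F hostname -f FILE looks a host up
   in a single file (hashed entries included); this script exists to
   compare the two files side by side.

```sh
#!/bin/sh
# Added example, not part of ssh_enable.doc: report which known_hosts file
# will supply the host key for HOST, and whether the per-user and
# system-wide entries disagree (the stale /etc/ssh/ssh_known_hosts case
# in 1.A above). Only plain, unhashed entries are parsed; the sample
# files and blobs below are constructed, not real keys.

# Print "keytype blob" for each entry in FILE whose name list contains HOST.
host_keys_in() {
    host=$1; file=$2
    [ -r "$file" ] || return 0
    while read -r names ktype blob _rest; do
        case $names in
            ''|'#'*|'|'*) continue ;;   # blank, comment, or hashed entry (skipped)
        esac
        case ",$names," in
            *",$host,"*) echo "$ktype $blob" ;;
        esac
    done < "$file"
}

# Usage: known_hosts_status HOST USER_FILE SYSTEM_FILE
# Prints exactly one word: none, user, system, agree, conflict.
known_hosts_status() {
    host=$1
    user_keys=$(host_keys_in "$host" "$2")
    sys_keys=$(host_keys_in "$host" "$3")
    if [ -z "$user_keys" ] && [ -z "$sys_keys" ]; then
        echo none       # first contact: ssh will ask whether to continue connecting
    elif [ -z "$sys_keys" ]; then
        echo user       # your own known_hosts is the only source of the key
    elif [ -z "$user_keys" ]; then
        echo system     # only the system-wide file speaks; if its key is stale you
                        # never see the "continue connecting" question (case 1.A)
    elif [ "$user_keys" = "$sys_keys" ]; then
        echo agree
    else
        echo conflict   # the two files hold different keys, so one is stale; get the
                        # current key from the server admins (6) before editing either
    fi
}

# Demo with two constructed files: the user file holds a newer key for
# transp.pppl.gov than the system-wide file does.
demo_user=$(mktemp); demo_sys=$(mktemp)
printf 'transp.pppl.gov,transp ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER-NEW\n' > "$demo_user"
printf '# constructed system-wide file\ntransp.pppl.gov ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER-OLD\n' > "$demo_sys"
echo "transp.pppl.gov: $(known_hosts_status transp.pppl.gov "$demo_user" "$demo_sys")"       # conflict
echo "other.example.org: $(known_hosts_status other.example.org "$demo_user" "$demo_sys")"   # none
rm -f "$demo_user" "$demo_sys"
```

   On a real account the call is
   known_hosts_status transp.pppl.gov "$HOME/.ssh/known_hosts" /etc/ssh/ssh_known_hosts;
   a "system" or "conflict" answer is the case where only the admins, or
   the host key mailed to you under 6), can tell you which key is current.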
6) In case of problems:

   Send an email (see address under 3) containing the output of the command

     ssh -v transp.pppl.gov -l xshare ls

   or

     ssh -v -F $HOME/.ssh/config transp.pppl.gov -l xshare ls

   If all is working properly, you should not be prompted for a password or
   pass-phrase, and you should see something like this:

   unix> ssh -v transp.pppl.gov -l xshare ls
   SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
   Standard version.  Does not use RSAREF.
   YOUR_HOST: Reading configuration data /home/your_username/.ssh/config
   YOUR_HOST: Applying options for *
   YOUR_HOST: Applying options for transp.pppl.gov
   YOUR_HOST: ssh_connect: getuid 4541 geteuid 0 anon 0
   YOUR_HOST: Connecting to transp.pppl.gov [192.55.106.119] port 22.
   YOUR_HOST: Allocated local port 1022.
   YOUR_HOST: Connection established.
   YOUR_HOST: Remote protocol version 1.5, remote software version 1.2.27
   YOUR_HOST: Waiting for server public key.
   YOUR_HOST: Received server public key (768 bits) and host key (1024 bits).
   YOUR_HOST: Host 'transp.pppl.gov' is known and matches the host key.
   YOUR_HOST: Initializing random; seed file /home/your_username/.ssh/random_seed
   YOUR_HOST: Encryption type: idea
   YOUR_HOST: Sent encrypted session key.
   YOUR_HOST: Installing crc compensation attack detector.
   YOUR_HOST: Received encrypted confirmation.
   YOUR_HOST: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
   YOUR_HOST: Remote: Rhosts/hosts.equiv authentication refused: client user 'your_username', server user 'xshare', client host 'YOUR_HOST.your.domain'.
   YOUR_HOST: Server refused our rhosts authentication or host key.
   YOUR_HOST: No agent.
   YOUR_HOST: Trying RSA authentication with key 'for transp cvs access'
   YOUR_HOST: Received RSA challenge from server.
   YOUR_HOST: Sending response to host key RSA challenge.
   YOUR_HOST: Remote: RSA authentication accepted.
   YOUR_HOST: RSA authentication accepted by server.
   YOUR_HOST: Requesting compression at level 1.
   YOUR_HOST: Enabling compression at level 1.
   YOUR_HOST: Requesting X11 forwarding with authentication spoofing.
   YOUR_HOST: Sending command: ls
   YOUR_HOST: Entering interactive session.
   PC              bin             bootstrap       codesys         config
   cron.dat        cshlock.daemon  cvstest2        daemon          data
   debug           doug            export          foo.tmp         log
   mail            nohup.out       ntcc            old.rhosts      qshare
   repos           request         restoresymtable result          sigdata
   sigtabl         status          tedi.ini        test            test2
   test3           tmp             transp          work
   YOUR_HOST: Transferred: stdin 0, stdout 247, stderr 0 bytes in 0.7 seconds
   YOUR_HOST: Bytes per second: stdin 0.0, stdout 365.2, stderr 0.0
   YOUR_HOST: Exit status 0
   YOUR_HOST: compress outgoing: raw data 71, compressed 77, factor 1.08
   YOUR_HOST: compress incoming: raw data 258, compressed 183, factor 0.71
   unix>
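   The following is an added example, not part of ssh_enable.doc: a first
   pass over the "ssh -v" output that step 6 asks you to mail in, so the
   obvious failures are recognised before the email goes out. It looks for
   the messages quoted in this document (the SSH-1 style client of the
   transcript above; a current OpenSSH client words these differently) and
   reports whether the host key was verified against known_hosts, whether
   the RSA key was accepted, and whether the remote command exited cleanly.
   The function names are this example's own; the first transcript is an
   excerpt of the one above and the second is a constructed failing run.

```sh
#!/bin/sh
# Added example, not part of ssh_enable.doc: classify an "ssh -v" transcript
# (SSH-1 style messages as quoted in this document) before mailing it in.
# The two transcripts below are an excerpt of the successful run shown
# above and a constructed failing run.

# True if LOG contains the fixed string NEEDLE.
log_has() { printf '%s\n' "$2" | grep -qF -- "$1"; }

# Usage: triage_ssh_verbose < transcript
# Prints "hostkey=... auth=... exit=..." and returns 0 only for a clean run.
triage_ssh_verbose() {
    log=$(cat)
    hostkey=unverified; auth=none; exit_ok=no

    # The known_hosts check precedes authentication; a matched key means the
    # server you reached is the one whose key you recorded earlier.
    log_has "is known and matches the host key" "$log" && hostkey=matched
    # An unknown key means ssh is about to ask "continue connecting"; on a
    # first contact, confirm the key out of band (step 6 offers to mail it)
    # rather than answering yes blindly.
    log_has "Host key not found from the list of known hosts" "$log" && hostkey=unknown

    # The rhosts refusal seen in every transcript is normal; what matters is
    # whether the identity2 RSA key was then accepted.
    log_has "RSA authentication accepted by server" "$log" && auth=rsa-key

    log_has "Exit status 0" "$log" && exit_ok=yes

    echo "hostkey=$hostkey auth=$auth exit=$exit_ok"
    [ "$hostkey" = matched ] && [ "$auth" = rsa-key ] && [ "$exit_ok" = yes ]
}

# Excerpt of the successful transcript shown above.
GOOD_RUN=$(cat <<'EOF'
YOUR_HOST: Connecting to transp.pppl.gov [192.55.106.119] port 22.
YOUR_HOST: Host 'transp.pppl.gov' is known and matches the host key.
YOUR_HOST: Server refused our rhosts authentication or host key.
YOUR_HOST: Trying RSA authentication with key 'for transp cvs access'
YOUR_HOST: RSA authentication accepted by server.
YOUR_HOST: Sending command: ls
YOUR_HOST: Exit status 0
EOF
)

# Constructed failing run: first contact with no known_hosts entry, and no
# RSA key accepted (e.g. IdentityFile points at the wrong file).
BAD_RUN=$(cat <<'EOF'
YOUR_HOST: Connecting to transp.pppl.gov [192.55.106.119] port 22.
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
YOUR_HOST: Server refused our rhosts authentication or host key.
YOUR_HOST: No agent.
EOF
)

printf '%s\n' "$GOOD_RUN" | triage_ssh_verbose && echo "good run: clean"
printf '%s\n' "$BAD_RUN"  | triage_ssh_verbose || echo "bad run: needs attention"
```

   On a live system the input is the command from step 6 itself:
   ssh -v transp.pppl.gov -l xshare ls 2>&1 | triage_ssh_verbose
   (the debugging output goes to stderr, hence the 2>&1).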
THE END