src/java/_INFO-eclipse-cvs-linux.txt
changeset 3881 72f0be16d83b
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/src/java/_INFO-eclipse-cvs-linux.txt	Thu Jan 17 16:27:03 2008 +0100
     1.3 @@ -0,0 +1,207 @@
     1.4 +_INFO-eclipse-cvs-linux.txt
     1.5 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     1.6 +Eclipse + cvs:
     1.7 +RG->WN0401
     1.8 +
     1.9 +How to use passwordless SSH 
    1.10 +by Jonathan Keeling<jmjk2@cam.ac.uk>
    1.11 +
    1.12 +This document explains how to set up ssh to allow you to ssh to other hosts 
    1.13 +without having to type your password, so that ssh can be used for programs such as cvs, 
    1.14 +pvm and mpi which expect to use rsh to log in without passwords. 
    1.15 +
    1.16 +If you are just interested in getting passwordless ssh to work, and do not want 
    1.17 +to read all the details, you only need read the first section. These instructions 
    1.18 +should not compromise your security, but they do not explain how ssh security works. 
    1.19 +
    1.20 +
    1.21 +Table of Contents
    1.22 +1. Setting up passwordless RSA user authentication
    1.23 +1.1. How to do it
    1.24 +1.2. Technical details
    1.25 +1.2.1. Why do you need a passphrase?
    1.26 +1.2.2. Using SSH Agent to manage keys
    1.27 +2. Using .shosts authentication
    1.28 +2.1. How to do it.
    1.29 +3. Further documentation
    1.30 +
    1.31 +1. Setting up passwordless RSA user authentication
    1.32 +
    1.33 +
    1.34 +1.1. How to do it
    1.35 +
    1.36 +
    1.37 + Create your RSA public/private key pair, by running: 
    1.38 + 
    1.39 + 	# bash$ ssh-keygen -tdsa
    1.40 + 
    1.41 + When prompted, agree with its default location for your key, $HOME/.ssh/identity 
    1.42 + and choose a passphrase (do not leave the passphrase blank, it is insecure) when 
    1.43 + asked to. 
    1.44 +
    1.45 +Copy your public key to whichever host(s) you want to log into. 
    1.46 +This means copying the contents of $HOME.ssh/identity.pub/ on the machine where 
    1.47 +you created the key, to $HOME.ssh/authorized_keys/ on the machine you want to log into. 
    1.48 +
    1.49 +	first save old setting on IST~/.ssh:
    1.50 +	# IST> cd ~/.ssh
    1.51 +	# IST> cp id_rsa identity
    1.52 +	then copy the public key to the host:
    1.53 +	# $HOME> scp id_rsa.pub wneuper@pear.ist.intra:.ssh/authorized_keys
    1.54 +	  [[on localhost: scp id_rsa.pub ~/.ssh/authorized_keys]]
    1.55 +
    1.56 +For machines within college, this translates as 
    1.57 +
    1.58 +	bash$ cat .ssh/identity.pub >> .ssh/authorized_keys 
    1.59 +
    1.60 +
    1.61 +You will now want to use 
    1.62 +
    1.63 +	ssh-agent 
    1.64 +
    1.65 +to manage your ssh key. This means you will enter 
    1.66 +your passphrase once, whenever you log in, and will not be prompted again. If you have 
    1.67 +logged in using X (a graphical login), all you need do is 
    1.68 +
    1.69 +	bash$ ssh-add 
    1.70 +	
    1.71 +and it will prompt you to enter your passphrase. 
    1.72 +
    1.73 +
    1.74 +FINISHED, if you want to do the same for each session.
    1.75 +--------------------------------------------------------------------------------------
    1.76 +EXPLANATION:
    1.77 +If you are not using a graphical terminal, you will need to start a process 
    1.78 +under ssh-agent, so it can manage your keys. In most cases, this means 
    1.79 +
    1.80 +	bash$ ssh-agent 
    1.81 +	
    1.82 +bash Which will start a new shell, you then add your key as normal. 
    1.83 +
    1.84 +
    1.85 +You may wish to add a line to your .Xsession file, so that you are prompted 
    1.86 +for your passphrase as soon as you log in. If you add the line 
    1.87 +
    1.88 +
    1.89 +  cat /dev/null | ssh-add
    1.90 +        
    1.91 +
    1.92 + before it starts your window manager, then ssh-askpass should appear and ask you 
    1.93 + your passphrase. 
    1.94 +
    1.95 +If you encounter problems, try bash$ ssh -v HOSTNAME which will print out 
    1.96 +verbose debugging information, allowing you to see exactly where it is failing. 
    1.97 +
    1.98 +
    1.99 +1.2. Technical details
   1.100 +
   1.101 +
   1.102 +1.2.1. Why do you need a passphrase?
   1.103 +
   1.104 +
   1.105 + You can leave the passphrase blank, to avoid ever having to type in 
   1.106 + a password/passphrase. However, because homespace on the nem-net and 
   1.107 + kwok-linux machines is exported via NFS, this can result 
   1.108 + in your private key being sent from the NFS server to the machine you are on 
   1.109 + in plain text. 
   1.110 +
   1.111 +
   1.112 +To avoid this, you must either 
   1.113 +
   1.114 +
   1.115 +Use a passphrase, and either be prompted every time you try to log in, 
   1.116 +or use ssh-agent to manage your key(s). See "Using ssh-agent" Section 1.2.2 
   1.117 +This works by encrypting your private key, using your passphrase, 
   1.118 +so that capturing the encrypted passphrase alone is useless. 
   1.119 +
   1.120 +
   1.121 +Save your private key on the local machine, e.g. in /var/tmp. 
   1.122 +Do this by changing where ssh-keygen saves your private key (when it prompts you), 
   1.123 +and passing this filename as the argument to ssh-add. If you do this, 
   1.124 +you should delete your key when you finish your session, 
   1.125 +and repeat all the steps when you try again. 
   1.126 +This is somewhat tiresome, but may be useful if you ever find yourself using 
   1.127 +a machine which you do not have an account on, but wish to use something like mpi, 
   1.128 +pvm or cvs from, which prefer you to have passwordless remote command invocation. 
   1.129 +
   1.130 +
   1.131 +1.2.2. Using SSH Agent to manage keys
   1.132 +
   1.133 +
   1.134 + ssh-agent exists to manage your keys. Whenever you run ssh, or something 
   1.135 + which uses ssh, such as scp, it will try and establish a connection to ssh-agent, 
   1.136 + by looking at its parent until it either finds ssh-agent or runs out of processes. 
   1.137 + On many systems, when you log in using X, rather than just starting your X session, 
   1.138 + and window manager etc, the login program will start these from within ssh-agent 
   1.139 + for you, and so all you need to do is add the appropriate key. 
   1.140 +
   1.141 +
   1.142 +If you are not using X, you will probably need to start ssh-agent yourself, and then run a shell, or occasionally a program such as screen under ssh-agent. 
   1.143 +
   1.144 +
   1.145 +The ssh-add command tries to add a ssh key to your collection. By default 
   1.146 +it reads $HOME/.ssh/identity, but can be configured. If this key requires a passphrase 
   1.147 +to decode it, it will prompt for it. When run from within X, and if not presented 
   1.148 +with stdin to read the key from, on some systems it may use ssh-askpass 
   1.149 +to produce an X window for you to enter your passphrase in. This can normally be 
   1.150 +acheived by bash$ cat /dev/null | ssh-add 
   1.151 +
   1.152 +
   1.153 +Connections to ssh agent are also forwarded over ssh connections. This means that 
   1.154 +if you log into box B from box A, and then box C from box B, the authentication 
   1.155 +is actually from the keys held by ssh-agent on box A. In practice there is no need 
   1.156 +to know about this, except that once you have entered your passphrase once, 
   1.157 +with ssh-add, you should never need do so again. 
   1.158 +
   1.159 +
   1.160 +2. Using .shosts authentication
   1.161 +
   1.162 +
   1.163 +
   1.164 +Warning
   1.165 +
   1.166 +
   1.167 +
   1.168 + This method is less secure than RSA user authentication, but is still more secure 
   1.169 + than rsh. It is also a convenient way to set up passwordless ssh, but some machines 
   1.170 + may be configured not to allow .shosts authentication, whereas nearly all machines 
   1.171 + will allow RSA User Authentication. 
   1.172 +
   1.173 +
   1.174 +
   1.175 +2.1. How to do it.
   1.176 +
   1.177 +
   1.178 +
   1.179 +
   1.180 + Create a .shosts file on the machine you want to log into (in your home directory, with permissions 644. This file should contain a list of hosts from which you want to be able to log in. 
   1.181 +
   1.182 +
   1.183 +You must then ensure that both machines have the correct host key for each other. This is achieved by logging in from each one to the other, using ssh, and using the fully qualified host name. i.e. bash$ ssh zeus.jesus.cam.ac.uk, not just bash$ ssh zeus 
   1.184 +
   1.185 +
   1.186 +3. Further documentation
   1.187 +
   1.188 +
   1.189 + The following links explain details of how ssh works, and how to use it securely. 
   1.190 +
   1.191 +
   1.192 +
   1.193 +
   1.194 +The README file for SSH 
   1.195 +
   1.196 +
   1.197 +Unix Support's SSH CD Page 
   1.198 +
   1.199 +
   1.200 +Relevant manual pages include ssh(1), ssh-add(1) and ssh-agent(1). 
   1.201 +
   1.202 +
   1.203 +These pages are maintained by JCN. This file was last modified on 23/05/03. 
   1.204 +Copyright ? JCN, 1998-2003.
   1.205 +
   1.206 +
   1.207 + 
   1.208 +
   1.209 +
   1.210 + 
   1.211 \ No newline at end of file
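Review bot: The key-generation step in section 1.1 contradicts itself: the text says to create an RSA key pair and accept the default location $HOME/.ssh/identity, but the command shown is "ssh-keygen -tdsa", which asks for a DSA key, and the copy steps that follow refer to both id_rsa.pub and identity.pub. Pick one key type and use the same file names in every step. The line "scp id_rsa.pub wneuper@pear.ist.intra:.ssh/authorized_keys" replaces whatever authorized_keys already exists on the host; suggest appending instead, as the "cat .ssh/identity.pub >> .ssh/authorized_keys" line a few lines later does. The preceding "cp id_rsa identity" copies the private key with no explanation of why a second copy is needed; either drop it or say what it is for. Smaller points: "$HOME.ssh/identity.pub/" and "$HOME.ssh/authorized_keys/" are missing the slash after $HOME and carry a stray trailing one; section 1.2.1 says "capturing the encrypted passphrase alone is useless" where the encrypted private key is meant; the parenthesis opened in 2.1 ("in your home directory, with permissions 644") is never closed; "acheived" in 1.2.2 should be "achieved"; "Copyright ? JCN" has lost its copyright sign; and the file ends in several blank lines with no final newline.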