userdoc:ssh_access
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
userdoc:ssh_access [2014-06-12 18:26] korgadmin created |
userdoc:ssh_access [2020-05-08 13:58] (current) mricon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ~~REDIRECT>https://korg.docs.kernel.org/access.html~~ | ||
| + | |||
| ====== How to set up your ssh access ====== | ====== How to set up your ssh access ====== | ||
| - | You should have received a tarball containing the SSH private key to use for accessing your kernel.org account. Place that private key into your ''~/.ssh'' directory, e.g.: | + | Setting up your ssh access will depend on whether you're using your PGP Auth subkey for ssh purposes or if you were issued a private key from kernel.org. |
| - | cp korg-username ~/.ssh/id_rsa_korg | + | ===== If you received a ssh private key from kernel.org ===== |
| - | You can change the key passphrase using ''ssh-keygen -p''. **ALWAYS KEEP YOUR SSH KEY PROTECTED WITH A PASSPHRASE!** | + | Follow this procedure if you received an encrypted tarball containing the SSH private key to use for accessing your kernel.org account. Place that private key into your ''~/.ssh'' directory, e.g.: |
| - | ===== SSH client configuration ===== | + | cp korg-username ~/.ssh/id_korg |
| - | Your kernel.org account grants you access to two systems: | + | You can change the automatically generated key passphrase using ''ssh-keygen -p''. |
| - | + | ||
| - | * **gitolite.kernel.org**: for accessing your git trees (see [[userdoc:gitolite]]) | + | |
| - | * **kup.kernel.org**: for uploading tarball releases (see [[userdoc:kup]]) | + | |
| - | + | ||
| - | ^ Hostname ^ Key ^ Fingerprint ^ | + | |
| - | ^ gitolite.kernel.org | RSA | ''b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b'' | | + | |
| - | | | DSA | ''f7:ec:e1:24:17:2b:33:69:46:69:f1:41:99:1e:a8:90'' | | + | |
| - | ^ kup.kernel.org | RSA | ''9f:ab:65:9c:fd:4e:40:38:87:ba:c6:0c:b1:a8:95:fb'' | | + | |
| - | | | DSA | ''99:a3:9b:fc:78:c5:44:6b:3d:7d:4b:98:cc:60:31:06'' | | + | |
| + | **ALWAYS KEEP YOUR SSH KEY PROTECTED WITH A PASSPHRASE!** | ||
| Add the following entries into your .ssh/config: | Add the following entries into your .ssh/config: | ||
| Line 25: | Line 19: | ||
| Host gitolite.kernel.org | Host gitolite.kernel.org | ||
| User git | User git | ||
| - | IdentityFile ~/.ssh/id_rsa_korg | + | IdentityFile ~/.ssh/id_korg |
| IdentitiesOnly yes | IdentitiesOnly yes | ||
| + | ClearAllForwardings yes | ||
| + | # We prefer ed25519 keys, but will fall back to others if your | ||
| + | # openssh client does not support that | ||
| + | HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa | ||
| + | # Below are very useful for speeding up repeat access | ||
| + | # and for 2-factor validating your sessions | ||
| + | ControlPath ~/.ssh/cm-%r@%h:%p | ||
| + | ControlMaster auto | ||
| + | ControlPersist 30m | ||
| + | # Helps behind some NAT-ing routers | ||
| + | ServerAliveInterval 60 | ||
| + | |||
| + | ===== If we used your PGP Authentication subkey ===== | ||
| + | |||
| + | If we found an Authentication (**[A]**) subkey on your PGP key, then we have set up your access to use that key, instead of creating new ssh private keys. This is what you need to do to configure your ssh client to use that subkey: | ||
| + | |||
| + | First, add the following to your ~/.gnupg/gpg-agent.conf: | ||
| + | |||
| + | enable-ssh-support | ||
| | | ||
| - | Host kup.kernel.org | + | Then, add this to your .bashrc: |
| - | User [username] | + | |
| - | IdentityFile ~/.ssh/id_rsa_korg | + | export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) |
| - | IdentitiesOnly yes | + | |
| + | You will need to kill the existing gpg-agent process and start a new login session for the changes to take effect: | ||
| + | |||
| + | $ killall gpg-agent | ||
| + | $ bash | ||
| + | $ ssh-add -L | ||
| + | |||
| + | The very first entry in the output should be the ssh public key derived from your PGP Auth subkey -- it should have "''cardno:XXXXXXXX''" at the end in the comment section. | ||
| + | |||
| + | Now add this to your .ssh/config: | ||
| + | |||
| + | Host gitolite.kernel.org | ||
| + | User git | ||
| + | ClearAllForwardings yes | ||
| + | # We prefer ed25519 keys, but will fall back to others if your | ||
| + | # openssh client does not support that | ||
| + | HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa | ||
| + | # Below are very useful for speeding up repeat access | ||
| + | # and for 2-factor validating your sessions | ||
| + | ControlPath ~/.ssh/cm-%r@%h:%p | ||
| + | ControlMaster auto | ||
| + | ControlPersist 30m | ||
| + | # Helps behind some NAT-ing routers | ||
| + | ServerAliveInterval 60 | ||
| + | |||
| + | ===== SSH host fingerprints ===== | ||
| + | |||
| + | Your kernel.org account grants you access to gitolite.kernel.org, which you will use both for accessing your git trees (see [[userdoc:gitolite]]) and for uploading tarball releases (see [[userdoc:kup]]). | ||
| + | |||
| + | ^ Key ^ MD5 Fingerprint ^ | ||
| + | ^ RSA | ''MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b'' | | ||
| + | ^ ECDSA | ''MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47'' | | ||
| + | ^ ED25519 | ''MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c'' | | ||
| + | |||
| + | ^ Key ^ SHA256 Fingerprint ^ | ||
| + | ^ RSA | ''SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g'' | | ||
| + | ^ ECDSA | ''SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo'' | | ||
| + | ^ ED25519 | ''SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M'' | | ||
| + | |||
| + | Here they are in a PGP-signed file you can download: | ||
| + | |||
| + | <file txt fingerprints.txt.asc> | ||
| + | -----BEGIN PGP SIGNED MESSAGE----- | ||
| + | Hash: SHA256 | ||
| + | |||
| + | # ssh-keygen -E sha256 -lf <(ssh-keyscan gitolite.kernel.org) | ||
| + | 2048 SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g gitolite.kernel.org (RSA) | ||
| + | 256 SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo gitolite.kernel.org (ECDSA) | ||
| + | 256 SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M gitolite.kernel.org (ED25519) | ||
| + | |||
| + | # ssh-keygen -E md5 -lf <(ssh-keyscan gitolite.kernel.org) | ||
| + | 2048 MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b gitolite.kernel.org (RSA) | ||
| + | 256 MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47 gitolite.kernel.org (ECDSA) | ||
| + | 256 MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c gitolite.kernel.org (ED25519) | ||
| + | -----BEGIN PGP SIGNATURE----- | ||
| + | Version: GnuPG v2 | ||
| + | iQIcBAEBCAAGBQJZEg1UAAoJEDS6uAr58ke44k0QAKQ2mdfN9aebDBmt4BpBcIHo | ||
| + | DFZ8CN9/NTzJz7ZuYuwkgeWj1Ah1wWEb36q7UojA5Iq7BxLjP1jpZZlRSaQnyTXV | ||
| + | 87/7DUcEshS3wasRatCJ+GhBtQ2WJAblVHs2BVpPffJT+KhwSM0vzhnME41ppWtJ | ||
| + | poZ/8UO1qlPZKjUutFeS7ogDC5te5BTEDAQuQLMUMgi1rzRYJvdIeIymgr0Hk4IA | ||
| + | 8Ss+7sH0vj5p0hd2tNS+FpGXQORnKb4VYWupsG7tJfVRloEBKFly8oOPGGR/nHxg | ||
| + | vWJQl2Nc+05Vf5ey0bKWBlWyhFuuPlxFMPdCPQCKQMrAhTTAbtYAk71kmaxJQH0P | ||
| + | QeE8u/qLS4GYaSktPhjh+vYFNlwqPQ3WDwye3mXZN35eUTXgQX0beJBEBWGLdQsH | ||
| + | UpBUnTB5U0mzA4uNCOh1yfqaGjwdFru/c2ivA6e59SRoijjJOSL2+PLw/pHXbCSQ | ||
| + | AIGo7ysfF4V2EDZ6A234NYaI1PTGPt+hLRBxkzOONUjxiIoDAuRcrTHFz9oAtnvA | ||
| + | Xy1CAxTLXpgeCjJEN2s0EQgrEFeB/GDOfWBq/Z3itGBo1UD5HvOuYAay/tLgVzur | ||
| + | 0/TTefeni1uFvl9kU3zsNiqm9YI2IaKPa4SMTmjEZSPlaTuuxApw5G1EBmCXexHS | ||
| + | YjQNG2ORVjiVyvdddWT9 | ||
| + | =Njcj | ||
| + | -----END PGP SIGNATURE----- | ||
| + | </file> | ||
userdoc/ssh_access.1402597619.txt.gz · Last modified: 2014-06-12 18:26 by korgadmin
Page Tools
