userdoc:ssh_access

Differences

This shows you the differences between two versions of the page.

userdoc:ssh_access [2017-05-11 16:49]
mricon
userdoc:ssh_access [2020-05-08 13:58] (current)
mricon
Line 1: Line 1:
 +~~REDIRECT>​https://​korg.docs.kernel.org/​access.html~~
 +
 ====== How to set up your ssh access ====== ====== How to set up your ssh access ======
  
-You should have received ​tarball containing the SSH private key to use for accessing your kernel.org ​account. Place that private key into your ''​~/​.ssh''​ directory, e.g.:+Setting up your ssh access will depend on whether you're using your PGP Auth subkey for ssh purposes or if you were issued ​a private key from kernel.org. ​
  
-  cp korg-username ~/.ssh/id_korg+===== If you received a ssh private key from kernel.org =====
  
-You can change ​the key passphrase using ''​ssh-keygen -p''​. ​**ALWAYS KEEP YOUR SSH KEY PROTECTED WITH A PASSPHRASE!**+Follow this procedure if you received an encrypted tarball containing ​the SSH private ​key to use for accessing your kernel.org account. Place that private key into your ''​~/.ssh'' ​directory, e.g.:
  
-===== SSH client configuration =====+  cp korg-username ~/​.ssh/​id_korg
  
-Your kernel.org account grants you access to gitolite.kernel.org,​ which you will use both  for accessing your git trees (see [[userdoc:​gitolite]]) and for uploading tarball releases (see [[userdoc:​kup]]). +You can change the automatically generated key passphrase using ''​ssh-keygen -p''​
- +
-^ Key     ^ MD5 Fingerprint ​                                        ^ +
-^ RSA     ​| ​''​MD5:​b1:​33:​44:​9d:​3f:​77:​59:​14:​f8:​05:​d7:​33:​5d:​b1:​40:​7b'' ​+
-^ ECDSA   | ''​MD5:​7c:​a6:​a2:​e0:​96:​5f:​e2:​9a:​9b:​53:​b6:​41:​29:​66:​f8:​47''​ | +
-^ ED25519 | ''​MD5:​30:​f1:​e6:​8f:​ff:​76:​45:​e7:​5b:​45:​b0:​bd:​bd:​ca:​14:​9c''​ | +
- +
-^ Key     ^ SHA256 Fingerprint ​                                    ^ +
-^ RSA     | ''​SHA256:​S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g''​ | +
-^ ECDSA   | ''​SHA256:​n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo''​ | +
-^ ED25519 | ''​SHA256:​KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M''​ |+
  
 +**ALWAYS KEEP YOUR SSH KEY PROTECTED WITH A PASSPHRASE!**
  
 Add the following entries into your .ssh/​config:​ Add the following entries into your .ssh/​config:​
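Review bot: The new "ssh-keygen -p" sentence does not name the key file, so the command will prompt for a path and offer the client's default identity file rather than the ~/.ssh/id_korg copied two lines earlier; suggest "ssh-keygen -p -f ~/.ssh/id_korg". The sentence has also lost its closing period. Because the passphrase is now described as automatically generated, consider wording this as something the user should do rather than can do, and add "chmod 600 ~/.ssh/id_korg" after the cp line so the ssh client does not refuse the key if the extracted file is group- or world-readable. This hunk also moves the host fingerprint tables out from above the client configuration, so it is worth pointing to the relocated section before the first connection is made.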
Line 37: Line 30:
     ControlMaster auto     ControlMaster auto
     ControlPersist 30m     ControlPersist 30m
 +    # Helps behind some NAT-ing routers
 +    ServerAliveInterval 60
 +
 +===== If we used your PGP Authentication subkey =====
 +
 +If we found an Authentication (**[A]**) subkey on your PGP key, then we have set up your access to use that key, instead of creating new ssh private keys. This is what you need to do to configure your ssh client to use that subkey:
 +
 +First, add the following to your ~/​.gnupg/​gpg-agent.conf:​
 +
 +  enable-ssh-support
 +  ​
 +Then, add this to your .bashrc:
 +
 +  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
 +
 +You will need to kill the existing gpg-agent process and start a new login session for the changes to take effect:
 +
 +  $ killall gpg-agent
 +  $ bash
 +  $ ssh-add -L
 +  ​
 +The very first entry in the output should be the ssh public key derived from your PGP Auth subkey -- it should have "''​cardno:​XXXXXXXX''"​ at the end in the comment section.
 +
 +Now add this to your .ssh/​config:​
 +
 +  Host gitolite.kernel.org
 +    User git
 +    ClearAllForwardings yes
 +    # We prefer ed25519 keys, but will fall back to others if your
 +    # openssh client does not support that
 +    HostKeyAlgorithms ssh-ed25519,​ecdsa-sha2-nistp256,​ssh-rsa
 +    # Below are very useful for speeding up repeat access
 +    # and for 2-factor validating your sessions
 +    ControlPath ~/​.ssh/​cm-%r@%h:​%p
 +    ControlMaster auto
 +    ControlPersist 30m
 +    # Helps behind some NAT-ing routers
 +    ServerAliveInterval 60
 +
 +===== SSH host fingerprints =====
 +
 +Your kernel.org account grants you access to gitolite.kernel.org,​ which you will use both  for accessing your git trees (see [[userdoc:​gitolite]]) and for uploading tarball releases (see [[userdoc:​kup]]).
 +
 +^ Key     ^ MD5 Fingerprint ​                                        ^
 +^ RSA     | ''​MD5:​b1:​33:​44:​9d:​3f:​77:​59:​14:​f8:​05:​d7:​33:​5d:​b1:​40:​7b''​ |
 +^ ECDSA   | ''​MD5:​7c:​a6:​a2:​e0:​96:​5f:​e2:​9a:​9b:​53:​b6:​41:​29:​66:​f8:​47''​ |
 +^ ED25519 | ''​MD5:​30:​f1:​e6:​8f:​ff:​76:​45:​e7:​5b:​45:​b0:​bd:​bd:​ca:​14:​9c''​ |
 +
 +^ Key     ^ SHA256 Fingerprint ​                                    ^
 +^ RSA     | ''​SHA256:​S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g''​ |
 +^ ECDSA   | ''​SHA256:​n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo''​ |
 +^ ED25519 | ''​SHA256:​KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M''​ |
  
-===== Signed host fingerprints =====+Here they are in a PGP-signed file you can download:
  
 <file txt fingerprints.txt.asc>​ <file txt fingerprints.txt.asc>​
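Review bot: The "cardno:XXXXXXXX" check in the new PGP subkey section only holds when the Authentication subkey lives on a smartcard; a subkey kept in the on-disk keyring typically shows up in "ssh-add -L" only after its keygrip is listed in ~/.gnupg/sshcontrol, and its comment carries no card number. Suggest either stating that a card is assumed or documenting the on-disk case. Two smaller points: "killall gpg-agent" could be "gpgconf --kill gpg-agent", which matches the gpgconf call already used for SSH_AUTH_SOCK and does not touch other users' agents on a shared host; and the "ssh-rsa" fallback in HostKeyAlgorithms is the SHA-1 signature variant, so "rsa-sha2-512,rsa-sha2-256" would be a better RSA fallback for clients that support it. The sentence that replaces the "Signed host fingerprints" heading should also say which key signs fingerprints.txt.asc and that the signature is to be verified before the fingerprints are trusted.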
userdoc/ssh_access.1494521390.txt.gz · Last modified: 2017-05-11 16:49 by mricon