Development/Basic SSH Configuration
From Mandriva Community Wiki
Follow these instructions, including modifying the SSH config and setting up an agent: Mandriva build tools currently expect that you can log in to kenobi and access svn without entering a password interactively or specifying your user name.
Creating an SSH key
The first thing you need to do is create an RSA SSH authentication key by running the ssh-keygen command (install the openssh package if it isn't already installed). Running ssh-keygen generates two files:
- ~/.ssh/id_rsa, which contains the protocol version 2 RSA authentication identity of the user.
- ~/.ssh/id_rsa.pub, which contains the protocol version 2 RSA public key for authentication (this is the file you should attach to the ticket you open at Mandriva's bugzilla when you apply for a maintainer's account).
When generating an SSH key you'll be asked whether you want to use a passphrase; doing so is preferable. Be aware that there's no way to recover a lost passphrase, so choose one that is both strong and easy for you to remember.
The ~/.ssh/id_rsa file must not be readable by other users; ssh ignores the key if this condition isn't satisfied.
For more information check the man page of ssh-keygen.
How it works
After you create an ssh key and your maintainer's account is set up on the build cluster, you can use ssh to access any of the build hosts.
Typically there should be an ssh-agent running. ssh-agent is a program to hold private keys used for public key authentication. It's started at login.
If you're running GNOME
In GNOME ssh keys are handled by gnome-keyring, which is installed by default.
If you're running KDE4
The easiest way is to install the keychain package. Then create ~/.keychain and open a terminal; you'll be asked for your SSH key passphrase. You only need to enter the passphrase once, because after the first time your SSH key is added to the running ssh-agent. (This survives logging out and back in, but not a reboot.)
Editing ~/.ssh/config and SSH agent forwarding
Now, to complete the process, you need to edit ~/.ssh/config on your local machine with any text editor (create it if it doesn't exist), and add the following to it:
Host kenobi kenobi.mandriva.com
    HostName kenobi.mandriva.com
    ForwardAgent yes
    User <the user name of your cluster account>
Host svn.mandriva.com
    User <the user name of your cluster account>
then save the file.
ForwardAgent yes enables SSH agent forwarding. From the ssh_config man page:
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
If you don't want to use agent forwarding, another solution is to create an SSH key pair on the cluster and ask an admin to have it added to your authorized_keys file.
Now to start an ssh session use the following command: ssh kenobi
Once you're logged in to kenobi you can access any of the build nodes, e.g. ssh n5, and from there any other build node, e.g. ssh celeste
How to access a build node directly
To make things faster, instead of logging in to kenobi first then to one of the build nodes you can use one of the following methods:
- Use a command like this (replace klodia with any other build node):
    ssh kenobi -t ssh klodia
- Edit ~/.ssh/config and add the following to it:
Host n2 n3 n4 n7 n8 n9 n10
    ProxyCommand ssh -qax kenobi.mandriva.com /usr/bin/nc %h %p
    ForwardAgent yes
    User <the user name of your cluster account>
After that you can use e.g.:
- ssh n3
- ssh n9
to log in directly to the build node you want.
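An added example, not part of the original wiki page: a small shell audit of the two things this setup depends on, the permissions on the private key file and which Host blocks in ~/.ssh/config enable ForwardAgent. The function names are hypothetical, and only plain Host blocks are parsed (Match and Include are not handled).

```shell
#!/bin/sh
# Added example (not from the wiki): audit an ssh config and a private key.

# Print the Host patterns of every block that enables agent forwarding.
# Options placed before the first Host line apply to all hosts, hence "*".
forwardagent_hosts() {
    awk '
        BEGIN { hosts = "*" }
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }  # accept "Key=value"
        key == "host" { $1 = ""; sub(/^ +/, ""); hosts = $0; next }
        key == "forwardagent" && tolower($2) == "yes" { print hosts }
    ' "$1"
}

# Succeed only when the key file grants nothing to group or others;
# returns 2 if the file does not exist.
key_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Report both findings; returns non-zero if the key is missing or too open.
audit_ssh_setup() {   # $1 = ssh config file, $2 = private key file
    forwardagent_hosts "$1" | while IFS= read -r h; do
        echo "agent forwarded to: $h"
        echo "  anyone who can bypass file permissions there can use your agent"
    done
    if key_is_private "$2"; then
        echo "$2: permissions OK"
    else
        echo "$2: missing or accessible to other users (chmod 600 fixes the latter)"
        return 1
    fi
}

# Run the audit only when called with both paths.
if [ "$#" -eq 2 ]; then
    audit_ssh_setup "$1" "$2"
fi
```

Saved under a name of your choice (audit.sh here is an assumption), it is run as: sh audit.sh ~/.ssh/config ~/.ssh/id_rsa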

