Bazaar

Merge lp:~adam-delvecchio/bzr/662448-sshkey-doc into lp:bzr

  1. 662448-sshkey-doc
  2. Merge into bzr.dev
Proposed by Adam Del Vecchio
Status: Work in progress
Proposed branch: lp:~adam-delvecchio/bzr/662448-sshkey-doc
Merge into: lp:bzr
Diff against target: 113 lines (+109/-0)
1 file modified
doc/en/user-guide/ssh_keys.txt (+109/-0)
To merge this branch: bzr merge lp:~adam-delvecchio/bzr/662448-sshkey-doc
Reviewer Review Type Date Requested Status
Martin Pool Needs Fixing
Review via email: mp+38682@code.launchpad.net

Description of the change

Fixed bug #662448

To post a comment you must log in.
Revision history for this message
Martin Pool (mbp) wrote :

Thanks!

The ReST markup is a bit wrong: in the wiki the headings have bars next to them whereas in rest they need an underline of the same length as the heading. Example terminal output or files should have a :: on the preceding line; inline examples should be in ``double backticks``. See http://docutils.sourceforge.net/docs/user/rst/quickref.html

Perhaps there are a few more points to make in the introduction:

 * you can authenticate over ssh by a key pair or by a password (or potentially by other mechanisms); the server chooses what it will accept
 * an ssh key is an assymetric key: there is a 'public' part you put on the server and a private part you keep

I think that using a master connection, while really useful to document, is not normally what people want and describing it first may cause counfusion?

+
+In some cases, ssh may refuse to work if your public key is in your ~/.ssh directory.
+
+ mv ~/.ssh/id_rsa.pub ~/id_rsa.pub
+should fix the problem.

I guess that's on the wiki page but I can't imagine why it would work and it seems like a kind of random suggestion.

s/exxe/exe

review: Needs Fixing
Reply
Revision history for this message
Martin Pool (mbp) wrote :

oh, also this probably needs to be mentioned in 'index.txt' to be included within the manual

Reply
Revision history for this message
Adam Del Vecchio (adam-delvecchio) wrote :

I will fix and re-commit :)

Also, as to the random suggestion, it works (in my experience), merely because on some servers (I've seen it at least twice), ssh doesn't like the public key in the same directory as the private key. Its mentioned a few times in various mailing lists and documents around the web, I believe :)

Reply
Revision history for this message
Martin Pool (mbp) wrote :

Hi, I just wanted to check this wasn't blocked on anything. If you'd like me to finish it off, just let me know.

Reply
Revision history for this message
Vincent Ladeuil (vila) wrote :

@Adam: Do you need help here (just say so :) ?

Also, I think we need you to execute the Canonical's Contributor Agreement: <http://www.canonical.com/contributors>.

Reply

Unmerged revisions

5505. By Adam Del Vecchio

Fixed bug #662448, added an ssh_keys help document

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'doc/en/user-guide/ssh_keys.txt'
2--- doc/en/user-guide/ssh_keys.txt 1970-01-01 00:00:00 +0000
3+++ doc/en/user-guide/ssh_keys.txt 2010-10-18 02:54:42 +0000
4@@ -0,0 +1,109 @@
5+bzr with SSH keys
6+=================
7+
8+It is commonly wanted to prevent the need to enter a password for Bazaar
9+commands when using bzr+ssh:// or sftp:// transports. On Unix (and derivatives),
10+bzr has the ability to use the same settings as the installed 'ssh' client. Thus,
11+using bzr+ssh:// or sftp:// transports to access a remote branch follows the same
12+procedure as for setting up authorization for a shell login.
13+
14+There are 2 ways to configure SSH to not use a password.
15+|* 1. Use a master connection, preventing the need for a password after an initial ssh
16+session has been created.
17+|* 2. Authenticating with a public/private key pair.
18+
19+Unix, Linux, and OS X
20+------
21+
22+--Using a Master Connection--
23+
24+Before you can use a master connection you will need to configure your client so that it knows how to communicate with the master connection. This is done by specifying the path to a socket that will be used for communication purposes. Add the following lines to the ~/.ssh/config file (or create the file if it does not exist):
25+
26+ # Where to find the control path, if we have one
27+ Host *
28+ ControlPath ~/.ssh/master-%r@%h:%p
29+
30+You can then open a master connection to the server using the -M option:
31+
32+
33+ ssh -M user@host.com
34+As long as this master connection is not closed (i.e you do not exit the shell) you will be able to login to the machine without a password. It is also possible to configure ssh such that it always opens a master connection if there isn't already one open. This means you do not even need to pass the -M option to ssh. To do this add the following option to ~/.ssh/config:
35+
36+
37+ ControlMaster auto
38+
39+--Using public/private key pairs--
40+
41+---Generating a key---
42+If you have not previously generated a public/private key pair, you can use 'ssh-keygen' to do so for the first time.
43+
44+ $ ssh-keygen -t rsa
45+ Generating public/private rsa key pair.
46+ Enter file in which to save the key (/home/example/.ssh/id_rsa):
47+ Enter passphrase (empty for no passphrase):
48+ Enter same passphrase again:
49+ Your identification has been saved in /home/example/.ssh/id_rsa.
50+ Your public key has been saved in /home/example/.ssh/id_rsa.pub.
51+ The key fingerprint is:
52+ 49:c7:90:63:82:34:be:94:d5:ce:c9:ec:15:e7:06:c8 example@localhost
53+
54+Your public/private keypair is now generated. Your private key should not be distributed.
55+We will use your public key to prove your identity.
56+
57+---Uploading your public key---
58+If the ssh-copy-id command is installed then using that is the easiest way to upload your key to the server. You just need to enter:
59+
60+
61+ ssh-copy-id user@example.com
62+If this command is not installed then you can also upload the key manually:
63+
64+Log into the host containing the remote branch.
65+On the remote host, edit the file ~/.ssh/authorized_keys.
66+Each line of this file contains the public half of the public/private key pair which is authorized to log in.
67+Use a text editor to copy the contents of your local /home/example/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file on the remote server. Ensure that there are no line breaks, the key must all be on a single line. Save the file.
68+Test that your client is now authorized by logging in again via ssh to the account. Assuming that works, you should now be able to use bzr+ssh:// and sftp:// to access branches on the remote host without requiring a password.
69+
70+Thats it!
71+
72+---Troubleshooting---
73+
74+In some cases, ssh may refuse to work if your public key is in your ~/.ssh directory.
75+
76+ mv ~/.ssh/id_rsa.pub ~/id_rsa.pub
77+should fix the problem.
78+
79+Windows
80+-------
81+
82+Like Unix, on Windows in order to avoid having to enter a password with the bzr+ssh:// and sftp:// transports you must create a public/private key pair and add it to the authorized_keys file on the remote server.
83+
84+However, configuring bzr to find and use the correct key pair can be done in different ways, and may be slightly more complicated than on Unix. The following instructions assume that you used the standalone Windows installer, not the Python-based installer.
85+
86+--Using the Unix way--
87+On many Windows systems you can use a method analogous to what is described above for Unix systems. To generate the key pair, either use the ssh-keygen tool from a nearby Unix machine or install Cygwin on your Windows machine to provide ssh-keygen locally.
88+
89+Edit the ~/.ssh/authorized_keys file on the server just as described for Unix. Then add the id_rsa file to your Windows account the same way as is done in Unix, by:
90+
91+locate your home directory (something like C:\Documents and Settings\<username> on Windows XP and below, or C:\Users\<username>\ on Windows Vista and higher, and is usually pointed out by the environment variables %HOMEDRIVE%\%HOMEPATH% or %USERPROFILE%)
92+if needed, create a ".ssh" sub-directory in the home directory (Windows Explorer may complain about names starting with ".", use a command prompt instead [mkdir "C:\Users\<username>\.ssh"] or [mkdir "C:\Documents and Settings\<username>\.ssh"])
93+add the private key file id_rsa to the .ssh directory
94+All done!
95+
96+--Using Puttygen and Pageant--
97+If for some reason the above does not work for you, Bzr is capable of using pageant to be provided with the public/private key pair.
98+
99+Putty.exxe and pageant.exe can be downloaded from [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html].
100+
101+Run puttygen.exe. Push "Generate" and follow the instructions. Select "Save public key" and save the key to a file, and do the same for "Save private key".
102+
103+Run pageant.exe. This will create an icon in the system tray of a computer with a hat (?) on it. Click on that icon. This will open a window titled "Pageant Key List". Select "Add Key". It will then prompt you for a private key file, which should be the key you generated and saved in the previous step.
104+
105+Now log in to the remote host.
106+
107+On the remote host, edit the file ~/.ssh/authorized_keys. Each line of this file contains the public key half of the key pair which is authorized to log in.
108+
109+Use a text editor to copy the contents of the public key you just generated (which can be copy-and-pasted from puttygen, or from the contents of the public key file you saved) to the ~/.ssh/authorized_keys file on the remote server. Ensure that there are no line breaks, the key must all be on a single line. Save the file.
110+
111+Test that your client is now authorized by logging in again via ssh (using PuTTY) to the account. Assuming that works, you should now be able to use bzr+ssh:// and sftp:// to access branches on the remote host without requiring a password.
112+
113+