





ssh guidelines

ssh offers a secure means of interacting with sourceforge services (e.g., providing a secure channel for CVS operations). it is recommended that you read through the ssh documentation available on the sourceforge project site and that you have a good working knowledge of ssh concepts.

what follows is a brief description of how ssh can be configured for use with CVS operations. it is intended merely as an example to help you get started - it is up to you to read ssh documentation for your implementation for a more complete understanding. this example assumes the bash shell along with the client installation of OpenSSH.

creating a sourceforge identity

ssh supports a variety of authentication mechanisms though the most commonly supported are password and public key based methods. the simplest password based scheme is to use the native password authentication mechanism on the remote host (in our case the account on the CVS server). generally speaking, however, the public key mechanism is considered more secure and flexible and is relatively straightforward to implement.

the first step to implementing the public key mechanism is to generate an identity. an identity is a public/private key pair that binds your local account with your sourceforge developer account. you can generate an identity using the sourceforge instructions. for our example the following command creates an RSA key pair identity:

ssh-keygen -t rsa -f rapple -C"sourceforge rapple identity"

using the -f option as above generates the private key "rapple" along with the corresponding public key "rapple.pub". both keys can be stored in your "~/.ssh" directory which should have perms "700". in general the private key, which should be passphrase protected and should never be revealed to anyone, should be protected with perms "600" and the public key, which can be distributed to anyone, with perms "644". most ssh implementations are very picky about file permissions and will not authenticate if you fail to protect your keys adequately.
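
the following script is an added example, not part of the original page: it audits an identity against the permissions recommended above (700 for the directory, 600 for the private key, 644 for the public key). it assumes GNU stat ("stat -c"), and the function names are hypothetical.

```shell
#!/bin/sh
# added example: audit an ssh identity against the recommended permissions.
# assumption: GNU coreutils stat; on BSD/macOS use `stat -f %Lp` instead.

# mode_of PATH -> prints the octal permission bits, e.g. 600
mode_of() {
    stat -c '%a' "$1"
}

# check_mode PATH EXPECTED -> prints one finding line, returns 1 on a problem
check_mode() {
    local path=$1 expected=$2 actual
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    actual=$(mode_of "$path")
    if [ "$actual" != "$expected" ]; then
        echo "BAD      $path is $actual, expected $expected"
        return 1
    fi
    echo "OK       $path ($actual)"
}

# audit_identity SSH_DIR KEY_NAME -> exit status is the number of findings
audit_identity() {
    local dir=$1 key=$2 findings=0
    check_mode "$dir" 700          || findings=$((findings + 1))
    check_mode "$dir/$key" 600     || findings=$((findings + 1))
    check_mode "$dir/$key.pub" 644 || findings=$((findings + 1))
    return "$findings"
}

# run stand-alone as: sh audit.sh ~/.ssh rapple
if [ "$#" -eq 2 ]; then
    audit_identity "$1" "$2"
fi
```

an exit status of 0 means all three paths match; anything reported as BAD can be corrected with "chmod" before you try to authenticate.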

as a general rule it is a good idea to maintain multiple identities for added security (e.g., the above identity should be used exclusively for your sourceforge activities). additional identities are created by invoking "ssh-keygen" with different "-f" options and could be used to connect to other servers that you might use.

the next step is to make your public key known to the sourceforge server. to do so, log in to my sf.net and select Account Options. under Host Access Information you will find an Edit SSH Keys for Shell/CVS link. carefully copy the contents of your public key file (i.e., rapple.pub) into the input box provided, ensuring that you follow the instructions provided on that page. please note that there is a sync delay when using this method.

client configuration

since it is likely that you will use more than one identity (e.g., for other servers to which you connect) it is a good idea to configure your client appropriately. the following entry in "~/.ssh/config" ensures a certain amount of transparency when using SSH where <username> is your sourceforge account name:

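# the Host pattern is matched against the host name only, never "user@host"
Host cvs.sourceforge.net
User <username>
Hostname cvs.sourceforge.net
# key path matches the one passed to ssh-add
IdentityFile ~/.ssh/rapple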

once configured you can issue CVS commands from within your CVS directories, at which point you will be prompted for your private key passphrase (if you are prompted for your sourceforge account password instead then public key authentication has failed and you will need to troubleshoot your configuration).

using an SSH agent

after a while it becomes tiresome to have to enter your passphrase every time you perform a CVS operation. to ensure convenient and secure passage of this information to the SSH server you can use a local SSH agent which will prompt you once for your passphrase and then keep your private key safe in memory for future reference. the "subshell method" of invoking "ssh-agent" spawns a subshell setting the appropriate environment variables. to function correctly you must pass it your working shell (usually stored in the $SHELL environment variable) during login. the best way to invoke the subshell method is to add the following line to the end of your "~/.bash_profile" or equivalent file:

/usr/bin/ssh-agent $SHELL

you should, of course, ensure that the absolute path is correct for your system and that the $SHELL variable is already set (invoking ssh-agent without an argument causes it to be run in the background, and SSH clients cannot contact it because the environment variables they need are not set in your shell!). with the agent running you need to add your private key to its memory with the following command:

ssh-add ~/.ssh/rapple

at which point you will be prompted for your passphrase. to confirm that the private key has been loaded simply issue the following command:

ssh-add -l

now that your private key has been loaded you can access sourceforge CVS services safely and you will not be prompted for either your sourceforge password or your private key passphrase when you perform CVS operations. you can remove your identity from the agent at any point by issuing the following command:

ssh-add -d ~/.ssh/rapple

as already stated this brief description is intended to help you get started using SSH - please consult the documentation for your SSH implementation for more detailed information.

