SSH guidelines

SSH offers a secure means of interacting with SourceForge services (e.g., providing a secure channel for CVS operations). It is recommended that you read through the SSH documentation available on the SourceForge project site and that you have a good working knowledge of SSH concepts.

What follows is a brief description of how SSH can be configured for use with CVS operations. It is intended merely as an example to help you get started; it is up to you to read the SSH documentation for your implementation for a more complete understanding. This example assumes the bash shell along with the client installation of OpenSSH.
Creating a SourceForge identity

SSH supports a variety of authentication mechanisms, though the most commonly supported are password and public key based methods. The simplest password based scheme is to use the native password authentication mechanism on the remote host (in our case the account on the CVS server). Generally speaking, however, the public key mechanism is considered more secure and flexible and is relatively straightforward to implement.

The first step in implementing the public key mechanism is to generate an identity. An identity is a public/private key pair that binds your local account to your SourceForge developer account. You can generate an identity by following the SourceForge instructions. For our example the following command creates an RSA key pair identity:

# -f names the key files (written to the current directory); -C attaches a comment to the public key
ssh-keygen -t rsa -f rapple -C "sourceforge rapple identity"

Using the -f option as above generates the private key "rapple" along with the corresponding public key "rapple.pub". Both keys can be stored in your "~/.ssh" directory, which should have perms "700". In general the private key, which should be passphrase protected and should never be revealed to anyone, should be protected with perms "600", and the public key, which can be distributed to anyone, with perms "644". Most SSH implementations are very picky about file permissions and will not authenticate if you fail to protect your keys adequately.
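As an added example (not part of the original page), the following POSIX shell script checks that an identity directory and key pair carry exactly the modes described above and repairs them if not. It assumes a stat(1) that accepts either GNU "-c %a" or BSD "-f %Lp", and uses the identity name "rapple" from the example; the scratch directory and empty key files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: verify that an identity kept in
# ~/.ssh has the permissions the guidelines require (directory 700, private
# key 600, public key 644), which is the usual reason ssh silently ignores a
# key. Assumes a stat(1) that accepts GNU "-c %a" or BSD "-f %Lp".

perms_of() {
    # Print the octal permission bits of a path, e.g. 600.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

expect_mode() {
    # $1 = path, $2 = wanted octal mode; 0 if it matches, 1 (with a message) if not.
    _have=$(perms_of "$1" 2>/dev/null) || { echo "$1: missing" >&2; return 1; }
    [ "$_have" = "$2" ] && return 0
    echo "$1: mode is $_have, should be $2" >&2
    return 1
}

check_identity_perms() {
    # $1 = directory standing in for ~/.ssh, $2 = identity name (e.g. rapple).
    # Returns 0 only when directory, private key and public key are all correct.
    _rc=0
    expect_mode "$1" 700 || _rc=1
    expect_mode "$1/$2" 600 || _rc=1
    expect_mode "$1/$2.pub" 644 || _rc=1
    return $_rc
}

fix_identity_perms() {
    # Apply the modes the guidelines call for to the directory and both keys.
    chmod 700 "$1" && chmod 600 "$1/$2" && chmod 644 "$1/$2.pub"
}

# Constructed demo: a scratch directory stands in for ~/.ssh, holding empty
# placeholder key files with a group/world-readable private key.
demo=$(mktemp -d)
touch "$demo/rapple" "$demo/rapple.pub"
chmod 755 "$demo" && chmod 644 "$demo/rapple" "$demo/rapple.pub"
check_identity_perms "$demo" rapple || echo "as expected, the loose permissions are rejected"
fix_identity_perms "$demo" rapple
check_identity_perms "$demo" rapple && echo "permissions now acceptable"
rm -rf "$demo"
```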
As a general rule it is a good idea to maintain multiple identities for added security (e.g., the above identity should be used exclusively for your SourceForge activities). Additional identities are created by invoking "ssh-keygen" with different "-f" options and can be used to connect to other servers that you might use.

The next step is to make your public key known to the SourceForge server. To do so, log into my sf.net and select Account Options. Under Host Access Information you will find an Edit SSH Keys for Shell/CVS link. Carefully copy the contents of your public key file (i.e., rapple.pub) into the input box provided, ensuring that you follow the instructions given on that page. Please note that there is a sync delay when using this method.
Client configuration

Since it is likely that you will use more than one identity (e.g., for other servers to which you connect), it is a good idea to configure your client appropriately. The following entry in "~/.ssh/config" ensures a certain amount of transparency when using SSH, where <username> is your SourceForge account name:

# Host matches the hostname ssh is invoked with (a user@ prefix is not part of
# the pattern); the User line supplies the account name instead.
Host cvs.sourceforge.net
    User <username>
    Hostname cvs.sourceforge.net
    IdentityFile ~/.ssh/rapple

Once configured you can issue CVS commands from within your CVS directories, at which point you will be prompted for your private key passphrase (if you are prompted for your SourceForge account password then public key authentication has failed and you will need to troubleshoot your configuration).
Using an SSH agent

After a while it becomes tiresome to have to enter your passphrase every time you perform a CVS operation. To make this both convenient and secure you can use a local SSH agent, which prompts you once for your passphrase and then keeps the unlocked private key in memory for later use. The "subshell method" of invoking "ssh-agent" spawns a subshell with the appropriate environment variables set. To function correctly you must pass it your working shell (usually stored in the $SHELL environment variable) during login. The best way to invoke the subshell method is to add the following line to the end of your "~/.bash_profile" or equivalent file:

/usr/bin/ssh-agent "$SHELL"

You should, of course, ensure that the absolute path is correct for your system and that the $SHELL variable is already set (invoking ssh-agent without an argument causes it to run in the background, and SSH clients cannot contact it!). With the agent running you need to add your private key to its memory with the following command:

ssh-add ~/.ssh/rapple

at which point you will be prompted for your passphrase. To confirm that the private key has been loaded, simply issue the following command:

ssh-add -l

Now that your private key has been loaded you can access SourceForge CVS services safely, and you will not be prompted for either your SourceForge password or your private key passphrase when you perform CVS operations. You can remove your identity from the agent at any point by issuing the following command:

ssh-add -d ~/.ssh/rapple

As already stated, this brief description is intended to help you get started using SSH; please consult the documentation for your SSH implementation for more detailed information.