Corporate Git – ssh

August 28th, 2010
previoushomenext

Generating Keys for the ssh Client

Let’s say you’re Master Foo, and want to connect as user “git” to the machine described in the previous chapters, which we’ll call “bar.baz”.

You need a private/public key pair. You can give your public key to the whole world. They can encrypt stuff with it for you which, in turn, can be decoded only with your private key. So guard your private key with your life and, preferably, with a passphrase.

$ ssh-keygen

Accept the default location for the private key: ~/.ssh/id_rsa
When prompted for the passphrase, enter it twice. The passphrase actually encrypts your private key, so even if someone steals the file, he cannot use it.

When finished, your keys are saved in

~/.ssh/id_rsa
~/.ssh/id_rsa.pub

Logging in

Give your public key “id_rsa.pub” to the owner of the “bar.baz” box. If he trusts you, he’ll append it to “/home/git/.ssh/authorized_keys”. Once that done you can

$ ssh git@bar.baz

and after entering your private key’s passphrase, you’re logged in, and you can do whatever you want or, rather, whatever you’re allowed to. Done!

Using ssh-agent

Nearly. After a while, you’ll find find it cumbersome having to enter your passphrase every time you log in to “bar.baz”. Or every time you push or pull in git terms. But fear not, only believe!

The wise elders of OpenBSD have developed the ssh-agent to avoid this. You run your Cygwin session under its protection, and you’ll have to enter your passphrase just once at the start of your first bash after power-on. Add this to the system-wide /etc/profile

export SSH_AUTH_SOCK=/tmp/.ssh-socket

and the code below to your profile “~/.profile”. How it works is explained on Ovidiu Predescu’s excellent page. I’ve applied a minor fix. Find it!

# Start or connect to the ssh-agent
ssh-add -l >/dev/null 2>&1
if [ $? = 2 ]; then
  ssh-agent -a $SSH_AUTH_SOCK 2>/dev/null >/tmp/.ssh-script
  . /tmp/.ssh-script >/dev/null
  echo $SSH_AGENT_PID >/tmp/.ssh-agent-pid
  echo
  ssh-add
fi
# Command to stop the ssh-agent
function killssh {
  kill `cat /tmp/.ssh-agent-pid`
  rm -f /tmp/.ssh*
}

One more small gotcha: the outdated .ssh* files should be removed from /tmp during or after reboot, before starting the first Cygwin session. Preferably automatically.

Comments are closed.