SSH access on alioth.debian.org

In many cases, you will have to log in with SSH to alioth.debian.org (or one of its aliases like {svn,bzr,git,hg,darcs,arch}.debian.org), either to update the website of your project or to access associated VCS repositories. This page contains everything you need to know about your SSH access.

How to handle a differing username

In many cases, your login on Alioth is not the same as your usual login (for example because of the -guest suffix). To avoid hardcoding your username everywhere, you can put this in your ~/.ssh/config:

Host alioth.debian.org svn.debian.org git.debian.org bzr.debian.org hg.debian.org darcs.debian.org arch.debian.org
    User my-alioth-username

With this setup, you can do ssh alioth.debian.org instead of ssh my-alioth-username@alioth.debian.org. It also avoids the need to hardcode your username in many VCS URLs.

Logging in for the first time

The first time that you log in to a machine, your SSH client asks you to verify the fingerprint of the SSH public key of the Alioth host. If the fingerprint differs, you're not connecting to Alioth and you should stop immediately.

The fingerprint of Alioth's SSH host key is the following (GPG signed):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2048 99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44 ssh_host_rsa_key.pub
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iD8DBQFIKaRyvPbGD26BadIRApRXAJ4iuPNcuNRH5IUvD8v64Toc7qeevgCfbwWG
kmF6B1na/DcV6rmMEB6RUiE=
=ZQnq
-----END PGP SIGNATURE-----
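
The comparison described above, as an added example (not part of the original page): the published value is the legacy MD5 colon-hex fingerprint of the raw host key blob, so it can be recomputed from a known_hosts or ssh-keyscan style line and checked together with the key size. The sample line built by `constructed_line` is a constructed, non-functional key, and all function names are this example's own.

```python
import base64, hashlib, struct

# Fingerprint and key size published on this page (legacy MD5 colon-hex form).
PUBLISHED_FP = "99:11:ed:30:03:41:ff:9f:f3:74:bd:7d:e1:8f:04:44"
PUBLISHED_BITS = 2048

def read_string(blob, off):
    """Read one length-prefixed SSH string; return (bytes, new offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def describe_host_key(line):
    """Return (bits, md5_fingerprint) for a 'host ssh-rsa BASE64' line."""
    fields = line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("expected 'host ssh-rsa <base64>'")
    blob = base64.b64decode(fields[2], validate=True)
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _e, off = read_string(blob, off)        # public exponent (unused here)
    n, off = read_string(blob, off)         # modulus as an mpint
    bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # MD5 over the whole decoded blob
    fp = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return bits, fp

def matches(line, expected=PUBLISHED_FP, expected_bits=PUBLISHED_BITS):
    """True only if both key size and fingerprint equal the published ones."""
    bits, fp = describe_host_key(line)
    return bits == expected_bits and fp == expected.lower()

def constructed_line(host="example.invalid"):
    """Build a syntactically valid but non-functional ssh-rsa line (constructed)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    n = b"\x00" + b"\xc3" * 256             # placeholder 2048-bit modulus
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    sample = constructed_line()
    print(describe_host_key(sample), matches(sample))
```

Current OpenSSH clients display SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <file>` prints the MD5 form used here.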

Installing SSH keys

If you need to connect frequently to Alioth, you should consider authenticating with your own SSH public/private keys (instead of an account password).

To generate an SSH key pair on your computer, run ssh-keygen -t rsa and type a passphrase to protect the private key. The public key will be stored in ~/.ssh/id_rsa.pub; the content of that file is what you'll have to paste into the Gforge form mentioned below.

Gforge stores the SSH keys in its database and automatically generates the file ~/.ssh/authorized_keys for you. Thus if you want to add your own SSH key, you have to use the dedicated web page: https://alioth.debian.org/account/editsshkeys.php

Any manually created ~/.ssh/authorized_keys file will be automatically deleted every hour.

I'm unable to connect to SSH, but Alioth responds to pings

Alioth has fail2ban installed. This will block your SSH access for 10 minutes after 3 login failures logged by SSH. That includes cases where your SSH client tries to connect with a key that's not registered in your account, even if the correct key is sent afterwards. The fix is simple: modify your ~/.ssh/config to send only the right key.

Host alioth.debian.org svn.debian.org git.debian.org bzr.debian.org hg.debian.org darcs.debian.org arch.debian.org
    IdentityFile ~/.ssh/id_alioth
    # Offer only the key named above, not every key held by ssh-agent
    IdentitiesOnly yes

Of course, you should replace ~/.ssh/id_alioth with the filename of the private key whose public counterpart you registered in Alioth. Debian developers should use their standard Debian keys (to be configured via db.debian.org).

Good practices of SSH usage

You must read this: http://lackof.org/taggart/hacking/ssh/

This document sums up many good practices that regular SSH users should follow in order to avoid compromising the security of their accounts (and of the whole machine at the same time).

