Translation(s): English - ?Italiano


SSH access on alioth.debian.org (AKA svn.debian.org)

In many cases, you will have to login with SSH to alioth.debian.org (or one of its aliases like {svn,bzr,git,hg,darcs,arch}.debian.org), either to update the website of your project or to access associated VCS repositories. This page contains all the infos that you must know concerning your SSH access.

How to handle differing username

In many cases, your login on Alioth is not the same as your usual login (for example because of the -guest suffix). To avoid hardcoding your username everywhere, you can put this in your ~/.ssh/config:

Host svn.debian.org git.debian.org bzr.debian.org hg.debian.org darcs.debian.org arch.debian.org
    User my-alioth-username

With this setup, you can do ssh git.debian.org instead of ssh my-alioth-username@git.debian.org. It also avoids the need to hardcode your username in many VCS URLs.

Logging in for the first time

The first time that you login to a machine, your SSH client asks you to verify the fingerprint of the SSH public key of the Alioth host. If the fingerprint differs, you're not connecting to Alioth and you should immediately stop.

The fingerprints of Alioth's SSH host keys are the following (GPG signed):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

wagner.debian.org, aka alioth.debian.org:
2048 bd:9f:37:8a:92:2a:49:2a:1c:29:c1:fb:59:11:6c:8e /etc/ssh/ssh_host_rsa_key.pub (RSA)

vasks.debian.org, aka {git,bzr,svn,cvs,hg}.debian.org:
2048 8c:c0:b8:9f:0a:79:ee:1c:77:c4:b8:a1:70:55:b7:31 /etc/ssh/ssh_host_rsa_key.pub (RSA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJN4UTxAAoJELZaSHHKGdcXIRgP+wV/PlFizOrKtAJ+DoWGQmM1
RBeV/CX1NezCGsFn1ApVSreJWVrIQmsbfsFFFl78H0briuRaQG0tD88TE8JxzqJI
ZO4MwlfGTf+KV3JeEsFtr9ku4OuqfxwUxYC5lAc5EOb61E3zSIsskdU3RnKvINhj
hqBPZrUtoGUTgvaYtlcNsphmM6YkYEjAVdWN0+YNdhdrMbYCTZ9wd9BtXRz+dvkC
H+O6QeP7E/xTgyN5BBzFFLvIiQZjWr5zjrtqoazRq0AChkkhUUyxSVJHkDPPbOlA
4hxK5qbVrBrfAUrxWxzvult0c3wVVrdFSVN0qVO+0CMABdLKVHIa0QKZb7O4AgfV
KhUKRy9UjZ/Z7/giyD36eHkQajFrgS8v83QH9igRh1+02zzo2zrXd0F7uRU/CagZ
261hHrjn1nXvxpeghhf5soM9fsrHM38C+ztZfOpPd+N8McN1lzlL5vmxlPPhureI
c/RjBbadYARb5jEc9IDIpBclu0R7xXL0sBZ+DV/VILn43NGTTsQaoCr93Cisaign
7WTZnTCt2PEJ6nHgXPs2v34GeLmdsk78UqEjTkuZ0SKSbUaIsPY70l5u7JeXcarf
SBwDK0x3AugHY5sN+MNlb33udc+M7+N+jXx7MPjCzNNYSwuciDTUbNbjiMU3mK99
cTvvSw232Weme4m4JLge
=+0+3
-----END PGP SIGNATURE-----

Installing SSH keys

Alioth does not allow password authentication via SSH. You need to authenticate with your own SSH public/private keys. Currently only RSA keys are allowed.

To generate an SSH key pair on your computer, you execute ssh-keygen -t rsa and type a pass-phrase to secure the private key. The public key will be stored in ~/.ssh/id_rsa.pub and it's the content of that file that you'll have to paste in the Gforge form mentioned below.

Gforge stores the SSH keys in its database and automatically generates the file ~/.ssh/authorized_keys for you. Thus if you want to add your own SSH key, you have to use the dedicated web page: https://alioth.debian.org/account/editsshkeys.php

Any manually created ~/.ssh/authorized_keys file will be automatically deleted every hour.

I'm unable to Connect via SSH, ...

... and I've only recently been added to a project

You will need to wait 24 hours - this is the current administrative turnover. You have to be a member of at least one project to be able to login via ssh. https://alioth.debian.org/users/<my-username> shows the projects you are member of, if any.

... and I've only recently added my SSH public key to Alioth

You will need to wait upto an hour; the processing of your key is carried out by an hourly cron-job.

... but Alioth responds to pings

Alioth has fail2ban installed. This will block your SSH access for 10 minutes after 3 login failures logged by SSH. That includes cases where your SSH client tries to connect with a key that's not registered in your account, even if the correct key is sent afterwards. The fix is simple, modify your ~/.ssh/config to send only the right key.

Host svn.debian.org git.debian.org bzr.debian.org hg.debian.org darcs.debian.org arch.debian.org
    IdentityFile ~/.ssh/id_alioth

Of course, you should replace ~/.ssh/id_alioth by the filename of the private key whose public counterpart you registered in Alioth. Debian developers should use their standard Debian keys (to be configured via db.debian.org).

The hosts master.debian.org and ravel.debian.org are whitelisted in the fail2ban config of Alioth. For debugging purpose you can try the following stanza in your ~/.ssh/config:

Host svn.debian.org git.debian.org bzr.debian.org hg.debian.org darcs.debian.org arch.debian.org
    ProxyCommand ssh master.debian.org nc -q0 %h %p

Question: What do I do when my key comes in via ssh-agent? I cannot tell ssh-client to only offer a certain key for a host, can I? Why is fail2ban used in the first place when password authentication is disabled?

Answer: Set ?IdentitiesOnly yes in your ssh stanza for alioth.

Good practices of SSH usage

You must read this: http://lackof.org/taggart/hacking/ssh/

This document sums up many good practices that regular SSH users should follow in order to avoid compromising the security of their accounts (and of the whole machine at the same time).

External links


?CategoryAlioth