[SGVLUG] SSH Keys / Trusted Authentication

Claude Felizardo cafelizardo at gmail.com
Wed May 3 18:55:17 PDT 2006


On 5/3/06, Sean O'Donnell <sodonnell at childrensoncologygroup.org> wrote:
>
> I'm having issues getting our CVS server to 'trust' my workstation when
> logging in via SSH.

What exactly do you mean by "trust"?  What kind of errors are you getting?


> A few months back, I had this all set up properly, and all was well. I
> was able to login to the CVS Server via SSH w/out having to type my
> password, cool.
>
> This makes my life MUCH easier when working w/ our cvs-centric
> staging/production environment, and pushing files from dev to qa, or qa
> to production, as well as the cvs tagging procedures that occur in the
> process.
>
> This tag/push process usually prompts for a password about 3-6 times,
> depending on which push is occurring.

So just to be clear here, you mean once you got ssh keys working, you
weren't having to enter your password each time?


> It all worked fine until I had to change my local gid so that I could
> access the NFS server, which was very similar to the recent thread by
> Claude.
>
> I ended up changing my gid throughout my local workstation, which was a
> bit of a pain @ 1st, but everything worked out ok. Well, except for the
> SSH Keys / Trust issue.

Yuppers, I elected to do the same. Changed both my Linux uid and gid
to match my Solaris uid, but my Solaris gid is 25! Looking at
/etc/group on my Linux box, 25 is not in use, but 24 is utmp and the
next is usb at 43. Does anyone know what kind of problem I may run
into if I change my Linux gid to 25?

Changing my ids in my home directory didn't take too long; changing
180 days' worth of rsnapshot backups took hours. Hopefully I won't
need to retrieve a file from any of the other backups.


> Now, my uid and gid are the same on both (err, all) systems here. The
> servers use LDAP to synchronously manage user accounts, but our
> workstations do not. We admin our own workstations essentially, due to
> our stereotypical lazy/slacker admin, who is no longer here.

Your uid and gid are the same, or do you mean your Linux uid matches
your Solaris uid and your Linux gid matches your Solaris gid? I
believe most Linux distros now create a dedicated group id that
matches your user id, since this makes it easier to manage group
access. On traditional Unixes like Solaris, they typically assign you
to an existing group. Currently my Linux gid does not match my
Solaris gid, and this is causing some problems.

One of the suggestions I got was to set the setgid bit on my
directories so that whenever I create a file (or directory), the group
permission will be that of the parent directory. I'm considering this as
a workaround so I don't have to redo my gid on my Linux box yet
again.


> Since it started having troubles after the gid change, I figured that I
> simply needed to re-generate the keys, and re-upload my public keys to
> the remote ssh server (cvsserv), which I did, and still no luck. =(

I don't think the uid/gid change should have affected your ssh.

> I spent a few hours on this w/ our (newly departed) sysadmin that day,
> and his final response was 'I don't know, wtf!?!?'.
>
> Anyhow, here are the commands used for this...
>
> ---
>
> # mylocalhost commands
> mkdir .ssh
> cd ~/.ssh
> ssh-keygen -t rsa1
> ssh-keygen -t rsa
> ssh-keygen -t dsa
> ssh cvsserv
>
> ---
>
> # cvsserv commands
> mkdir .ssh
> cd .ssh
> scp mylocalhost:~/.ssh/*.pub .
> cat identity.pub >> authorized_keys
> cat id_dsa.pub id_rsa.pub >> authorized_keys2
> chmod 644 authorized_keys*
> rm *.pub
> logout
>
> ---
>
> This is the same exact process that I used when I had set it up
> originally (with my old gid), and it worked fine back then.
>
> After looking @ the /etc/passwd files on both systems, I noticed a
> slight difference in 1 area...
>
> # mylocalhost:/etc/passwd
> myid:x:5050:5050:myid:/home/myid:/bin/bash
>
> # cvsserv:/etc/passwd
> myid:x:5050:5050::/home/myid:/bin/bash
>
> However, I assume that missing field is simply for the 'comment' (ie:
> useradd -c comment), so that wouldn't cause the problem, or??

Looks like the comment field everywhere I've looked.


> Anyhow, any input would be much appreciated. *EOD*
>
> Thanks,
>
> Sean O'Donnell

Something else could have changed. Have you tried logging in via ssh
with verbose mode to see if there are any warnings or errors?

BTW, I've been playing with LinCVS, which is a GUI frontend for CVS that
supports ssh. Does pretty side-by-side diffs with various CVS
revisions. Check it out.

claude
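Added example, not part of Claude's reply or Sean's post: a POSIX sh check for the ownership and permission rules sshd applies (StrictModes yes, the default) before it will read ~/.ssh/authorized_keys, which is exactly the kind of thing a uid/gid change on the server can break. It assumes GNU or BSD `ls`/`find`/`cut` and that the `.ssh` layout matches the one in the thread (authorized_keys and authorized_keys2, identity/id_rsa/id_dsa).

```shell
#!/bin/sh
# Added example, not from the thread: verify the ownership and mode rules
# sshd enforces (StrictModes yes, the default) before it honours
# ~/.ssh/authorized_keys. After a uid/gid change the home directory, ~/.ssh
# or the key files can be left with a stale owner or a group-write bit, and
# sshd then silently falls back to asking for a password.

# check_path PATH UID COLS: fail unless PATH is owned by UID (or root) and
# every ls -ld permission column listed in COLS (cut -c syntax) is '-'.
check_path() {
    path=$1; uid=$2; cols=$3
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    if [ -z "$(find "$path" -prune \( -user "$uid" -o -user 0 \))" ]; then
        echo "wrong owner: $path (expected uid $uid or root)"; return 1
    fi
    if [ -n "$(ls -ld "$path" | cut -c"$cols" | tr -d -)" ]; then
        echo "too permissive: $path ($(ls -ld "$path" | cut -c1-10))"; return 1
    fi
    return 0
}

# check_ssh_perms [HOME_DIR] [UID]: returns 0 only if every check passes.
check_ssh_perms() {
    home=${1:-$HOME}; owner=${2:-$(id -u)}; rc=0
    # Home and ~/.ssh: not writable by group (column 6) or other (column 9).
    for d in "$home" "$home/.ssh"; do
        check_path "$d" "$owner" 6,9 || rc=1
    done
    # authorized_keys (authorized_keys2 is the old protocol-2 name): same
    # rule, and at least one of the two must exist.
    found=0
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        found=1
        check_path "$f" "$owner" 6,9 || rc=1
    done
    [ "$found" -eq 1 ] || { echo "no authorized_keys in $home/.ssh"; rc=1; }
    # Private keys (client side): no group or other access at all (cols 5-10).
    for k in "$home/.ssh/identity" "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        if [ -f "$k" ]; then check_path "$k" "$owner" 5-10 || rc=1; fi
    done
    return $rc
}
```

Source the file and call `check_ssh_perms` on cvsserv (for the authorized_keys side) and on the workstation (for the private keys); whatever it reports is what `ssh -v cvsserv` would otherwise only hint at with a fall-through to password authentication.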

