
Gitolite SSH Setup

Note that this is only required for performing a git push directly to codeaurora.org (some projects push to *.codeaurora.org systems via a service account).  If you only need to perform read-only operations, you should use HTTP-based access to repositories (both public and private).

Create SSH key on Linux

SSH keys offer a highly secure way of logging into a server and are best practice for authentication, allowing more security than a simple password.  SSH keys are tied to your identity (your email used on CAF) so you will need to ensure you have created or submitted SSH keys that match your identity. 

  • To create a key pair, run ssh-keygen with the -t option. The -t option specifies which crypto system you want the key to use. The valid options are "rsa" and "dsa". In this example, we have elected to use RSA authentication with keys that are 2048 bits or greater:

      $ ssh-keygen -t rsa -b 2048
      Generating public/private rsa key pair

  • Next you will be prompted for a passphrase, which is used to encrypt the private key. After you enter the passphrase you will be asked to verify it.

      Enter file in which to save the key (/home/sshuser/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase): **********************
      Enter same passphrase again: **********************

  • If the two passphrases do not match, you will be given an error message and asked to enter the passphrase again, as shown below.

      Passphrases do not match. Try again.
      Enter passphrase (empty for no passphrase): **********************
      Enter same passphrase again: **********************

  • Once the passphrases match, ssh-keygen will display a message indicating where the public and private keys will be saved.

      Your identification has been saved in /home/sshuser/.ssh/id_rsa.
      Your public key has been saved in /home/sshuser/.ssh/id_rsa.pub.
      The key fingerprint is:
      9a:7a:87:33:14:d2:12:72:7c:3f:ea:54:a4:2e:b6:ba sshuser@server.example.com

Configure SSH client settings

  • Edit your ssh client configuration so that ssh requests to git.codeaurora.org are sent over port 9222 (if your site filters port 22). This is accomplished by creating or modifying the /home/<sshuser>/.ssh/config file with the following values.

      Host *.codeaurora.org
       # The path to the private key you generated, such as: /home/<sshuser>/.ssh/id_rsa
       IdentityFile ~/.ssh/id_rsa
       User git
       # Optional: can be used if a firewall is blocking port 22
       Port 9222
       ControlPath ~/.ssh/%r@%h:%p
       ControlMaster auto
       ControlPersist 30m

  • Check that the file permissions are set properly on /home/<sshuser>/.ssh/config.  You can set the correct permissions by running the following commands:

      chmod 0700 ~/.ssh
      chmod 0600 ~/.ssh/config

  • Check alternate ports:

    To check if port 22 is open:

      ssh -p 22 git@git.codeaurora.org info <CAF_area>/<CAF_shortname>/<CAF_repository>

    To check if port 9222 is open:

      ssh -p 9222 git@git.codeaurora.org info <CAF_area>/<CAF_shortname>/<CAF_repository>

    Update /home/<sshuser>/.ssh/config with the port that succeeded in the above commands.

Submitting your SSH key to CAF

You must generate your SSH public/private key pair and upload the public key to your Developer account. SSH keys are tied to your identity (your email used on CAF) so you will need to ensure you have created or submitted SSH keys that match your identity in order to validate your access permissions.  CAF only supports 1 SSH key per user.

  Keys less than 2048 bits in length will not be accepted for security reasons.

  1. Create a new support request on the CAF service desk under "Project write access".
  2. Paste your full ssh PUBLIC key in the "SSH Key" field.
  3. Fill out other fields and submit the request.

  Once we verify with the project administrators that you should have access, we will grant it.

Updating/Changing your SSH key

CAF only supports one SSH key per user. To change your SSH key on file, create a new support request on the CAF service desk under "Project write access" and specify in the description that it is a key replacement request.

Before you can access with the new key, ITPeople will need to update your key's permissions.  When complete, ITPeople will respond to the ticket to notify you that access has been enabled with the new key.

Validate SSH key stored on CAF

You can use ssh-keygen to validate that your public key matches what is uploaded on CAF.  For example, if your SSH keys are in the ~/.ssh/ directory of your home directory, you would run:

      ssh-keygen -l -f ~/.ssh/id_rsa.pub -E md5

This will return your SSH public key fingerprint, and you can validate that it matches the fingerprint of the public key uploaded on CAF.

You can also run the following command to get extra ssh debug information:

      $ ssh -T -v gitolite3@git.codeaurora.org
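
The two checks this page relies on, the 2048-bit minimum for submitted keys and the MD5 fingerprint comparison, can be reproduced by parsing the public key line directly. The following Python is an added example, not part of the original page or of CAF tooling; the function names are assumptions made for illustration, and make_sample_line builds constructed sample lines with a dummy modulus, not usable keys.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # minimum key length stated on this page


def _read_field(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_pubkey(line):
    """Return (key_type, rsa_bits_or_None, md5_fingerprint) for one .pub line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_field(blob, 0)
    if key_type != fields[0].encode():
        raise ValueError("key type label does not match key blob")
    bits = None
    if key_type == b"ssh-rsa":
        _exponent, pos = _read_field(blob, pos)
        modulus, pos = _read_field(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    # Same digest ssh-keygen -l -E md5 shows: MD5 over the decoded key blob.
    digest = hashlib.md5(blob).hexdigest()
    return fields[0], bits, ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def meets_minimum(line):
    """True only for an RSA key of at least MIN_RSA_BITS bits."""
    return (inspect_pubkey(line)[1] or 0) >= MIN_RSA_BITS


def make_sample_line(bits):
    """Constructed sample, not a usable key: ssh-rsa blob with a dummy modulus."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sshuser@server.example.com"
```

Pass the single line from ~/.ssh/id_rsa.pub to inspect_pubkey to get the bit length and the colon-separated MD5 fingerprint before pasting the key into the support request.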

SSH Servers

Beginning April 14, 2018 at 10AM PDT

git.codeaurora.org        -> gl-master-us-west.codeaurora.org

privgit.codeaurora.org will resolve to one of the below depending on your location:

privgit-us.codeaurora.org -> gl-minion-us-west.codeaurora.org
privgit-hk.codeaurora.org -> gl-minion-ap-south.codeaurora.org

New IPs:

gl-master-us-west.codeaurora.org  : 18.236.24.28
gl-minion-us-west.codeaurora.org  : 52.36.164.61
gl-minion-ap-south.codeaurora.org : 13.127.252.195

Created by superadmin on 2020/04/18 20:53
    
