Setup of checkout from svn.cern.ch without password

It is really inconvenient (and unsafe) to type your password many times during svn checkout from svn.cern.ch. The following explains how to use an ssh public key to run svn checkout from svn.cern.ch without typing your password repeatedly.

How to set up an ssh private/public key for password-less login

Initial generation of ssh private/public key

On an acas machine, use the ssh-keygen command to generate an ssh private/public key pair:

acas% ssh-keygen
It will ask you for a passphrase, which you later give to ssh-add.

acas% ls -lta $HOME/.ssh
total 44
-rw-r--r--   1 yesw2000 usatlas   415 Jul 31 10:55 id_rsa.pub
drwx------   2 yesw2000 usatlas  2048 Jul 31 10:55 .
-rw-------   1 yesw2000 usatlas  1743 Jul 31 10:55 id_rsa
drwxr-xr-x 102 yesw2000 usatlas 30720 Jul 31 10:55 ..

Please check the permissions of the files and directory above:

  • The directory $HOME/.ssh should have mode 700 (not visible to group/other)
  • The private key file $HOME/.ssh/id_rsa should have mode 600 (not visible to group/other)
  • The public key file $HOME/.ssh/id_rsa.pub should have mode 644 (readable by group/other)
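
The permission check above can be scripted. The following is an added example, not part of the original page: it reports any of the three paths that is more permissive than the mode listed (a stricter mode, such as 400 on the private key, also passes). It assumes GNU coreutils stat and the default key names from the listing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU coreutils `stat`
# and the default key names id_rsa / id_rsa.pub shown in the listing above.
# Function names are hypothetical.

# mode_of PATH: octal permission bits of PATH, following symlinks (-L).
mode_of() { stat -L -c '%a' "$1"; }

# check_max_mode PATH MAX: fail if PATH is missing or has any permission bit
# that MAX does not allow (400 passes a 600 limit, 640 does not).
check_max_mode() {
    path=$1
    max=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    have=$(mode_of "$path")
    # Bits set in the actual mode but not in the allowed mode.
    extra=$(( 0$have & ~0$max & 0777 ))
    if [ "$extra" -eq 0 ]; then
        echo "OK       $path ($have)"
    else
        echo "TOO OPEN $path is $have, limit is $max"
        return 1
    fi
}

# audit_ssh_dir [DIR]: exit status is the number of problems found (0 = good).
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    check_max_mode "$dir"            700 || bad=$((bad + 1))
    check_max_mode "$dir/id_rsa"     600 || bad=$((bad + 1))
    check_max_mode "$dir/id_rsa.pub" 644 || bad=$((bad + 1))
    return "$bad"
}

# Usage: audit_ssh_dir            (checks $HOME/.ssh)
#        audit_ssh_dir /some/dir  (checks another directory)
```

A path reported as TOO OPEN can be corrected with chmod using the mode given in the list above.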

Then you can use the ssh-copy-id command to copy your public key file to the remote machine (CERN machines here) that you want to log in to:

acas% ssh-copy-id yourNameAtCERN@lxplus.cern.ch
You still need to enter your lxplus password for the above command. If your identity file is not the default one, $HOME/.ssh/id_rsa.pub, you can use the option [-i [identity_file]] to specify your identity file. After running the above command, you will find that your public key has been copied into the file ~/.ssh/authorized_keys on lxplus:

lxplus% ls -lta ~/.ssh
total 7
drwx------.  2 yesw zp 2048 Jul 31 17:18 ./
drwxr-xr-x. 44 yesw zp 4096 Jul 31 17:18 ../
-rw-------.  1 yesw zp  241 Jul 31 17:18 authorized_keys

Because your home directory resides on CERN AFS, you need to move the above file authorized_keys to $HOME/public and then make a symbolic link to it:

lxplus% ls -ltA .ssh/authorized_keys    
lrwxr-xr-x. 1 yesw zp 25 Jul 31 17:46 .ssh/authorized_keys -> ../public/authorized_keys

Using ssh-agent

If ssh-agent is not already running (via login startup or X-Windows startup), start it:

acas% eval `ssh-agent`

Then run the ssh-add program, which talks to your ssh-agent:

acas% ssh-add
which will prompt for the passphrase that you typed in ssh-keygen.

How to set up password-less checkout from svn.cern.ch

If your username at lxplus is the same as that at acas, the above setup should enable you to do svn checkout from svn.cern.ch without typing your password for lxplus. If not, you need to specify your username at lxplus in your ssh configuration file $HOME/.ssh/config on acas machines. In addition, you need to configure ssh to disallow password-less login to lxplus; otherwise you will get the following error:

/usr/bin/xauth:  timeout in locking authority file /afs/cern.ch/user/y/yesw/.Xauthority
hepix: E: /usr/bin/fs returned error, no tokens?
hepix: >>>>> AFS token expired! <<<<<
because password-less ssh login does not give you AFS authentication at CERN.

So your ssh configuration file $HOME/.ssh/config on acas machines should look like:

host *.cern.ch
   user yourNameAtCERN
   PasswordAuthentication yes

host lxplus*.cern.ch
   PubkeyAuthentication no

host svn.cern.ch
   PubkeyAuthentication yes
   ForwardX11 no

The above configuration can also be applied to your laptop if you would like to run svn checkout directly there, or log in from your laptop to lxplus.

If you have the right ssh configuration, you will get the following message when you try an interactive login to svn.cern.ch (because svn.cern.ch is not for interactive login):

acas% ssh svn.cern.ch
*                                                                             *
*  Reminder: You have agreed to comply with the CERN computing rules          *
*                     http://cern.ch/ComputingRules                           *
*                                                                             *
SVN server - only svn allowed, interactive login disabled
Connection to svn.cern.ch closed.

