How to set up your ssh access¶
Setting up your ssh access will depend on whether you’re using your PGP Auth subkey for ssh purposes or if you were issued a private key from kernel.org.
If you received a ssh private key from kernel.org¶
Follow this procedure if you received an encrypted tarball containing the SSH
private key to use for accessing your kernel.org account. Place that private
key into your ~/.ssh
directory, e.g.:
cp korg-username ~/.ssh/id_korg
You can change the automatically generated key passphrase using ssh-keygen
-p
.
Important
You should always keep your ssh key protected by a passphrase.
Add the following entries into your .ssh/config:
Host gitolite.kernel.org
User git
IdentityFile ~/.ssh/id_korg
IdentitiesOnly yes
ClearAllForwardings yes
# We prefer ed25519 keys, but will fall back to others if your
# openssh client does not support that
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa
# Below are very useful for speeding up repeat access
# and for 2-factor validating your sessions
ControlPath ~/.ssh/cm-%r@%h:%p
ControlMaster auto
ControlPersist 30m
# Helps behind some NAT-ing routers
ServerAliveInterval 60
If we used your PGP Authentication subkey¶
If we found an Authentication ([A]) subkey on your PGP key, then we have set up your access to use that key, instead of creating new ssh private keys. This is what you need to do to configure your ssh client to use that subkey:
First, add the following to your ~/.gnupg/gpg-agent.conf
:
enable-ssh-support
Then, add this to your .bashrc
:
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
You will need to kill the existing gpg-agent process and start a new login session for the changes to take effect:
$ killall gpg-agent
$ bash
$ ssh-add -L
The very first entry in the output should be the ssh public key derived from
your PGP Auth subkey – it should have “cardno:XXXXXXXX
” at the end in the
comment section.
Now add this to your .ssh/config:
Host gitolite.kernel.org
User git
ClearAllForwardings yes
# We prefer ed25519 keys, but will fall back to others if your
# openssh client does not support that
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa
# Below are very useful for speeding up repeat access
# and for 2-factor validating your sessions
ControlPath ~/.ssh/cm-%r@%h:%p
ControlMaster auto
ControlPersist 30m
# Helps behind some NAT-ing routers
ServerAliveInterval 60
SSH host fingerprints¶
Your kernel.org account grants you access to gitolite.kernel.org, which you will use both for accessing your git trees (see How to use gitolite) and for uploading tarball releases (see Using kernel.org uploader (kup)).
Key | MD5 Fingerprint |
---|---|
RSA | MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b |
ECDSA | MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47 |
ED25519 | MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c |
Key | SHA256 Fingerprint |
---|---|
RSA | SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g |
ECDSA | SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo |
ED25519 | SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M |
Here they are PGP-signed:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# ssh-keygen -E sha256 -lf <(ssh-keyscan gitolite.kernel.org)
2048 SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g gitolite.kernel.org (RSA)
256 SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo gitolite.kernel.org (ECDSA)
256 SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M gitolite.kernel.org (ED25519)
# ssh-keygen -E md5 -lf <(ssh-keyscan gitolite.kernel.org)
2048 MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b gitolite.kernel.org (RSA)
256 MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47 gitolite.kernel.org (ECDSA)
256 MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c gitolite.kernel.org (ED25519)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJZEg1UAAoJEDS6uAr58ke44k0QAKQ2mdfN9aebDBmt4BpBcIHo
DFZ8CN9/NTzJz7ZuYuwkgeWj1Ah1wWEb36q7UojA5Iq7BxLjP1jpZZlRSaQnyTXV
87/7DUcEshS3wasRatCJ+GhBtQ2WJAblVHs2BVpPffJT+KhwSM0vzhnME41ppWtJ
poZ/8UO1qlPZKjUutFeS7ogDC5te5BTEDAQuQLMUMgi1rzRYJvdIeIymgr0Hk4IA
8Ss+7sH0vj5p0hd2tNS+FpGXQORnKb4VYWupsG7tJfVRloEBKFly8oOPGGR/nHxg
vWJQl2Nc+05Vf5ey0bKWBlWyhFuuPlxFMPdCPQCKQMrAhTTAbtYAk71kmaxJQH0P
QeE8u/qLS4GYaSktPhjh+vYFNlwqPQ3WDwye3mXZN35eUTXgQX0beJBEBWGLdQsH
UpBUnTB5U0mzA4uNCOh1yfqaGjwdFru/c2ivA6e59SRoijjJOSL2+PLw/pHXbCSQ
AIGo7ysfF4V2EDZ6A234NYaI1PTGPt+hLRBxkzOONUjxiIoDAuRcrTHFz9oAtnvA
Xy1CAxTLXpgeCjJEN2s0EQgrEFeB/GDOfWBq/Z3itGBo1UD5HvOuYAay/tLgVzur
0/TTefeni1uFvl9kU3zsNiqm9YI2IaKPa4SMTmjEZSPlaTuuxApw5G1EBmCXexHS
YjQNG2ORVjiVyvdddWT9
=Njcj
-----END PGP SIGNATURE-----