[Savannah-cvs] [181] Various ssh doc improvements
From: Bob Proulx
Subject: [Savannah-cvs] [181] Various ssh doc improvements
Date: Thu, 07 Apr 2016 17:40:54 +0000
Revision: 181
http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=181
Author: rwp
Date: 2016-04-07 17:40:48 +0000 (Thu, 07 Apr 2016)
Log Message:
-----------
Various ssh doc improvements
See sr#109008 and sr#108870.
Ticket Links:
------------
http://savannah.gnu.org/support/?109008
http://savannah.gnu.org/support/?108870
Modified Paths:
--------------
trunk/sviki/SshAccess.mdwn
Modified: trunk/sviki/SshAccess.mdwn
===================================================================
--- trunk/sviki/SshAccess.mdwn 2016-04-03 23:51:04 UTC (rev 180)
+++ trunk/sviki/SshAccess.mdwn 2016-04-07 17:40:48 UTC (rev 181)
@@ -118,23 +118,28 @@
Verifying host fingerprints
---------------------------
If you get a warning about a fingerprint change, you can check the host
-fingerprint you have stored with, e.g.,:
+fingerprint you have stored with for example:
- $ ssh-keygen -l -f ~/.ssh/known_hosts | grep git.sv.gnu.org
- 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5 git.sv.gnu.org
+ $ ssh-keygen -l -F git.sv.gnu.org
+ 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
|1|wU2ra57xIdkRXsEfm1DRa50balE=|G1xDRrb9dpIwjfvx7D9+cRwZl4Q= (RSA)
-or if your `known_hosts` file is hashed:
+Your `~/.ssh/known_hosts` file may have hostnames either plain or
+hashed. The newer default is hashed and the hostname will display as
+in the above. If plain then the hostname will display plainly instead
+of hashed. The md5 hash the important part.
- $ ssh-keygen -F git.sv.gnu.org
- 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5
|1|/PZ6wITZ4GG+4XtGUy1FgzqaH8M=|uci92Jr08MGVxZAeofx2JHS/lfw=
+Note that newer ssh defaults to SHA256 rather than MD5 now. In those
+cases you may need to add -Emd5 in order to show the MD5 version.
-To verify the keys currently in use at Savannah:
+At some point vcs.sv.gnu.org will be updated to enable ECDSA and at
+that time you will start to see ECDSA signatures. Almost certainly
+this documentation will lag behind and need updating after that has
+happened. If so please report it so that we will remember to update it.
- $ ssh-keyscan -t rsa cvs.sv.gnu.org > tmpkey
- ...
- $ ssh-keygen -l -f tmpkey
- 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5 cvs.sv.gnu.org (RSA)
+The key currently in use on vcs.sv.gnu.org is:
+ 1024 80:5a:b0:0c:ec:93:66:29:49:7e:04:2b:fd:ba:2c:d5 git.sv.gnu.org (RSA)
+
On the server-side (for Savannah Hackers):
address@hidden:/# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
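Review bot: The added sentence "The key currently in use on vcs.sv.gnu.org is:" names vcs.sv.gnu.org, but the fingerprint line under it is labelled git.sv.gnu.org and the lookup command above uses git.sv.gnu.org, so a reader cannot tell which hostnames this fingerprint is meant to cover; please state the list of names it applies to, or use one name consistently. This matters more now that the ssh-keyscan steps are removed and the published line is the only reference a user has to compare against. Smaller points in the same hunk: "The md5 hash the important part." is missing "is", "stored with for example:" reads better as "stored with, for example:", "-Emd5" should be set as code like the other commands, and "ECDSA signatures" should probably be "ECDSA host key fingerprints", since what the user sees change is the host key.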
@@ -144,6 +149,11 @@
------------------------
Lots more details of above and other less usual cases follow.
+This following section is mostly about using ssh for cvs access and
+hasn't been updated for the many more recently added version control
+systems such as bzr, hg and git. The concepts are all the same
+however even if the details for other systems might be different.
+
- If, when (for example) you try to use cvs, you're rejected with
`Permission denied`, that means that your key is not
recognized. It could be a matter of time (cron job) or, generally,
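Review bot: Wording in the added paragraph: "This following section" should be "The following section", and the last sentence reads more clearly as "The concepts are all the same, however, even if the details for other systems differ." It would also help to say where the bzr, hg and git specifics are documented, since the paragraph tells readers the cvs details may not apply to them but gives no pointer to what does.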
@@ -172,12 +182,14 @@
Without this, cvs will be trying to use rsh instead of ssh for the
connection, and rsh is not allowed (it's insecure by design).
-- Another problem can arise when you are trying to connect from behind
- a NAT router using OpenSSH. During session setup, after the password
- has been given, OpenSSH sets the TOS (type of service) field in the
- IP datagram. Some routers are known to choke on this. The effect is
- that your session hangs indefinitely after you gave your password.
- Here is the example output from such an ssh session:
+- Another problem can arise when you are trying to connect from
+ behind a broken NAT router. During session setup, after the
+ password has been given, OpenSSH sets the TOS (type of service)
+ field in the IP datagram. Some broken routers are known to choke
+ on this. This type of broken router is thankfully very
+ infrequently seen these days. The effect is that your session
+ hangs indefinitely after you gave your password. Here is the
+ example output from such an ssh session:
address@hidden:~$ ssh -vvv address@hidden
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
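Review bot: The rewritten bullet uses "broken" three times in four sentences ("broken NAT router", "Some broken routers", "This type of broken router"); the first mention is enough and the later two can become "Some routers" and "Such routers". Since the text now says these routers are very infrequently seen, consider noting that the example output below it is from OpenSSH_4.7p1 (2007), so readers do not expect their own debug output to match line for line. "after you gave your password" would also read better as "after you give your password".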