CS164: Using SSH with Subversion

This semester, we are using Subversion with "SSH tunneling" to keep project repositories for teams and homework repositories for individuals. The repositories are all owned by cs164-tb and kept on the instructional machines. To access them, you must inform your local SSH software of a private key, and must inform cs164-tb of the matching public key.

Creating Key Pairs and Registering Public Keys

To authenticate yourself to a remote party with SSH, you give the remote party a public key and keep possession of the corresponding (secret) private key. Only someone holding the private key can feasibly answer the challenges (in essence, puzzles) that a party holding the public key poses; the public key can be shared freely, because it reveals nothing that helps solve those puzzles. This is why the private key is the file you must protect, and the public key is the one you register.

SSH on Unix and MacOS keeps SSH keys as files in a directory named .ssh. On the instructional machines, we have defined a command setup-authentication, which checks that you have a public key named .ssh/login.pub, where login is the login id of your instructional CS164 account. If you don't have one, it creates a key pair for you, asking you to supply a "passphrase" with which to unlock your key. The passphrase is optional; without one, your private key is protected only by your regular login password and by file permissions, so anyone who can read the file (or who obtains a copy of it) can authenticate as you. The setup-authentication script also registers your public key with us, so that you can use your private key (which is stored in .ssh/login) to authenticate yourself from anywhere.

Therefore, one way to create a new key pair, for example if you forget the passphrase on your old one, is to erase the files .ssh/login.pub and .ssh/login and run setup-authentication (or wait until your next login, when it runs automatically).

You will need to copy your private key to the .ssh directory of whatever machine(s) you intend to use for your work (let's call it your home machine), and inform the SSH program there of its existence (see Using Your Key, below). If you do this, copy it over an encrypted channel (scp, for instance), and make sure the copy is readable only by you (mode 600), since OpenSSH will refuse to use a private key that other users can read. Alternatively, you can create a key pair on your home machine and copy only the public key back to the instructional machines to be registered with us; this way the private key never leaves the machine on which it was generated. To create a key pair on your home machine, use a command such as

ssh-keygen -t rsa -f .ssh/privatekey
where privatekey is the name of the file that will contain your private key. You'll get a file privatekey.pub containing the corresponding public key. Copy that public-key file (never the private key) to the instructional machines, and register it with cs164-tb using the command
record-public-key privatekey.pub ID
That is, supply the name of the copy of your public key that you sent to the instructional machines and an (optional) identifier. The purpose of ID is just to allow record-public-key to distinguish between multiple keys you may want to allow for your subversion directory. The command
record-public-key - ID
will delete a registration for a public key that you previously identified with ID. ID defaults to a form of your login.
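The steps above, as an added shell example (not code from the CS164 page or its scripts): generate a key pair on a home machine with a passphrase, check that the private key has the permissions OpenSSH requires, and check that the public-key file is a single well-formed OpenSSH line before it is copied over and passed to record-public-key. The key path ~/.ssh/cs164_key, the comment alice@home and the ID "home" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the CS164 page: create a key pair on your home
# machine, check the hygiene OpenSSH expects, and check the public-key file
# before copying it to the instructional machines for record-public-key.
# The key path ~/.ssh/cs164_key and the comment alice@home are assumptions.

set -e

# Return 0 if the private key is readable only by its owner (mode 600 or
# 400).  OpenSSH ignores a private key that is group- or world-readable.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if $1 is a single OpenSSH public-key line: "<type> <base64> [comment]".
# A file with extra lines, a pasted PEM block, or a private key sent by
# mistake all fail this check.
pubkey_wellformed() {
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    set -- $(cat "$1")
    case "$1" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "${2:-}" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Generate an RSA key pair at $1 with comment $2.  ssh-keygen prompts for
# the passphrase on the terminal; we deliberately do not pass -N "" (an
# empty passphrase), since then file permissions are the only protection.
make_keypair() {
    ssh-keygen -t rsa -b 4096 -f "$1" -C "$2"
    chmod 600 "$1"
    chmod 644 "$1.pub"
}

# Run as "sh keys.sh demo" to walk through it interactively.
case "${1:-}" in
    demo)
        key="$HOME/.ssh/cs164_key"          # assumed path
        mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
        make_keypair "$key" "alice@home"    # assumed comment
        key_perms_ok "$key" || { echo "private key is too permissive; chmod 600 it"; exit 1; }
        pubkey_wellformed "$key.pub" || { echo "$key.pub is not one OpenSSH public-key line"; exit 1; }
        ssh-keygen -lf "$key.pub"           # fingerprint; compare it after registering
        echo "copy $key.pub to the instructional machines, then run: record-public-key cs164_key.pub home"
        ;;
esac
```

The two check functions run without OpenSSH installed, so they can be used on their own to vet a key file before you send it; the demo branch needs ssh-keygen and a terminal for the passphrase prompt. Recording the fingerprint printed by ssh-keygen -lf lets you confirm later that the key you registered is the one your home machine is offering.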

Using Your Key

Once you have a key pair properly created and registered, the next step is to actually use SSH and Subversion to access your repository. First, it is useful to tell your local SSH configuration about your private key for the repository. There are several techniques. If you are using OpenSSH on Unix or MacOS, add a line to the file .ssh/config that says

IdentityFile ~/.ssh/privatekey
(create the config file if needed, and make it readable only by you). A line placed outside any "Host" block applies to every host you connect to; to restrict it to the instructional machines, put it under a "Host" block naming them. Whenever you use SSH or Subversion with an "svn+ssh" repository, SSH will consult the indicated private key file(s) for a key to try (you can have any number of IdentityFile lines in your config file). If the key has a passphrase, you'll be prompted for it. (WARNING: Subversion sometimes calls SSH several times for one command, which means you might get several passphrase prompts.)

Alternatively, you can set up an SSH agent that will allow you to enter a passphrase for a key once and then provide the necessary information to programs that ask for it. Within a given Unix shell, the command

ssh-agent name-of-shell
will run the shell you name (csh, bash, etc.) and supply its environment with a link to an agent process. Alternatively, you can use
eval `ssh-agent`
to supply that environment to the current shell.

Once you have started an agent, you may add keys to it with

ssh-add private-key-file
which asks you for the passphrase, if the key has one. Other programs you run from this shell, including Subversion, obtain their authentication from the agent using the keys you have added, and will not ask you for a passphrase. Keep in mind that the agent holds the unlocked key in memory for as long as it runs, so kill it (ssh-agent -k) when you are done, or add the key with a lifetime (ssh-add -t seconds private-key-file) so that it expires on its own.
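The configuration and agent steps above, as an added shell example (not code from the CS164 page): a function that writes a "Host" stanza binding one private key to one host, a guard against installing the same stanza twice, and the agent lifecycle described in the text. The alias cs164, the placeholder host name instructional.example.edu, the user name alice and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CS164 page: write a per-host stanza into
# ~/.ssh/config and load the key into an agent.  The host alias, host name,
# user and key path in the demo are assumptions.

set -e

# Print a ~/.ssh/config stanza for one host.  IdentitiesOnly stops ssh from
# offering every key it knows about, so only this key is tried for this host
# (and you do not hit "too many authentication failures" with several keys).
config_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    IdentitiesOnly yes\n'
}

# Append a stanza to the config file $1 unless a "Host <alias>" line is
# already there.  Returns 0 if appended, 2 if a stanza for that alias exists.
install_stanza() {
    config=$1; shift
    if [ -f "$config" ] && grep -q "^Host $1\$" "$config"; then
        return 2
    fi
    mkdir -p "$(dirname "$config")"
    config_stanza "$@" >> "$config"
    chmod 600 "$config"          # config names key files; keep it private
    return 0
}

# Number of Host stanzas in config file $1.
host_count() {
    grep -c '^Host ' "$1"
}

# Start an agent for this shell (if none is reachable) and load one key.
# ssh-add prompts for the passphrase once; later svn+ssh commands reuse the
# agent instead of prompting for each SSH connection Subversion opens.
load_key_into_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        eval "$(ssh-agent -s)"
    fi
    ssh-add "$1"
    ssh-add -l                   # list loaded fingerprints to confirm
}

# Run as "sh agent.sh demo" to apply it to your own ~/.ssh.
case "${1:-}" in
    demo)
        key="$HOME/.ssh/cs164_key"                                      # assumed path
        install_stanza "$HOME/.ssh/config" cs164 instructional.example.edu alice "$key" || true
        load_key_into_agent "$key"
        ;;
esac
```

With the stanza in place, an svn+ssh URL whose host part is the alias cs164 picks up the key and user name automatically. Note that eval of ssh-agent's output must happen in the shell you will run Subversion from; an agent started in one terminal is not visible to another unless SSH_AUTH_SOCK is exported there.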


Page was last modified on Mon Sep 18 13:12:57 2006.
Address comments and questions to cs164@cs.berkeley.edu