Photon Group of SUBATECH
---

This document explains one secure way of accessing the PHENIX CVS Repository, located at the RHIC Computing Facility (RCF).

You will learn how to set up an automated secure connection with RCF, get an AFS token, and set up your CVS environment.

Reminder: you can do checkouts the way you like. But before doing any checkin, please, please, contact the librarian of the package you have modified.

---

Setting up an automated secured connection with RCF

In this section you will learn how to set up a secure (i.e. using ssh) and automated (i.e. you won't have to give your password every time) connection to the RCF.

We assume throughout that you (the client) are logged in on the local machine foo.bar and that you want to connect to the RCF gateway rcf.rhic.bnl.gov (the server).

Note for French users: due to legal restrictions, you cannot use ssh directly in France. The IN2P3 has created an ssh-compatible shell named SSF, so you will have to type the ssf command instead of ssh (the other commands, such as ssh-agent and ssh-keygen, keep their usual names).

Create your keys

The ssh connection method we are going to use is based on a pair of RSA keys, a public key and a private key. Only the public key travels over the net; the private key stays on your machine and is needed to decrypt the challenge sent by the server.

To create your keys on your local machine, use the ssh-keygen command :

[user@foo.bar]$ ssh-keygen
Initializing random number generator...
Generating p:  .....++ (distance 40)
Generating q:  ...........................................++ (distance 762)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/aphecetc/.ssh/identity):type return here
Enter passphrase: enter a passphrase here
Enter the same passphrase again: type it again
Your identification has been saved in /home/aphecetc/.ssh/identity.
Your public key is:
1024 37 15018...snip...457534269 aphecetc@nanpc45.in2p3.fr
Your public key has been saved in /home/aphecetc/.ssh/identity.pub
The private key must be kept secret, so the .ssh/identity file must be readable only by you (mode 600; the ssh-keygen command does that correctly, but you can check it).
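As an added example (not from the original page), a small shell script that performs the permission check mentioned above. It assumes the SSH1 default locations ~/.ssh and ~/.ssh/identity, and uses ls rather than stat so it runs on any Unix:

```shell
#!/bin/sh
# Added example, not part of the original page: verify that the SSH1
# identity file is readable only by its owner and that the .ssh
# directory is private. Each check returns 1 and names the fix otherwise.

# mode_of FILE: print the symbolic permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_private_key FILE: 0 only if the mode is exactly owner read/write
check_private_key() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    m=$(mode_of "$1")
    case "$m" in
        -rw-------) return 0 ;;
        *) echo "$1 has mode $m, expected -rw------- (fix: chmod 600 $1)" >&2; return 1 ;;
    esac
}

# check_ssh_dir DIR: 0 only if the directory is accessible by its owner alone
check_ssh_dir() {
    [ -d "$1" ] || { echo "missing: $1" >&2; return 1; }
    m=$(mode_of "$1")
    case "$m" in
        drwx------) return 0 ;;
        *) echo "$1 has mode $m, expected drwx------ (fix: chmod 700 $1)" >&2; return 1 ;;
    esac
}

# check_identity [SSHDIR]: run both checks, defaulting to ~/.ssh (assumed SSH1 layout)
check_identity() {
    d=${1:-$HOME/.ssh}
    check_ssh_dir "$d" && check_private_key "$d/identity"
}
```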

Give your public key to the server

You must then put your public key on the server, in the ~/.ssh/authorized_keys file. This can be done with ftp (if the server permits it), or otherwise with an ssh connection to the server followed by an ftp from the server back to the client. For example:
[user@foo.bar]$ ssh -l username rcf.rhic.bnl.gov
enter your password and passphrase here
[username@rcf.rhic.bnl.gov]$ ftp foo.bar
enter your foo.bar password
ftp> cd .ssh
ftp> get identity.pub toto.pub
ftp> quit
[username@rcf.rhic.bnl.gov]$ cd .ssh
[username@rcf.rhic.bnl.gov]$ cat ../toto.pub >> authorized_keys
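The cat >> authorized_keys step above adds a duplicate line every time it is repeated and leaves the file's mode to your umask. As an added example (not from the original page), a shell function that checks the identity.pub line has the SSH1 "bits exponent modulus comment" shape shown earlier, appends it only if that key is not already present, and keeps authorized_keys readable only by you; the key line used in the test is constructed:

```shell
#!/bin/sh
# Added example, not part of the original page: idempotent installation of
# an SSH1 public key into authorized_keys with owner-only permissions.

# valid_ssh1_pubkey LINE: 0 if LINE looks like "bits exponent modulus [comment]"
# with the three leading fields all numeric
valid_ssh1_pubkey() {
    set -- $1
    [ $# -ge 3 ] || return 1
    case "$1$2$3" in
        *[!0-9]*) return 1 ;;
    esac
    return 0
}

# install_pubkey PUBFILE AUTHFILE: append the key from PUBFILE to AUTHFILE
# unless the same key (bits, exponent, modulus; comment ignored) is already
# there. Prints "added" or "present"; returns 1 on a malformed key file.
install_pubkey() {
    pub=$1; auth=$2
    line=$(head -n 1 "$pub")
    valid_ssh1_pubkey "$line" || { echo "bad key in $pub" >&2; return 1; }
    set -- $line
    key="$1 $2 $3"
    # create the file if needed and make it private before writing the key
    touch "$auth" && chmod 600 "$auth"
    if awk -v k="$key" '{ if (($1 " " $2 " " $3) == k) found = 1 } END { exit !found }' "$auth"; then
        echo present
    else
        echo "$line" >> "$auth"
        echo added
    fi
}
```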

Connect to the server using the key exchange

[user@foo.bar]$ ssh -l username rcf.rhic.bnl.gov
Enter passphrase for RSA key 'user@foo.bar' : *** ****** *** **
[username@rcf.rhic.bnl.gov]$
Note: you can omit '-l username' if your usernames are the same on foo.bar and on RCF.

The remaining problem is to avoid having to give your passphrase each time you connect. For this purpose, you must use the ssh-agent and ssh-add programs. Once you have given it your passphrase (with ssh-add), ssh-agent keeps the unlocked private key in memory and answers the server's challenge on behalf of any process that requests it, provided that the requesting process is a child process of ssh-agent itself. There are basically two ways of achieving this. The first one is valid for a whole X session, the second one only within a shell session.

Having a full X session 'ssh-agent'ed

The idea here is to start your X session from ssh-agent. This part largely depends on your own way of starting your X session, but assuming you use a ~/.xsession file, here is a way of doing it:
#! /bin/sh

SSH_AGENT="/usr/local/bin/ssh-agent"
SSH_ADD="/usr/local/bin/ssh-add"

# Run the whole session as a child of ssh-agent: ssh-add asks for the
# passphrase once, then the window manager and everything it starts inherit the agent.
exec $SSH_AGENT /bin/sh -c "$SSH_ADD; $KDEDIR/bin/startkde"
If you're using a ~/.Xclients file (and startx), you will probably need to redirect stdin from /dev/null in the ssh-add command in order to be prompted for your passphrase in X:
#! /bin/sh

SSH_AGENT="/usr/local/bin/ssh-agent"
SSH_ADD="/usr/local/bin/ssh-add"

# With stdin redirected from /dev/null, ssh-add has no terminal and prompts in X instead
exec $SSH_AGENT /bin/sh -c "$SSH_ADD  < /dev/null ; $KDEDIR/bin/startkde"
KDE being the window manager I personally use. You will be asked for your passphrase each time you start an X session.

Having a child shell 'ssh-agent'ed

Just launch a new shell from ssh-agent :
[user@foo.bar]$ ssh-agent csh
[user@foo.bar]$ ssh-add
Need passphrase for /home/user/.ssh/identity (user@foo.bar).
Enter passphrase: enter your passphrase here
You can now connect without giving your password or passphrase.

---

Getting an AFS token

As the PHENIX CVS Repository is under AFS, and you will need write access to the Repository (even just to make a checkout), you need a valid AFS token before you use any cvs command. To get an AFS token, do for example:
[user@foo.bar]$ ssh rcf.rhic.bnl.gov
[user@rcf.rhic.bnl.gov]$ klog
enter AFS password here


---

Setting up your CVS environment

Define, e.g. in your .login, your CVSROOT environment variable to be:
:ext:username@rcf.rhic.bnl.gov:/afs/rhic/phenix/PHENIX_CVS

and the CVS_RSH one to be ssh (or ssf for French users).


That's all folks; you should now be able to run cvs commands, e.g.:
[user@foo.bar]$ cvs co online


---
Contact: L. Aphecetche (aphecetc@in2p3.fr)
Last update: 18-May-1999