Project:Infrastructure/SSH key guide

This mini-guide explains on how to create and use ssh-keys, especially for use on cvs.gentoo.org.

Key Handling
Your SSH keypair authenticates you to Gentoo Infrastructure. Properly handling these keys is vital to keeping our machines safe. Please try to follow these guidelines:


 * Place your private keys only on machines you trust. This means only you have root on these machines and they are not shared with other users.
 * Do not trust Gentoo Infrastructure. Do not place copies of your keys on Gentoo machines (like dev.gentoo.org.) You may forward your SSH agent through Gentoo managed machines if they are configured to allow users to agent forward (more on forwarding later.)
 * Encrypt your keys with a strong passphrase. If you have trouble making a passphrase try emerge pwgen; pwgen -sB 25
 * Do not access Gentoo infrastructure from untrusted machines such as business kiosks at hotels, internet cafes, or machines at computer conferences. Many of these machines are infected with malware.
 * If you believe your keys were compromised, contact infrastructure immediately. You can do this via #gentoo-infra on irc.freenode.net or by emailing incidents@gentoo.org.
 * Official hostkey fingerprints for Gentoo Infrastructure servers are available on the server specifications page.

Creating the SSH keys
First of all, be physically logged on to your own computer. Make sure that no-one will see you typing stuff in, since we are going to type in passphrases and such. So get your pepperspray and fight all untrusted entities until you are home alone.

Now we are going to create our ssh keys, RSA keys to be exact. The key should be at least 2048 bits in length, but 4096 bits is recommended. Log onto your computer as the user that you are going to be using when you want to access cvs.gentoo.org. Then issue  :

Created files:

You may have more files than this, but the two files listed above are the ones that are really important.

The first file,, is your private key. Don't give this to anyone; never decrypt it on an untrusted machine. Gentoo Developers will never ask you for a copy of your private key.

The second file,, is your public key. Distribute this file amongst all hosts that you want to be able to access through SSH pubkey authentification. This file should be appended to on those remote hosts. Also add it to your local host so you can connect to that one too if you have several boxes.

Installing your public key on a machine using LDAP authentication for SSH
You should place your public key into LDAP, using, or  directly. The Infrastructure LDAP guide describes this in more detail.

Using keychain
Every time you want to log on to a remote host using SSH public key authentification, you will be asked to enter your passphrase. As much as everybody likes typing, too much is sometimes too much. Luckily, there is  to the rescue. There is an document on this one here, but I'll give you a quick introduction.

First, install  :

Now have keychain load up your private ssh key when you log on to your local box. To do so, add the following to. Again, this should be done on your local machine where you work at the Gentoo CVS.

The above is for the bash shell. Other shells have their own file to which these instructions can be added, such as for zsh.