Title: Committer SSH Access
Apache uses SSH (a cryptographic protocol for operating services securely over an unsecured network) to let committers access their home directories on people.apache.org.
Remember to keep your client up to date with security patches. When using SSH to connect to people.apache.org pay close attention to any known host warnings.
OpenSSH is a widely used and trusted suite of software using the SSH family of protocols.
The OpenSSH client uses by default configuration files in the ~/.ssh directory. The main configuration file is ~/.ssh/config and is optional. It may exist already. If it does not, you can create it in a simple text format. Group together instructions for a particular host (or group of hosts). Here is a suggested basic configuration:
<pre> # Apply to all hosts # Alternatively replace with: #Host \*.apache.org Host \* FallBackToRsh no Protocol 2,1 </pre>
Many other options are available.
To diagnose what's going wrong with an OpenSSH connection, run the client in verbose mode. To do this just add -v:
ssh -v -l committer people.apache.org
Only use batch mode in automated scripts. You will not be able to log in if ssh is configured to use batch mode.
The second generation in the ssh family of protocols. It is believed to be more secure than the first generation and the implementations are now mature. Certain flaws exist in the first generation protocols which do not exist in the second generation, so we recommend using SSH2 where possible.
The easiest way to diagnose a failing connection is to run your client in verbose mode. This will print up descriptions of the actions that the client is taking. Here is how to do this using OpenSSH.
If Authentication succeeded is present then this indicates that the issue lies in your machine login rather than in ssh.
If you are using OpenSSH, some instructions are available. Otherwise, please consult the manual.
You can use any client that supports SSH2. (It is possible to use older clients that support only SSH1 but that requires more knowledge.)
OpenSSH is a well known and trusted client that is available for most *nixes. Some notes on how to use OpenSSH to connect to Apache are here.
Public key infrastructure (PKI) enables the ssh family of protocols to operate without passing a password to the server. You use a passphrase to unlock a private key on the client machine, and a corresponding public key on the server for authentication the during the handshake. We recommend this as the most secure method of connection.
You can connect to people.apache.org using the SSH1 protocols, but only when using PKI.
SSH employs the known hosts mechanism to prevent man in the middle attacks. The first time that the client connects to a server, the fingerprint of the key used by that server is displayed to the user, who may to asked to confirm the identity of that server. For example:
The authenticity of host 'people.apache.org (209.237.237.194)' can't be established. RSA key fingerprint is 51:85:7d:8f:57:54:e7:6f:27:26:98:7a:c7:c1:47:87. Are you sure you want to continue connecting (yes/no)?
The fingerprints for people.apache.org can be found here. If the user elects to continue, this value is written to a known_hosts file. In future, when the user connects to the same server, the system checks this value and alerts the user if it has changed. Do not continue the connection after such an alert: contact infrastructure. This is of crucial importance when using keyboard interactive authentication.
Note: The fingerprint for the key used for ssh is different from the fingerprint of the certificate used to securely serve the website.
A class of attacks where the attacker masquerades as the server to the client and as the client to the server.