
Re: Question about svnbook

From: Holger Stratmann <tigris_at_finch.de>
Date: Tue, 10 Jun 2008 13:29:49 +0200

Hi Robert,

1) *oops*, I accidentally didn't reply to the group (and neither did
you). Fixed :-)
For those who want to follow up, my complete (first) reply and Robert's
reply are quoted below.
2) Please post in plain text!
3)

> Thanks for your post. Essentially, I imagine the SSH server has its
> private key, which it uses to verify the public key you send over the
> wire to it. If they match, you're authenticated.
Well, not quite, but something like that...
Basically, the "trick" with public/private key is that one key is used
to encrypt and a *different* key is used to decrypt. If you have only
one of them, you can encrypt, but you cannot decrypt (!) the message you
just encrypted (or vice versa).
At a simple level, the server asks the client to encrypt some piece of
information and then checks if it (the server) can decrypt it again...

> I do understand the basics of public/private key systems. ...
> I need to know whether to put the private or public key in the
> authorized_keys file.
a) Sorry to tell you that, but there's some conflict in those two
statements ;-)))

The private key is *TOP_SECRET* and therefore always stays on the client
machine.
Therefore, it is obvious that the key you upload to the server is the
public key.

b) Please DO take the time to follow the hints that are posted. For
example, in the link I posted last time, it says:

=== QUOTE http://rcsg-gsir.imsb-dsgi.nrc-cnrc.gc.ca/documents/internet/node31.html ===
>
> The private key was saved in .ssh/id_rsa. This file is read-only and
> only for you. No one else must see the content of that file, ...
>
> The public key is saved in .ssh/id_rsa.pub.
>
> ...
>
> Its content is then copied in file .ssh/authorized_keys of the system
> you wish to SSH to without being prompted for a password.
>
=== END QUOTE ===

Doesn't get any more explicit than that, does it?
The "tutorial" is not even one screen long (on a big screen *g*). Please
read it.

> I don't know where my public/private keys are.
They should be in your home directory. You're told where they are when
you generate them. It's your job to keep track of them. If you don't
know or don't remember which key is used where, you're in trouble
(there's no way of finding out (other than trial and error)).
In that case, I recommend generating new keys and "archiving" the old
ones (in case you do need them later on).

In this day and time, it's a good idea to generate new keys anyway :-(((((((
(in case you haven't heard: it's recently been discovered that almost
all keys generated on Debian systems (which includes Ubuntu) in the last
2 years are very weak and can be easily cracked :-(((
Therefore: Upgrade your Ubuntu to the latest version of OpenSSH before
generating your keys. Ubuntu 8.04 is vulnerable unless you upgrade to
"end of May"...

> There's also keys in /etc/ssh, which are also confusing
The keys in /etc/ssh should be the host keys.
On my (Ubuntu) system, they're called ssh_host_*_key*

> There's a lot of public/private keys on my system,
There's a lot of keys?!
How did they get there?

> when I only have one account I login with.
I'm confused. Are you talking about the client or the server now?

OK, how to continue?
If you don't know *precisely* what you're doing, it's always best to do
only one step at a time and check if it worked before doing the next step.
In this case: Just make sure you can login with an SSH key before
worrying about Subversion at all.

When you can log in without using a password, take another look at the
Subversion books. It looks like it should be easy at that point.
There's a ton of SSH-explanations online. I've already posted one of them...

Good luck,

Holger

> If there was only 1 pair of keys on the system I wouldn't be so
> confused and it would be more obvious which keys are mine.
>
> I'm still very new to Ubuntu Server and I'm learning as I go. I
> appreciate your help.

Robert Dailey wrote:
> On Mon, Jun 9, 2008 at 6:02 PM, Holger Stratmann <tigris_at_finch.de> wrote:
>
> Hi Robert,
>
> I'm not familiar with svnserve (I've always used Apache...), but
> I'm familiar with ssh, so I can help you with the first steps...
>
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshtricks
>
> I'm not sure what I'm supposed to put for the key type and
> value. In the example they use ssh-dsa and for the key they
> use some garbled random value
>
> *hahaha*
> Well, almost. Of course this is not some garbled random value. ok,
> well, in a way it is: It is something like a very very long
> password that a computer generated for you and that is impossible
> to guess. For some very clever reasons that are too complicated to
> explain in this post, you don't even need to keep it secret as
> long as you keep some other long number secret.
>
> The svnbook seems to make this more complicated than I want it
> to be.
>
> Well... the svnbook just (wrongly) assumes you know something
> about ssh public key authentication. And honestly, it's not
> svnbook's job to explain this subject.
>
> Try Google. :-) Look for "ssh-keygen password". Ten out of the
> first ten hits look promising :-)
> Just one random hit is:
> http://rcsg-gsir.imsb-dsgi.nrc-cnrc.gc.ca/documents/internet/node31.html
> Look at "The second method". This will generate the "garbled
> random value" for you. As mentioned above, this value is just half
> of what you need. You'll need a second garbled value on your own
> computer (see? One half of the secret on the server, the other
> half on your computer). ssh-keygen tells you where both pieces are
> stored.
> Unfortunately, I cannot tell you exactly how to use them for what
> you need because I've never used svnserve, but it'll be a good
> start...
>
> Good luck!
>
>
> P.S.: Please post in plain text.
>
>
> Thanks for your post. I do understand the basics of public/private key
> systems. Essentially, I imagine the SSH server has its private key,
> which it uses to verify the public key you send over the wire to it.
> If they match, you're authenticated. However, my questions are a
> little more specific. I do apologize for not having been more specific
> before.
>
> 1. I need to know whether to put the private or public key in the
> authorized_keys file.
> 2. I don't know where my public/private keys are. There's also keys
> in /etc/ssh, which are also confusing. There's a lot of
> public/private keys on my system, when I only have one account I
> login with. If there was only 1 pair of keys on the system I
> wouldn't be so confused and it would be more obvious which keys
> are mine.
>
> I'm still very new to Ubuntu Server and I'm learning as I go. I
> appreciate your help.

Received on 2008-06-10 13:31:01 CEST
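
The following shell script is an added example, not part of the archived message or of any project it mentions. It tells private key files from public ones by their first line, checks that a private key is readable only by its owner, and counts authorized_keys lines that are not public-key entries; the function names, the LOOSE-PERMS label and the sample directory contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Tells private from public key files and checks authorized_keys.

# Print "private", "public" or "other" for a file, judged by its first line.
classify_key_file() {
    local first=""
    IFS= read -r first < "$1" || [ -n "$first" ] || { echo other; return 0; }
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----"*) echo private ;;
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) echo public ;;
        *) echo other ;;
    esac
}

# Succeed only when group and others have no permission bits on the file.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Count authorized_keys lines that are not public-key entries (options such as
# command="..." may precede the key type; common key types only).
count_bad_authorized_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evc \
        '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)[[:space:]]+AAAA[A-Za-z0-9+/=]+' || true
}

# List each file in a directory such as ~/.ssh with its kind, flagging loose modes.
audit_ssh_dir() {
    local f kind
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(classify_key_file "$f")
        [ "$kind" = private ] && ! is_owner_only "$f" && kind="private,LOOSE-PERMS"
        printf '%s\t%s\n' "$kind" "${f##*/}"
    done
}

# Constructed sample directory (placeholder contents, not real keys).
make_sample_dir() {
    local d; d=$(mktemp -d)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' > "$d/id_rsa"; chmod 600 "$d/id_rsa"
    printf 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER user@client\n' > "$d/id_rsa.pub"
    { echo '# constructed sample'; cat "$d/id_rsa.pub"
      echo 'command="svnserve -t" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER svn@client'
      echo '-----BEGIN OPENSSH PRIVATE KEY-----'; } > "$d/authorized_keys"
    echo "$d"
}

d=$(make_sample_dir); audit_ssh_dir "$d"
echo "bad authorized_keys lines: $(count_bad_authorized_lines "$d/authorized_keys")"; rm -rf "$d"
```

To run it against a real account, call audit_ssh_dir on the client's ~/.ssh and count_bad_authorized_lines on the server's ~/.ssh/authorized_keys; a non-zero count there means something other than a public key was pasted in.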

This is an archived mail posted to the Subversion Users mailing list.