Howto: SVN+SSH with multiple users and password less logins (Part 2)
Right, I have been busy over the last few days creating our MVC engine and have finally finished (more about it in another post I expect). Anyway, this is the second bit of my little SVN+SSH with multiple users and password-less logins tutorial. In the last tutorial we covered the main bits, and in this one we are going to cover setting up password-less logins.
So how do we do password-less logins? Surely that would be insecure? Well, thank goodness it isn't. Basically we generate two keys, a private key and a public key. The public key you can let everybody know, but the private key you keep secret and it never leaves your machine. When you connect, the server sends a challenge, you sign it with the private key, and the server verifies that signature with the public key it has on file. If the signature checks out you are allowed in.
Setting up your keys
In this and the next tutorial I am going to give instructions on how to set this up for Windows and OS X, so let's start off with Windows as that requires the most effort.
Head over to the PuTTY download page and grab PuTTY, PuTTYgen and Pageant. For this first bit you will only need PuTTYgen, so launch that when it has downloaded.
When you have launched PuTTYgen select the SSH-2 DSA option at the bottom and then click the Generate button. It will ask you to move your mouse to generate some random events, and show you a progress bar. (One caveat: this tutorial uses DSA throughout, but SSH DSA keys are limited to 1024 bits and OpenSSH has refused them by default since version 7.0, so against a current server pick SSH-2 RSA, or Ed25519 if your PuTTYgen offers it, and substitute that wherever id_dsa appears below.)
Once it has finished it will show you the public key in the big box at the top. You will need this for later, so either leave PuTTYgen open or copy and paste it into Notepad. You need to keep it as one line, so don't press enter. Don't use the Save public key button for this: it writes a multi-line format that OpenSSH will not accept in authorized_keys, whereas the single line in the box is exactly what the server wants.
In the Key passphrase and Confirm passphrase boxes enter your passphrase. Once you have done that click the Save private key button to save a copy of your private key (a .ppk file).
OS X is easy, and you don't even have to download anything. Open up Terminal and run the following command:
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/luca/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/luca/.ssh/id_dsa.
Your public key has been saved in /Users/luca/.ssh/id_dsa.pub.
The key fingerprint is:
[A long hex string] luca@mboz
This will create the key for you, asking first where to save it. Just press enter to accept the file shown in brackets (on a current system use -t ed25519 or -t rsa instead of -t dsa, as OpenSSH has disabled DSA keys by default since 7.0). When it asks for a passphrase enter one. ssh-keygen insists on at least 5 characters, but pick something much longer: anyone who gets hold of the private key file can try passphrases against it offline, at their leisure, so it is the passphrase that stands between a stolen file and your server.
Ok, so let's go over what we have just done. We have generated a public and private key pair from random events and entered a passphrase. This passphrase is used to encrypt the private key on disk so that nobody can use it without the passphrase. If you forget your passphrase you will have to regenerate your keys, as it cannot be recovered.
Now, hopefully somebody will have spotted the catch. The passphrase is used to encrypt the private key, so every time we want to use the key the passphrase will be needed, which means so far we have only swapped typing a password for typing a passphrase. Right, but more on that later.
Setting up the server
This is another easy bit, but as before is more complicated if you are on Windows. PuTTY is an SSH client for Windows, so open it up and in the Host Name field enter the address of your server. Click on the Open button and then enter your username and password when it asks.
Now you need to put the public key (the one line from the big box) into a file called ~/.ssh/authorized_keys. If ~/.ssh does not exist yet, create it first with mkdir -m 700 ~/.ssh. Then the easiest way is to type echo ' (a single quote, so the shell does not interpret anything inside the key), paste your key in by right clicking, then type ' >> ~/.ssh/authorized_keys and press enter. Use two > signs: a single > would replace the file, throwing away any keys already in it. If you don't get any errors everything hopefully went alright.
Now onto the bit that had me stuck for hours: the permissions on this file. sshd, with its default StrictModes setting, refuses to use authorized_keys if the file, the ~/.ssh directory or your home directory is writable by group or others, and when it does so it says nothing and simply falls back to asking for your password. So the file needs to be private rather than readable to everything: enter chmod 600 ~/.ssh/authorized_keys and chmod 700 ~/.ssh and press enter. (chmod 755 on the file also satisfies sshd, since what it objects to is write access, but there is no reason to let every other user on the box read your key list.)
OS X is easy as usual, but we will do it a slightly different way to Windows. We are going to use scp to copy the public key to the server and then append it to the authorized_keys file. To copy the public key type:
$ scp ~/.ssh/id_dsa.pub [your-username]@[your-server]:.ssh/id_dsa.pub
Password:
id_dsa.pub 100% 1111 1.1KB/s 00:00
If the .ssh directory does not exist you will have to SSH in first and create it (mkdir -m 700 ~/.ssh). Next, SSH in again, append the key to the authorized_keys file (two > signs, so any keys already in there survive) and set the file permissions:
$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
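Both server-side procedures above (the PuTTY echo and the OS X scp-and-cat) boil down to the same thing: append one line to authorized_keys and get the permissions right. The script below is an added example, not code from the original tutorial, that does exactly that as a shell function you can run on the server, with the two mistakes that are easy to make (a lone > that wipes existing keys, and a world-readable file) designed out, plus a second function that reproduces sshd's StrictModes permission check so you can see why a key is being ignored. The home-dir argument and the constructed keys in the comments are assumptions for illustration; on a real server the function defaults to $HOME.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: install a public key on the
# server the way the PuTTY "echo" and the OS X "scp + cat" procedures intend,
# but avoiding their two pitfalls: a single ">" replaces authorized_keys
# (losing any keys already in it), and "chmod 755" leaves the file readable by
# every user on the box. What sshd (StrictModes, on by default) actually
# requires is that ~, ~/.ssh and authorized_keys are not writable by group or
# others; if they are, it silently ignores the key and prompts for a password.

# Usage: install_authorized_key "<one-line public key>" [home-dir]
# The home-dir argument is an assumption for testing on a scratch directory;
# it defaults to $HOME as on a real server.
install_authorized_key() {
    key=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # A public key is exactly one line: "<type> <base64> [comment]".
    nl=$(printf '\nx'); nl=${nl%x}            # a literal newline, portably
    case $key in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
    esac
    set -- $key                               # split into type / material / comment
    case ${1:-} in
        ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: ${1:-<empty>}" >&2; return 1 ;;
    esac
    [ -n "${2:-}" ] || { echo "key has no key material" >&2; return 1; }

    # Create ~/.ssh and the file if missing, private from the moment they exist.
    old_umask=$(umask)
    umask 077
    mkdir -p "$sshdir" || { umask "$old_umask"; return 1; }
    [ -e "$authkeys" ] || : > "$authkeys"
    umask "$old_umask"

    # Append (>>), and only if this exact line is not already there, so running
    # the procedure twice does not duplicate the key.
    grep -qxF -- "$key" "$authkeys" || printf '%s\n' "$key" >> "$authkeys"

    chmod 700 "$sshdir" && chmod 600 "$authkeys"
}

# Approximation of sshd's StrictModes check: succeed only if ~, ~/.ssh and
# authorized_keys all exist and none is writable by group or others.
# Uses ls -ld rather than stat, whose flags differ between GNU and BSD.
check_ssh_perms() {
    home=${1:-$HOME}
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. drwx------ or -rw-r--r--
        case $mode in                         # char 6 = group w, char 9 = other w
            ?????w*|????????w?) echo "bad permissions on $f: $mode" >&2; return 1 ;;
        esac
    done
    return 0
}
```

On the server you would paste the key from PuTTYgen's box (or the contents of id_dsa.pub) as the first argument and let the home directory default; if ssh still asks for a password afterwards, run check_ssh_perms and it will name the offending path.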
Setting up your SSH client
Now we have set up our server to know what our public keys are, so next we need to set up our SSH client to authenticate with the private key (the key itself is never sent; only a signature made with it is).
When you have launched PuTTY go to Connection -> SSH -> Auth on the left hand side. Under Private key file for authentication click Browse and find the .ppk file you saved. (Go back to Session and save the session afterwards, or you will be doing this every time.) If you open the connection again it will ask you for the passphrase:
login as: luca
Authenticating with public key "dsa-key-20070105"
Passphrase for key "dsa-key-20070105":
Once you have done that you should have a prompt!
OS X is super easy compared to that: assuming you saved it in the default location of ~/.ssh/id_dsa, if you SSH in again it should ask you for the passphrase straight away, so enter it and make sure it works! If it asks for your password instead, the server is ignoring your key; a permissions problem on the server (see above) is the usual cause, and ssh -v will show you which keys the client offered.
Ok, so now we can connect with our keys, but we still need to enter something, the passphrase, so how do we solve that? Onto the next section…
The Agent
Sorry, but I am not talking about a bloke from the FBI. In order to use your keys without having to enter a passphrase every time you need to use an agent program: it asks for the passphrase once, decrypts the private key, and then answers the SSH client's signing requests from memory for as long as it is running.
Under Windows we will use Pageant. To run it just drag your private key onto the Pageant icon and a window will pop up asking you for the passphrase. Enter it and click OK. Now as long as Pageant is running you won't need to enter your passphrase! Unfortunately (depending on how you look at it) Pageant does not store your passphrase on disk; it just decrypts your private key and keeps it in memory. This means each time you run it you have to enter your passphrase.
Another unfortunate thing is that it doesn't even keep track of which keys it has, so you have to load them in again each time it starts. Luckily it takes key files as command line arguments, so you can create a .bat file (or a shortcut in your Startup folder) which will load your key:
pageant.exe myprivatekey.ppk
If you launch that it will ask for your passphrase and then sit in the system tray. If you run PuTTY again and connect to your server you will see it doesn't ask for your passphrase!
OS X is a bit more difficult (** shock **) but it keeps track of your passphrase even if you reboot. To keep things secure it stores your passphrase in the Apple Keychain. Anyway, go over to the SSH Keychain website and download whatever the latest version is. (On OS X 10.5 Leopard and later you can skip this application: the system starts an ssh-agent for you at login and ssh-add can store the passphrase in the Keychain itself, with ssh-add -K on those releases and ssh-add --apple-use-keychain on current macOS.)
Once you have installed it and run it you should get a little icon in the menu bar up the top, next to the wireless icon. If you click on this and then select Agent -> Add Keys an open file dialogue will appear. Select your id_dsa file, and it will open a box asking you for your passphrase. Enter it, select the option to save it in your keychain and then click OK. Now a couple more things: select the Preferences option for SSH Keychain, go to Environment and enable the option there, which is what lets new Terminal windows find the agent.
If you now open up the Terminal you should be able to SSH into your server without being asked for a passphrase!
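For the same effect on OS X or Linux without a third-party menu bar application, OpenSSH's own ssh-agent and ssh-add do what Pageant does, and the script below is the counterpart of the pageant.exe .bat file above. It is an added example, not code from the original tutorial: sourced from ~/.profile, it starts one agent for the login, records its socket in a private file, and has every later shell reuse that agent rather than starting another, so the passphrase is typed once per login instead of once per Terminal window. The file names (~/.ssh/agent.env, ~/.ssh/id_dsa) are assumptions that follow the tutorial's defaults.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the OS X/Linux counterpart
# of the pageant.exe .bat file, using OpenSSH's ssh-agent and ssh-add.
# Source it from ~/.profile (". ~/.ssh/agent.sh"). The first shell of a login
# starts one agent and records its socket in $AGENT_ENV; every later shell
# re-reads that file and talks to the same agent, so the passphrase is typed
# once per login rather than once per Terminal window or once per ssh.
# The two paths below are assumptions: change them to taste.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}
KEY_FILE=${KEY_FILE:-$HOME/.ssh/id_dsa}     # the tutorial's default key location

# Recover SSH_AUTH_SOCK/SSH_AGENT_PID from a file written by "ssh-agent -s".
# The file is parsed, not sourced, so nothing else in it can be executed.
# Returns 1 if the file is missing or names no socket.
load_agent_env() {
    [ -r "$1" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p' "$1")
    [ -n "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    SSH_AGENT_PID=$pid;  export SSH_AGENT_PID
}

# True if the recorded agent is still running: its socket exists and
# "ssh-add -l" can reach it (exit 0 = keys loaded, 1 = no keys yet, 2 = no agent).
agent_is_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Start a fresh agent. Like Pageant it keeps the decrypted key in memory only;
# what goes on disk is just the socket path, and that file is made private.
start_agent() {
    (umask 077; ssh-agent -s > "$AGENT_ENV")
    load_agent_env "$AGENT_ENV"
}

# Load the key if the agent holds none yet; ssh-add prompts for the passphrase.
ensure_key_loaded() {
    ssh-add -l >/dev/null 2>&1 && return 0
    ssh-add "$KEY_FILE"
}

# Reuse the existing agent if it is alive, otherwise start one, then load the key.
agent_session() {
    if ! load_agent_env "$AGENT_ENV" || ! agent_is_alive; then
        start_agent || return 1
    fi
    ensure_key_loaded
}

# Only act on a machine that actually has OpenSSH and the key; elsewhere the
# functions are merely defined.
if command -v ssh-agent >/dev/null 2>&1 && [ -r "$KEY_FILE" ]; then
    agent_session
fi
```

Parsing the env file instead of sourcing it is deliberate: the file lives in your home directory and is only ever written by ssh-agent, but treating it as data rather than as a script means a tampered copy can set two variables and nothing more.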
Now hopefully you should have password-less SSH logins; if you haven't, go back through everything or leave a comment and I will see if I can help. The next tutorial will be about setting up our SVN GUI programs.