Show More
@@ -1,129 +1,138 b'' | |||
|
1 | 1 | .. _ssh-connection: |
|
2 | 2 | |
|
3 | 3 | SSH Connection |
|
4 | 4 | -------------- |
|
5 | 5 | |
|
6 |
If you wish to connect to your |
|
|
6 | If you wish to connect to your |repos| using SSH protocol, use the | |
|
7 | 7 | following instructions. |
|
8 | 8 | |
|
9 | .. note:: | |
|
10 | ||
|
11 | SSH access with full |RCE| permissions will require an Admin |authtoken|. | |
|
12 | ||
|
13 | You need to install the |RC| SSH tool on the server which is running | |
|
14 | the |RCE| instance. | |
|
15 | ||
|
16 | 1. Gather the following information about the instance you wish to connect to: | |
|
9 | 1. Include |RCE| generated `authorized_keys` file into your sshd_config. | |
|
17 | 10 | |
|
18 | * *Hostname*: Use the ``rccontrol status`` command to view instance details. | |
|
19 | * *API key*: From the |RCE|, go to | |
|
20 | :menuselection:`username --> My Account --> Auth Tokens` | |
|
21 | * *Configuration file*: Identify the configuration file for that instance, | |
|
22 | the default is :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` | |
|
23 | * Identify which |git| and |hg| packages your |RCM| instance is using. | |
|
11 | By default a file `authorized_keys_rhodecode` is created containing | |
|
12 | configuration and all allowed user connection keys are stored inside. | |
|
13 | On each change of stored keys inside |RCE| this file is updated with | |
|
14 | proper data. | |
|
24 | 15 | |
|
25 | * For |git|, see | |
|
26 | :menuselection:`Admin --> Settings --> System Info` | |
|
27 | * For |hg|, use the ``which hg`` command. | |
|
28 | ||
|
29 | 2. Clone the |RC| SSH script, | |
|
30 | ``hg clone https://code.rhodecode.com/rhodecode-ssh`` | |
|
31 | 3. Copy the ``sshwrapper.sample.ini``, and save it as ``sshwrapper.ini`` | |
|
32 | 4. Configure the :file:`sshwrapper.ini` file using the following example: | |
|
33 | ||
|
34 | .. code-block:: ini | |
|
16 | .. code-block:: bash | |
|
35 | 17 | |
|
36 | [api] | |
|
37 | host=http://localhost:10005 | |
|
38 | key=24a67076d69c84670132f55166ac79d1faafd660 | |
|
18 | # Edit sshd_config file most likely at /etc/ssh/sshd_config | |
|
19 | # add or edit the AuthorizedKeysFile, and set to use custom files | |
|
39 | 20 | |
|
40 | [shell] | |
|
41 | shell=/bin/bash -l | |
|
42 | ||
|
43 | [vcs] | |
|
44 | root=/path/to/repos/ | |
|
45 | ||
|
46 | [rhodecode] | |
|
47 | config=/home/user/.rccontrol/enterprise-3/rhodecode.ini | |
|
21 | AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode | |
|
48 | 22 | |
|
49 | [vcs:hg] | |
|
50 | path=/usr/bin/hg | |
|
23 | This way we use a separate file for SSH access and separate one for | |
|
24 | SSH access to |RCE| repositories. | |
|
51 | 25 | |
|
52 | # should be a base dir for all git binaries, i.e. not ../bin/git | |
|
53 | [vcs:git] | |
|
54 | path=/usr/bin | |
|
55 | 26 | |
|
56 | [keys] | |
|
57 | path=/home/user/.ssh/authorized_keys | |
|
27 | 2. Enable the SSH module on instance. | |
|
58 | 28 | |
|
59 | 5. Add the public key to your |RCE| instance server using the | |
|
60 | :file:`addkey.py` script. This script automatically creates | |
|
61 | the :file:`authorized_keys` file which was specified in your | |
|
62 | :file:`sshwrapper.ini` configuration. Use the following example: | |
|
29 | On the server where |RCE| is running executing: | |
|
63 | 30 | |
|
64 | 31 | .. code-block:: bash |
|
65 | 32 | |
|
66 | $ ./addkey.py --user username --shell --key /home/username/.ssh/id_rsa.pub | |
|
33 | rccontrol enable-module ssh {instance-id} | |
|
34 | ||
|
35 | This will add the following configuration into :file:`rhodecode.ini`. | |
|
36 | This also can be done manually: | |
|
37 | ||
|
38 | .. code-block:: ini | |
|
39 | ||
|
40 | ############################################################ | |
|
41 | ### SSH Support Settings ### | |
|
42 | ############################################################ | |
|
43 | ||
|
44 | ## Defines if a custom authorized_keys file should be created and written on | |
|
45 | ## any change user ssh keys. Setting this to false also disables posibility | |
|
46 | ## of adding SSH keys by users from web interface. Super admins can still | |
|
47 | ## manage SSH Keys. | |
|
48 | ssh.generate_authorized_keyfile = true | |
|
49 | ||
|
50 | ## Options for ssh, default is `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` | |
|
51 | # ssh.authorized_keys_ssh_opts = | |
|
67 | 52 | |
|
68 | .. important:: | |
|
53 | ## Path to the authrozied_keys file where the generate entries are placed. | |
|
54 | ## It is possible to have multiple key files specified in `sshd_config` e.g. | |
|
55 | ## AuthorizedKeysFile %h/.ssh/authorized_keys %h/.ssh/authorized_keys_rhodecode | |
|
56 | ssh.authorized_keys_file_path = ~/.ssh/authorized_keys_rhodecode | |
|
57 | ||
|
58 | ## Command to execute the SSH wrapper. The binary is available in the | |
|
59 | ## rhodecode installation directory. | |
|
60 | ## e.g ~/.rccontrol/community-1/profile/bin/rc-ssh-wrapper | |
|
61 | ssh.wrapper_cmd = ~/.rccontrol/community-1/rc-ssh-wrapper | |
|
62 | ||
|
63 | ## Allow shell when executing the ssh-wrapper command | |
|
64 | ssh.wrapper_cmd_allow_shell = false | |
|
65 | ||
|
66 | ## Enables logging, and detailed output send back to the client during SSH | |
|
67 | ## operations. Usefull for debugging, shouldn't be used in production. | |
|
68 | ssh.enable_debug_logging = false | |
|
69 | ||
|
70 | ## Paths to binary executable, by default they are the names, but we can | |
|
71 | ## override them if we want to use a custom one | |
|
72 | ssh.executable.hg = ~/.rccontrol/vcsserver-1/profile/bin/hg | |
|
73 | ssh.executable.git = ~/.rccontrol/vcsserver-1/profile/bin/git | |
|
74 | ssh.executable.svn = ~/.rccontrol/vcsserver-1/profile/bin/svnserve | |
|
69 | 75 |
|
|
70 | To give SSH access to all users, you will need to maintain | |
|
71 | each users |authtoken| in the :file:`authorized_keys` file. | |
|
76 | ||
|
77 | 3. Set base_url for instance to enable proper event handling (Optional): | |
|
78 | ||
|
79 | If you wish to have integrations working correctly via SSH please configure | |
|
80 | The Application base_url. | |
|
81 | ||
|
82 | Use the ``rccontrol status`` command to view instance details. | |
|
83 | Hostname is required for the integration to properly set the instance URL. | |
|
84 | ||
|
85 | When your hostname is known (e.g https://code.rhodecode.com) please set it | |
|
86 | inside :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` | |
|
87 | ||
|
88 | add into `[app:main]` section the following configuration: | |
|
89 | ||
|
90 | .. code-block:: ini | |
|
91 | ||
|
92 | app.base_url = https://code.rhodecode.com | |
|
93 | ||
|
72 | 94 |
|
|
73 | 6. Connect to your server using SSH from your local machine. | |
|
95 | 4. Add the public key to your user account for testing. | |
|
96 | First generate a new key, or use your existing one and have your public key | |
|
97 | at hand. | |
|
98 | ||
|
99 | Go to | |
|
100 | :menuselection:`My Account --> SSH Keys` and add the public key with proper description. | |
|
101 | ||
|
102 | This will generate a new entry inside our configured `authorized_keys_rhodecode` file. | |
|
103 | ||
|
104 | Test the connection from your local machine using the following example: | |
|
105 | ||
|
106 | .. note:: | |
|
107 | ||
|
108 | In case of connection problems please set | |
|
109 | `ssh.enable_debug_logging = true` inside the SSH configuration of | |
|
110 | :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` | |
|
111 | Then add, remove your SSH key and try connecting again. | |
|
112 | Debug logging will be printed to help find the problems on the server side. | |
|
113 | ||
|
114 | Test connection using the ssh command from the local machine | |
|
115 | ||
|
116 | ||
|
117 | For SVN: | |
|
74 | 118 | |
|
75 | 119 | .. code-block:: bash |
|
76 | 120 | |
|
77 | $ ssh user@localhost | |
|
78 | Enter passphrase for key '/home/username/.ssh/id_rsa': | |
|
79 | ||
|
80 | If you need to manually configure the ``authorized_keys`` file, | |
|
81 | add a line for each key using the following example: | |
|
82 | ||
|
83 | .. code-block:: vim | |
|
84 | ||
|
85 | command="/home/user/.rhodecode-ssh/sshwrapper.py --user username --shell", | |
|
86 | no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa yourpublickey | |
|
121 | SVN_SSH="ssh -i ~/.ssh/id_rsa_test_ssh" svn checkout svn+ssh://rhodecode@rc-server/repo_name | |
|
87 | 122 |
|
|
88 | .. tip:: | |
|
89 | ||
|
90 | Best practice would be to create a special SSH user account with each | |
|
91 | users |authtoken| attached. | |
|
92 | ||
|
93 | |RCE| will manage the user permissions based on the |authtoken| supplied. | |
|
94 | This would allow you to immediately revoke all SSH access by removing one | |
|
95 | user from your server if you needed to. | |
|
96 | ||
|
97 | See the following command line example of setting this up. These steps | |
|
98 | take place on the server. | |
|
123 | For GIT: | |
|
99 | 124 | |
|
100 | 125 | .. code-block:: bash |
|
101 | 126 | |
|
102 | # On the RhodeCode Enterprise server | |
|
103 | # set up user and clone SSH tool | |
|
104 | $ sudo adduser testuser | |
|
105 | $ sudo su - testuser | |
|
106 | $ hg clone https://code.rhodecode.com/rhodecode-ssh | |
|
107 | $ cd rhodecode-ssh | |
|
108 | ||
|
109 | # Copy and modify the sshwrapper.ini as explained in step 4 | |
|
110 | $ cp sshwrapper.sample.ini sshwrapper.ini | |
|
127 | GIT_SSH_COMMAND='ssh -i ~/.ssh/id_rsa_test_ssh' git clone ssh://rhodecode@rc-server/repo_name | |
|
111 | 128 | |
|
112 | $ cd ~ | |
|
113 | $ mkdir .ssh | |
|
114 | $ touch .ssh/authorized_keys | |
|
115 | ||
|
116 | # copy your ssh public key, id_rsa.pub, from your local machine | |
|
117 | # to the server. We’ll use it in the next step | |
|
118 | ||
|
119 | $ python addkey.py --user testuser --shell --key /path/to/id_rsa.pub | |
|
120 | ||
|
121 | # Note: testssh - user on the rhodecode instance | |
|
122 | $ chmod 755 sshwrapper.py | |
|
123 | ||
|
124 | Test the connection from your local machine using the following example: | |
|
129 | For Mercurial: | |
|
125 | 130 | |
|
126 | 131 | .. code-block:: bash |
|
127 | 132 | |
|
128 | # Test connection using the ssh command from the local machine | |
|
129 | $ ssh testuser@my-server.example.com | |
|
133 | Add to hgrc: | |
|
134 | ||
|
135 | [ui] | |
|
136 | ssh = ssh -C -i ~/.ssh/id_rsa_test_ssh | |
|
137 | ||
|
138 | hg clone ssh://rhodecode@rc-server/repo_name |
General Comments 0
You need to be logged in to leave comments.
Login now