This lesson is in the early stages of development (Alpha version)

Credentials

Overview

Teaching: 10 min
Exercises: 15 min
Questions
  • How do I add my credentials?

Objectives
  • Add your credentials to CERN’s Gitlab

NOTE: This is also documented elsewhere

See the gitlab documentation on the same topic

This episode assumes

  • You’re familear with git add and git commit
  • You already have an example local repository with a README file

In this episode we’ll finally get to putting something in gitlab. Of course if you’re going to put something on gitlab, you have to have a way to convince gitlab who you are. This is where authentication comes in.

Authentication: Several Options

There are a few ways to authenticate yourself, depending on the precise communication protocol that you want to use. Each of these has benefits and drawbacks.

Passwords (https:)

This is probably the method you’re most familiar with: every time you interact with gitlab, you’ll be prompted to enter a password. This is the authentication method when you use “https” to communicate with gitlab.

Advantages:

Disadvantages:

Note that while the communication is technically encrypted, the only way that gitlab can identify you is through your password. It turns out that there are much smarter ways to do this.

Public Key Cryptography (ssh)

If you don’t know much about public key cryptography it’s probably worth reading the wikipedia page on the subject. In essence it’s a bit of cryptograpic magic that enables secure communication without ever letting your “password” leave your laptop. Instead you’ll generate a key pair: the “private” key lives on your laptop, while the “public” one gets uploaded to gitlab.

In gitlab, this is supported via the “ssh” authentication method.

Advantages:

Disadvantages:

Since it’s more secure than passwords, automated transactions via ssh aren’t considered bad practice and are in fact encouraged. We’ll use this method by default since it streamlines an operation that you’ll have to do hundreds of times over the next few days.

Kerberos (krb5)

Kerberos offers the best, or worst, of both worlds:

It requires some less-than-standard packages as well. This is the default method at CERN1 but we won’t use it here.

Setting up ssh

Because the ssh authentication protocol is secure and common, that is the method that we will configure here and which is commonly used in ATLAS.

Chances are you might already have one of these pairs kicking around. The public key usually lives in ~/.ssh/id_rsa.pub, whereas the private key is usually called ~/.ssh/id_rsa. If you already have these, you can skip to the next section.

If you don’t have a keypair, you can generate one now (other documentation on how to do this)

ssh-keygen -f ~/.ssh/id_rsa -N '' -C 'test@cern.ch'

If you leave off -f the utility will prompt you to give a location for the file, but the default (~/.ssh/id_rsa) should be fine. The -N option means that we won’t use a password, and the -C option specifies a “comment”. The comment is for your own records: using your email address is a good way to ensure that everyone knows who it belongs to.

Now let’s look at your public key:

cat ~/.ssh/id_rsa.pub

should print something similar to

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+AhAzgscltRnYdGI1KTz3H5jr2d/tkgmCK1GxytDYdO4HQdCOpn7pZHK1UcTScW03LrAP8Fbye+QfAVZszeiCOdMy6Emo45HjX2T2nL8zO6OxCXutruOavyFMYu4xfpZ830wJ/wLv0D58plzTrifxkzuvZEnPNr+3ytWf7jUipWbrFExcm+AfyCEc+SYnIYcp+nBlNzUKTCX06EX4uy3PFMaqaGI1+9/bckiu0QHLJei6sAHPdcv8wN18HkLqwjORmVbJOVPEsxRgTXQ35e7DQB9OBqQcEbQ2QIBMKDG7YV5yQ/0kOPbxGIGXnUoas0ZqeaK5gnAP26VlAfMeGOn5 test@cern.ch

Note the test@cern.ch at the end.

Application Specific Keys

We said earlier that you should never share your private key with anyone. This isn’t always practical: sometimes you might need your private key on a server somewhere, for example.

But if your private key becomes compromised, you’ll have to delete your private key everywhere to make sure no steals your identy. You can make this slightly less likely by generating a key just for gitlab. Instead of using the default key location, use something like ~/.ssh/gitlab. Then tell your computer to use the gitlab key when connecting to Gitlab by adding this to your .ssh/config file:

Host gitlab.cern.ch
 User git
 Hostname gitlab.cern.ch
 IdentityFile ~/.ssh/gitlab

Now that you have the keypair, we’ll have to upload the public key to Gitlab.

Uploading your public key

You can upload your key via the gitlab interface. The instructions there should be pretty clear: open the .ssh/*.pub file with your text editor, and copy it into the “key” field. Give the key a name that describes where it came from, i.e. “laptop ssh key”.

Notes

  1. CERN’s use of Kerberos is most obvious if you use the AFS file system (you do if you have a home area on lxplus). Beyond AFS few services require it. There is an ongoing effort to phase out AFS entirely but this is unlikely to happen before run LHC 4. 

Key Points

  • Use your .ssh/id_rsa and .ssh/id_rsa.pub keys to verify your identy to CERN