SSH

SSH Overview

SSH is a protocol designed to allow secure communication between hosts on the Internet. All SourceForge.net project services for developers (including file management and Git, Hg, and SVN write access) are provided using SSH.

SSH Clients

SourceForge.net supports two SSH clients: OpenSSH and PuTTY. OpenSSH is included with Windows, Linux, FreeBSD, Mac OS X. PuTTY is only available for Microsoft Windows users.

OpenSSH provides the following tools:

• ssh: command-line and interactive tool for interactive host access, executing commands on a remote host, wrapping other protocols (like Git) with SSH.
• scp: command-line file transfer client.
• sftp: interactive file transfer client.
• ssh-keygen: a tool for generating SSH keys.
• ssh-agent: a tool for storing SSH key credentials for authentication without prompting the user for key passwords.
• ssh-add: a tool for adding SSH key credentials to the agent (ssh-agent).

PuTTY provides the following tools:

• PUTTY.EXE: GUI tool for interactive host access. Similar purpose to the 'ssh' tool from OpenSSH.
• Plink.EXE: command-line/terminal-based tool used to execute commands on a remote host and wrap other protocols (like Git) with SSH; may be used in scripts. Similar purpose to the 'ssh' tool from OpenSSH.
• PSCP.EXE: command-line file transfer client; may be used in scripts. Similar purpose to the 'SCP' tool from OpenSSH.
• PSFTP.EXE: terminal-based file transfer client. Similar purpose to the 'sftp' tool from OpenSSH.
• PUTTYgen.EXE: a tool for generating SSH keys. Similar purpose to the 'ssh-keygen' tool from OpenSSH.
• PAGEANT.EXE: a tool for storing SSH key credentials for authentication. Similar purpose to 'ssh-add' and 'ssh-agent' tools from OpenSSH.

PuTTY, the SSH client, supported by SourceForge.net for Microsoft Windows users, does not include a GUI-based file transfer client. WinSCP, hosted on SourceForge.net, is an excellent file transfer tool with an easy-to-use graphical interface. WinSCP is compatible with the PuTTY tool suite.

Other SSH client suites exist but are not directly supported by SourceForge.net staff.

Host Access Authorization

All SSH-based services at SourceForge.net (including file management and Git, Hg, and SVN write access) are provided solely to members of Open Source software development projects hosted on SourceForge.net.

When users are added as members to a project, they are immediately granted permission to log in to the project shell servers via SSH.

Project administrators can grant developers write access to the project repositories or the project webspace. This permission is set when the developer is added to the project team and may be changed later.

The project permissions impact host access in the following manner:

• The project permissions set by the project administrator do not restrict users from logging in to the project shell service.
• Project permissions restrict the data that can be modified after logging in.
• Developers may only access repositories via SSH when granted write access to the repository.

If a developer is subsequently removed from a project by the project administrator, they will not lose their access to the project shell server, but they will be removed from the project group. This access persists to permit file retrieval.

SourceForge.net Hosts

Host Keys: As a further security improvement to authenticating a host via SSH, hosts will also authenticate themselves to your client. This authentication is done via host keys. SourceForge.net maintains a listing of fingerprints for all SSH-accessible hosts.

SourceForge.net Username

All SourceForge.net hosts will be accessed using the same username as your account on the SourceForge.net site (as specified during account registration). User accounts are provided on a per-user basis to developers, not per project; there are no user accounts for projects.

SSH Key Authentication

SSH authentication to SourceForge.net hosts is done using shared keys. Before you can access SSH-based services at SourceForge.net, you must generate and post SSH keys for your account. Detailed instructions are provided regarding SSH key generation. You must follow the provided instructions for generating and posting your SSH key as shared key support at SourceForge.net may differ from other implementations.

File Transfers

SSH-based file transfer tools are used to transmit project web content to the project shell servers. The tools available on most OS platforms support multiple file transfer methods. It would be best if you determined which tool is most appropriate for the file transfers you need to perform:

• SCP clients (SCP from OpenSSH, 'PSCP.EXE' from PuTTY) are command-line driven and may be used interactively or to automate file transfers within scripts.
• SFTP clients ('sftp' from OpenSSH, 'PSFTP.EXE' from PuTTY) are terminal-based and require user interaction to perform file transfers.
• Rsync over SSH may be used interactively or to automate file transfers within scripts. The benefit of using rsync is that file transfers may be aborted and resumed later, particularly important when transferring large files.
• WinSCP is a graphical file transfer client for Microsoft Windows users.

For documentation on those, please see these pages which contain settings and details:

• File Management
• SCP (Secure CoPy).
• SFTP (Secure FTP).
• Rsync over SSH.

PuTTY-Specific Instructions

Host sessions and SSH protocol version: The PuTTY suite allows you to create session profiles associated with hosts. This will enable you to easily manage the SSH settings used to access various hosts. This feature is equivalent to the settings in the /etc/ssh/ssh_config file used by OpenSSH. The protocol version set in the profile should match the protocol version of the SSH keys you are using to access that host.

Updates: As with any security-oriented software, it is important that you install updates provided by your software vendor. Most OpenSSH-supported platforms use automated updates to ensure security fixes are applied regularly. Since PuTTY is a third-party application, you should periodically check the PuTTY website for new updates to the application.

Troubleshooting

The following issues are common SSH-related problems; the provided troubleshooting instructions should be followed before reporting these types of issues to SourceForge.net staff.

For all issue types, you should review the verbose output of your SSH client to see if there are any leads to help you resolve the problem. Verbose output may be enabled using command-line options. The verbose output may be enabled for OpenSSH users using the -v option, i.e., ssh -v USERNAME@HOSTNAME. Verbose output may also be enabled using the -v option to the PLINK.EXE tool from PuTTY.
Connection problems can be caused by network outages, host outages, or firewall restrictions.
Authentication issues occur due to key issues and improper hostname and username specifications.
SSH host key mismatches are serious and may be caused either by a security compromise or by the misconfiguration of your SSH client.

Troubleshooting Authentication Issues

The following steps should be followed when authentication issues are encountered:

Are you a developer on a project? You can check that on the my SourceForge.net page. If no projects are listed under the My Projects heading, you are not eligible for access to these services.
Verify that the correct hostname is being used. A common error is to misspell the SourceForge.net domain name or to include your project's UNIX name in the hostname.
Verify that your username is specified correctly. Your username will be the same as the username used on the SourceForge.net site. Usernames are not issued for projects, only for individual developers.
SSH key agent must be loaded with your key. Your SSH key must be loaded into the SSH agent if it is not otherwise being loaded (OpenSSH will automatically load keys from specific files within your home directory).
If the provided tips do not resolve your authentication issue, don't hesitate to contact SourceForge.net staff by submitting a Support Request.

Troubleshooting SSH Host Key Mismatches

As a further security improvement to authenticating to a host via SSH, hosts will also authenticate themselves to your client. When you first connect to a host using SSH, your SSH client will ask you whether or not you want to accept the SSH key provided by the host.

At this time, you check the host key against the SSH host key listing published by SourceForge.net to make sure they match and that you are connecting to the correct host.

When you accept the host key, a copy of that key is stored on the disk for comparison during future connections to that host. If the key is found not to match in the future when connecting to the host, you will see a WARNING message that indicates a security issue.