SSH

SSH Overview

SSH is a protocol designed to allow secure communication between hosts on the Internet. All SourceForge.net project services for developers (including shell service and Git, Hg, and SVN write access) are provided using SSH.

SSH Clients

SourceForge.net supports two SSH clients: OpenSSH and PuTTY. OpenSSH is included with Linux, FreeBSD, Mac OS X, and Cygwin (which runs on Microsoft Windows platforms). PuTTY is available for Microsoft Windows users.

OpenSSH provides the following tools:

• ssh: command-line and interactive tool for interactive host access, executing commands on a remote host, wrapping other protocols (like Git) with SSH.
• scp: command-line file transfer client.
• sftp: interactive file transfer client.
• ssh-keygen: tool for generating SSH keys.
• ssh-agent: tool for storing SSH key credentials for authentication without prompting the user for key passwords.
• ssh-add: tool for adding SSH key credentials to the agent (ssh-agent).

PuTTY provides the following tools:

• PUTTY.EXE: GUI tool for interactive host access. Similar purpose to the 'ssh' tool from OpenSSH.
• Plink.EXE: command-line/terminal-based tool used for executing commands on a remote host and wrapping other protocols (like Git) with SSH; may be used in scripts. Similar purpose to the 'ssh' tool from OpenSSH.
• PSCP.EXE: command-line file transfer client; may be used in scripts. Similar purpose to the 'scp' tool from OpenSSH.
• PSFTP.EXE: terminal-based file transfer client. Similar purpose to the 'sftp' tool from OpenSSH.
• PUTTYgen.EXE: tool for generating SSH keys. Similar purpose to the 'ssh-keygen' tool from OpenSSH.
• PAGEANT.EXE: tool for storing SSH key credentials for authentication. Similar purpose to 'ssh-add' and 'ssh-agent' tools from OpenSSH.

PuTTY, the SSH client supported by SourceForge.net for Microsoft Windows users, does not include a GUI-based file transfer client. WinSCP, hosted on SourceForge.net, is an excellent file transfer tool, which has an easy-to-use graphical interface. WinSCP is compatible with the PuTTY tool suite.

Other SSH client suites exist, but are not directly supported by SourceForge.net staff.

Host Access Authorization

All SSH-based services at SourceForge.net (including shell service and Git, Hg, and SVN write access) are provided solely to members of Open Source software development projects hosted on SourceForge.net.

When a user is added as a member to a project, they are immediately granted permission to login to the project shell servers via SSH.

Project administrators are able to grant developers write access to the project repositories or to the project web space. This permission is set when the developer is added to the project team and may be changed later.

Project permissions impact host access in the following manner:

• The project permissions set by the project administrator do not restrict users from logging-in to the project shell service.
• Project permissions restrict the data that can be modified after logging-in.
• Developers may only access repositories via SSH when they have been granted write access to the repository.

If a developer is subsequently removed from a project by the project administrator, they will not lose their access to the project shell server, but they will be removed from the project group. This access persists as to permit file retrieval.

SourceForge.net Hosts

The following hostnames may be used to access SourceForge.net developer services via SSH:

• shell.sourceforge.net: The project shell servers are provided to allow projects to manage their project web content. Interactive access, file transfers and remote command execution are possible.

Host Keys: As a further security improvement to the process of authenticating to a host via SSH, hosts will also authenticate themselves to your client. This authentication is done via host keys. SourceForge.net maintains a listing of fingerprints for all SSH-accessible hosts.

SourceForge.net Username

All SourceForge.net hosts will be accessed using the same username as your account on the SourceForge.net site (as specified during account registration). User accounts are provided on a per-user basis to developers, not on a per-project basis; there are no user accounts for projects.

SSH Key Authentication

SSH authentication to SourceForge.net hosts is done using shared keys. Before you can access SSH-based services at SourceForge.net, you will need to generate and post SSH keys for your account. Detailed instructions are provided regarding SSH key generation. It is important that you follow the provided instructions for generating and posting your SSH key as shared key support at SourceForge.net may differ from other implementations.

Interactive SSH Sessions

Interactive SSH access allows for users to connect to a remote host and access a shell, where they may run commands. Interactive access is provided on the project shell servers.

To get interactive access to SourceForge.net host, you must generate and post your SSH key and then use an SSH client to login to the host. This process varies depending on what client you are using. Graphical clients typically have fields that need such information as:

port: 22
hostname: shell.sourceforge.net
protocol: SSH2 or SSH1 (SSH2 preferred)
username: Your SourceForge.net username
password: Your SourceForge.net password
A typical connection using a non-graphical client will look similar to the following (replace 'ssh' with 'plink' if using the PuTTY suite instead of OpenSSH):

All commands are executed from a command prompt on your workstation. The caps words should be replaced with your username.

$ ssh -t USERNAME@shell.sourceforge.net create

An example of trying to connect to the shell server with an example username of bob

$ ssh -t bob@shell.sourceforge.net create

Not sure what to do after logging-in? Basic instructions on using the shell to interactively perform common operations on the shell server are provided.

File Transfers

SSH-based file transfer tools are used to transmit project web content to the project shell servers. The tools available on most OS platforms support multiple file transfer methods. You should determine which tool is most appropriate for the file transfers you need to perform:

• SCP clients ('scp' from OpenSSH, 'PSCP.EXE' from PuTTY) are command-line driven and may be used interactively or to automate file transfers within scripts.
• SFTP clients ('sftp' from OpenSSH, 'PSFTP.EXE' from PuTTY) are terminal-based and require user interaction to perform file transfers.
• Rsync over SSH may be used interactively or to automate file transfers within scripts. The benefit of using rsync is that file transfers may be aborted and resumed later; particularly important when transferring large files.
• WinSCP is a graphical file transfer client for Microsoft Windows users.

For documentation on those, please see these pages which contain settings and details:

• File Management
• SCP (Secure CoPy).
• SFTP (Secure FTP).
• Rsync over SSH.

X11 Forwarding

X11 forwarding is not supported by any SourceForge.net host. Outbound connectivity from SourceForge.net hosts is heavily restricted, preventing remote display from X11 applications. The X11 forwarding feature of SSH is not enabled or supported.

PuTTY-Specific Instructions

Host sessions and SSH protocol version: The PuTTY suite allows you to create session profiles that are associated with hosts. This allows you to easily manage the SSH settings used to access various hosts. This feature is equivalent to the settings in the /etc/ssh/ssh_config file used by OpenSSH. Protocol version set in the profile should match the protocol version of the SSH keys you are using to access that host.

Updates: As with any security-oriented software, it is important that you install updates provided by your software vendor. Automated updates are used by most OpenSSH-supported platforms to ensure security fixes are applied regularly. Since PuTTY is a third-party application, you should regularly check the PuTTY site for new updates to the application.

Troubleshooting

Issues with the usage of SSH should be reported to SourceForge.net Staff by submitting a Support Request.

Host outages are announced on the Site Status page. Issues listed on these status pages should not be reported.

Please upgrade your SSH client to the newest revision before reporting problems. SourceForge.net hosts are kept on the latest vendor-supplied SSH server releases; occassionally these upgrades will break backward compatibility. Keeping your system up-to-date is important to ensure compatibility with other hosts on the Internet and to eliminate potential security vulnerabilities.

The following issues are common SSH-related problems; the provided troubleshooting instructions should be followed before reporting these types of problems to SourceForge.net staff.

For all issue types, you should review the verbose output of your SSH client to see if there are any leads to help you resolve the problem. Verbose output may be enabled using command-line options. For OpenSSH users, verbose output may be enabled using the -v option; i.e. ssh -v USERNAME@HOSTNAME. Verbose output may also be enabled using the -v option to the PLINK.EXE tool from PuTTY.
Connection problems can be caused by network outages, host outages, or firewall restrictions.
Authentication issues occur due to key issues, and improper hostname and username specifications.
SSH host key mismatches are serious, and may be caused either by a security compromise or by misconfiguration of your SSH client.
Troubleshooting Connection Problems
SourceForge.net hosts use the standard TCP port of 22 for all SSH operations.

Connection problems to SourceForge.net hosts cannot be diagnosed using PING or traceroute due to the design of the SourceForge.net network. SourceForge.net hosts will respond to a limited total number of PING packets each second. Our firewall will drop most PING packets without response. PING and traceroute cannot be used to test host access or network connection problems.

Troubleshooting Authentication Issues

The following steps should be followed when authentication issues are encountered:

Are you a developer on a project? You can check that on the my SourceForge.net page. If no project's are listed under the My Projects heading, you are not eligible for access to any of these services.
Verify that the correct hostname is being used. A common error is to misspell the SourceForge.net domain name or to include your project's UNIX name in the host name.
Verify that your username is properly specified. Your username will be the same as the username used on the SourceForge.net site. Usernames are not issues for projects, only for individual developers.
SSH protocol version must match key type. SourceForge.net hosts support both the SSH1 and SSH2 protocols. You must connect to the host using the same SSH protocol version as was used for your SSH key.
SSH key agent must be loaded with your key. Your SSH key must be loaded in to the SSH agent if it is not otherwise being loaded (OpenSSH will automatically load keys from specific files within your home directory).
If the provided tips to not resolve your authentication issue, please contact SourceForge.net staff by submitting a Support Request.

Troubleshooting SSH Host Key Mismatches

As a further security improvement to the process of authenticating to a host via SSH, hosts will also authenticate themselves to your client. When you first connect to a host using SSH, your SSH client will ask you whether or not you want to accept the SSH key provided by the host.

At this time, you check the host key against the SSH host key listing published by SourceForge.net, to make sure they match and that you are connecting to the right host.

When you accept the host key, a copy of that key is stored on-disk for comparison during future connections to that host. If the key is found not to match in the future when connecting to the host, will see a WARNING message that indicates a security issue. These issues are serious and should be handled using the instructions provided for handling host key change warnings.

We have provided more information on Key Change Warnings, throughout these docs.