Accessing DAVE Embedded Systems restricted git repositories

From DAVE Developer's Wiki
Jump to: navigation, search


Info Box
VirtualMachine.png Applies to DVDK
VirtualMachine.png Applies to MVM


Introduction

Generally speaking, source code maintained by DAVE Embedded Systems is delivered to customers via restricted-access git repositories. To access these repositories a public key is required, as described in the following section.

On explicit request, DAVE Embedded Systems also provide https access to its repositories. Please see the https section below for more information.

Public key access

Public key is the default authorization system for our git repositories. User needs to generate a RSA key pair and send the public key to the support team, which will grant access to the specific repository.

RSA key generation

Please follow this procedure to generate the RSA ssh key. It is assumed that the host machine is Linux-based (such as DVDKs and MVMs).

  • pick you main corporate e-mail and use it instead of myname@mycompany.com in the examples below
  • start the host machine and log in into it
  • start a shell session (usually with CTRL-ALT-T)
  • enter the .ssh subdirectory into your home directory: cd ~/.ssh/
  • launch the following command:
ssh-keygen -t rsa -C "myname@mycompany.com" -f myname@mycompany.com
  • this command creates the files ~/.ssh/myname@mycompany.com (private key) and ~/.ssh/myname@mycompany.com.pub (public key)
  • edit your ~/.ssh/config by adding the following lines:
Host git.dave.eu
    User git
    Hostname git.dave.eu
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/myname@mycompany.com


  • Send the request for the creation of a new public git account associated to your username, to the following support email address: support@dave.eu. Please indicate in the subject the name of the product and/or the development kit. The technical support team will enable the account and send you a confirmation as soon as possible.
  • Once you have the confirm that your account has been enabled, the easier way to check that everything is configured correctly is to run the following command on you development workstation
ssh git@git.dave.eu

The output will show you not only that you have successfully login into DAVE Embedded Systems' git server but also which repository you can access and with what access rights. In the following example the user have access all XUELK repository in read-only mode:

bash# ssh git@git.dave.eu
PTY allocation request failed on channel 0
hello YOURNAME, this is gitolite 2.2-1 (Debian) running on git 1.7.9.5
the gitolite config gives you the following access:
     R     	lynx/..*
Connection to git.dave.eu closed.

Troubleshooting

In case of trouble use ssh verbose mode by using -vvv command line switch (ssh -vvv git@git.dave.eu) and send its output text to DAVE Embedded Systems' support team.

Server fingerprint

When establishing the fist ssh connection, the default behavior of Linux ssh clients is to ask about ECDSA fingerprint confirmation, which will look like the following:

bash# ssh git@git.dave.eu
The authenticity of host 'git.dave.eu (46.252.156.152)' can't be established.
ECDSA key fingerprint is ff:1b:14:0e:f8:89:af:40:52:18:6e:9f:6f:1f:a7:d4.
Are you sure you want to continue connecting (yes/no)? 

or:

bash# ssh git@git.dave.eu
The authenticity of host 'git.dave.eu (46.252.156.152)' can't be established.
ECDSA key fingerprint is SHA256:P3RfK2M6ICVfvzKAozujgMopvos7Ls897qG/FqInr54.
Are you sure you want to continue connecting (yes/no)? 

Current git.dave.eu ECDSA fingerprint are listed below:

Hash Fingerprint
SHA256 P3RfK2M6ICVfvzKAozujgMopvos7Ls897qG/FqInr54
MD5 ff:1b:14:0e:f8:89:af:40:52:18:6e:9f:6f:1f:a7:d4

In case of server move (e.g. to improve it's performance), serve side RSA keys, and this its signatures, will get updated too. In this case standard ssh clients will refuse to connect showing a warning like the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The ECDSA host key for git.dave.eu has changed,
and the key for the corresponding IP address xxx.xxx.xxx.xxx
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /home/user/.ssh/known_hosts:24
  remove with: ssh-keygen -f "/home/user/.ssh/known_hosts" -R xxx.xxx.xxx.xxx
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
ff:1b:14:0e:f8:89:af:40:52:18:6e:9f:6f:1f:a7:d4.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:31
  remove with: ssh-keygen -f "/home/user/.ssh/known_hosts" -R git.dave.eu
ECDSA host key for git.dave.eu has changed and you have requested strict checking.
Host key verification failed.

In this case:

  • take a look on this page to check the ECDSA signature
  • if the signature corresponds, use the following command to clear the obsolete local cached signature
ssh-keygen -f ~/.ssh/known_hosts -R git.dave.eu

Upon next connection, ssh client will prompt the user to confirm ECDSA signature like it was the first time connecting to the server.

Your Identity

The first thing you should do when you install git is to set your user name and email address. This is important because every git commit uses this information, and they are written into your commits:

git config --global user.name "Name Surname"
git config --global user.email myname@mycompany.com

Please find documentation here and here for more information.

HTTPS access

Some organization filter all outgoing Internet communication apart the one using standard HTTP/HTTPS well known ports (TCP 80 and 443). This will prevent also SSH connection (TCP 22) and, thus, will not allow to access DAVE Embedded Systems' git repositories using the public key authentication method.

To let those organization access git server, we also provide HTTPS connection, using a standard username/password pair.

Access credential

Access credential are generated on-demand by DAVE Embedded Systems support team. If you need https access, write an email to us and we'll generate the credential for you.

Please note that username and password cannot be reset neither recovery without contacting the support team via email

Git URI mapping

The default access to our git repositories is via public key and, thus SSH. For this reason all the GIT URI on our documentation (in all forms) are the ssh one. However there's a simple rule to map SSH URI to HTTPS URI as follows

SSH URI HTTPS URI
git@git.dave.eu:project/repository.git https://git.dave.eu/git/project/repository.git

E.g. git@git.dave.eu:lynx/linux-2.6-imx.git can be accesses via https as https://git.dave.eu/git/lynx/linux-2.6-imx.git

Username/password caching

By default, every git command executed via https on git.dave.eu will ask for the username/password couple. This might be annoying and a simple workaround is to let git cache your credential on the current shell for a given time.

First of all enable credential caching, in your global git configuration, e.g.:

git config credential.helper cache

User can change the default cache drop timeout by adding --timeout=secs paramater. E.g. the following command set caching timeout to 5 minutes:

git config credential.helper 'cache --timeout=300'

For more information, see the official git documentation