How to set up your ssh access

Setting up your ssh access will depend on whether you’re using your PGP Auth subkey for ssh purposes, a FIDO2 key, or if you were issued a private key from kernel.org.

If you sent in your FIDO2 ssh key

See 2-factor auth with FIDO2 keys for detailed information on setting up FIDO2 keys.

You should just need the following in your .ssh/config:

Host gitolite.kernel.org
  User git
  IdentityFile ~/.ssh/id_ed25519_sk
  # You can specify your backup key as well, if you created one
  # They will be tried in the order specified
  #IdentityFile ~/.ssh/id_ed25519_sk_backup
  # Only use the keys listed above, not any others
  IdentitiesOnly yes
  # Don't try to use the ssh agent for PIN-protected cards
  IdentityAgent none
  # Don't forward my ssh agent to the remote
  ClearAllForwardings yes
  # Establish a persistent connection to avoid constantly having to
  # re-authenticate with PIN and touch
  ControlMaster auto
  # Close the connection after 1H of inactivity (adjust as needed)
  ControlPersist 1H
  ControlPath ~/.ssh/cm-%r@%h:%p
  # Send a null packet every 60 seconds (this helps with many NAT routers)
  ServerAliveInterval 60

To verify if everything is working, run ssh git@gitolite.kernel.org help.

If you received a ssh private key from kernel.org

Follow this procedure if you received an encrypted tarball containing the SSH private key to use for accessing your kernel.org account. Place that private key into your ~/.ssh directory, e.g.:

cp korg-username ~/.ssh/id_korg

You can change the automatically generated key passphrase using ssh-keygen -p.

Important

You should always keep your ssh key protected by a passphrase.

Add the following entries into your .ssh/config:

Host gitolite.kernel.org
  User git
  IdentityFile ~/.ssh/id_korg
  IdentitiesOnly yes
  ClearAllForwardings yes
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 1H
  ServerAliveInterval 60

If we used your PGP Authentication subkey

If we found an Authentication ([A]) subkey on your PGP key, then we have set up your access to use that key, instead of creating new ssh private keys. This is what you need to do to configure your ssh client to use that subkey:

Add this to your .bashrc:

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

You will need to kill the existing gpg-agent process and start a new login session for the changes to take effect:

$ killall gpg-agent
$ bash
$ ssh-add -L

The first entry in the output should be the ssh public key derived from your PGP Auth subkey – it should have “cardno:XXXXXXXX” at the end in the comment section.

Now add this to your .ssh/config:

Host gitolite.kernel.org
  User git
  ClearAllForwardings yes
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 1H
  ServerAliveInterval 60

To verify if everything is working, run ssh git@gitolite.kernel.org help.

Connecting from networks that block port 22

If you are on a network that blocks outbound port 22 and running a VPN is not an option, gitolite.kernel.org also listens on ports 2222 and 443.

Try port 2222 first by adding a Port directive to your ~/.ssh/config entry:

Host gitolite.kernel.org
  User git
  Port 2222
  ...

If port 2222 is also blocked, you can try port 443:

Host gitolite.kernel.org
  User git
  Port 443
  ...

Note

Port 443 may not work reliably on networks that use deep packet inspection. Such networks can detect SSH traffic arriving on the HTTPS port and block the connection. If that happens, using a VPN that obfuscates its traffic may be your only option.

SSH host fingerprints

Your kernel.org account grants you access to gitolite.kernel.org, which you will use both for accessing your git trees (see How to use gitolite) and for uploading tarball releases (see Using kernel.org uploader (kup)).

Key	MD5 Fingerprint
RSA	`MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b`
ECDSA	`MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47`
ED25519	`MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c`

Key	SHA256 Fingerprint
RSA	`SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g`
ECDSA	`SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo`
ED25519	`SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M`

Here they are PGP-signed:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# ssh-keygen -E sha256 -lf <(ssh-keyscan gitolite.kernel.org)
2048 SHA256:S1b2ARCfjjhsPJeqbCwkG+2ukBPCApogEfRTkVqEj4g gitolite.kernel.org (RSA)
256  SHA256:n5cYLTSXgZ97jR9DfOcFxHeHAt3BBqU89TpTQspqFxo gitolite.kernel.org (ECDSA)
256  SHA256:KTfZsrwphTMpYOYr0Acfdk25gtg6zui3Oh8QOawAm5M gitolite.kernel.org (ED25519)

# ssh-keygen -E md5 -lf <(ssh-keyscan gitolite.kernel.org)
2048 MD5:b1:33:44:9d:3f:77:59:14:f8:05:d7:33:5d:b1:40:7b gitolite.kernel.org (RSA)
256  MD5:7c:a6:a2:e0:96:5f:e2:9a:9b:53:b6:41:29:66:f8:47 gitolite.kernel.org (ECDSA)
256  MD5:30:f1:e6:8f:ff:76:45:e7:5b:45:b0:bd:bd:ca:14:9c gitolite.kernel.org (ED25519)
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCZtipmgAKCRC2xBzjVmSZ
bMoOAQCrHcd3B7ddx5qoF2eKCV3zDRYKPApTyuaRFOg1rm5yBAEA57ZebTHwiN9G
rd4YTmJ6RfVLWEhuwSLyCzUXhT0/Ugo=
=d0xn
-----END PGP SIGNATURE-----