SCMs typically support simple username and password combinations for authentication. However, in FishEye and Crucible, more complex authentication styles are supported for the following repository types:

The configuration of these authentication styles in FishEye is described below. Note, the authentication style can also be configured as part of a particular repository's definition.

(info) Although Subversion supports more complex authentication styles like ssh and ssl certificate authentication, these are not currently configurable in FishEye. When using the bundled svnkit library, these are typically configured using Java property definitions.

On this page:

Authentication Styles

The authentication styles are configured as part of a particular repository definition.

There are four authentication styles for a repository:

When a FishEye repository type supports these authentication styles, you will see an Authentication section during repository configuration (e.g. the "Mercurial Authentication" section in the screenshot below). This section will be available when initially defining a repository configuration and also in the "SCM Details" section when maintaining a repository.

Screenshot: Selecting an Authentication Style

No Authentication

 

This is, the simplest authentication style. It means that FishEye can connect to the repository using Git or Mercurial without any credentials or authentication. If you have supplied credentials via another mechanism (such as ssh-agent or a default passphraseless private key for a ssh connection) Git or Mercurial will use this automatically.

This option is appropriate for,

  1. public repositories which grant read-only access to anonymous users, or
  2. internal repositories on a secure network which allow anonymous reads to network users, or
  3. repositories which are accessible to the FishEye server on the local filesystem.


Screenshot: No Authentication selected for a local repository

FishEye's access to repositories is always read-only, so it can easily be used with repositories which only require authentication and authorisation for write operations.

  • If you specify "No Authentication" but enter a repository URL which includes a username and password, FishEye will remove the password from the URL and set the authentication style to "Password", storing the password specified in the password field.

Generate Key Pair for SSH

 

This is the most secure option for ssh access, as the private key is never transmitted across the network. If you want to manage repository access using SSH keys, you can choose this style of authentication to have FishEye generate and manage the public/private key pair for you.

Click the 'Generate' button to generate the key pair (see "Generating a SSH key pair" screenshot below). FishEye will generate and store the public and private key pair. The key is specific to the repository being indexed.

Screenshot: Generating a SSH key pair

The public key will be displayed to allow you to copy it to your repository server and to associate the key with your user account (see "Public Key of Generated Key displayed" screenshot below). The private key is stored by FishEye and never exposed to users or admininstrators.

Screenshot: Public Key of Generated Key displayed

If you wish to change the key, you can remove the existing key by clicking the 'Remove' link and then generate a new key.

When using SSH keys, you will typically specify a username as part of the URL you use to access the repository.

Public hosting systems such as Bitbucket and GitHub provide simple web-based mechanisms for associating public keys with your account. For these systems, a generic username is used in the repository URL and it is the key that determines the account. See the screenshots below for examples of how to associate keys with Bitbucket and GitHub accounts.

Screenshot: Key management on Bitbucket

Screenshot: Key management on GitHub

Upload Private Key for SSH

 

If you are using SSH keys for repository access and already have an SSH key or you would prefer to manage your SSH keys yourself, this authentication style allows you to upload the private key to FishEye. Please note however, that FishEye can only use passphrase-less SSH keys (To vote for support for private keys with passphrases, see http://jira.atlassian.com/browse/CRUC-5579).

Generating a key within FishEye, as described above, is our preferred approach to using SSH keys. We believe it is advisable to use a private key for a single purpose. Different access needs should use different keys. This option should only be used if you must use an existing key.

If you choose to use this option, you will be transmitting your private key across the network to your FishEye server. We strongly recommend that you enable https for Fisheye before you do this.

The private key is uploaded by your web browser file upload operation. As soon as FishEye completes the file upload, it verifies that the provided key is in fact a valid private SSH key and that it does not have a passphrase. If you wish to change the stored key you must remove the current key by clicking the 'Remove' link and then upload the new key.

Screenshot: Private Key Upload

(tick) Tip: If you are uploading under OSX and using 10.6 or later, you can press command-shift-period to display hidden files and directories. This makes it easier to access ssh key files stored in their default .ssh directory

パスワード

 

This authentication style is used when using http/https to access your repository with a username and password. For these repositories, the repository URL includes the username for the account and the password is configured in the 'Password' field (see "Password Authentication" screenshot below).

Screenshot: Password Authentication

It is possible to specify both the username and password in a repository URL. If you do this FishEye will warn you to remove the password from the URL definition, as it would conflict with the password specified in the password field. When using password authentication, FishEye will always manage the password separately from the repository URL.

Screenshot: Do not provide password in URL

  • For git repositories, when using http basic authentication, git must be compiled with libcurl support. If this is not the case, authentication will fail with a message similar to:
    error: git was compiled without libcurl support.
    You will need to update your git installation or select an alternative authentication style.
  • Password authentication using ssh is not currently supported by FishEye. You must use a key when using ssh.

注意

Security Considerations when using SSH Key Pairs

 

The Generate Key Pair for SSH option is the safest option to use, as private keys are never transmitted across the network. If an attacker gains access to your private key, they have access to all the services that allow that keypair.

Since FishEye only requires read access to your accounts, it is best to create a user that only has read access to the repositories you want to index and add the public key to their account settings. This way, even if the private key is compromised, while your source can be accessed, you can easily revoke that user's access and/or remove their public keys and the attacker will not be able to change or modify any of your data.

Using ssh-agent

 

If you are using a Unix style system with SSH key authentication and do not want to perform key management in FishEye at all, it is possible to launch FishEye in the context of an ssh-agent process. When FishEye launches sub-processes to interact with the repository, the ssh command in those sub-processes will inherit access to the ssh keys in the ssh-agent process. This approach would allow you to use ssh keys with passphrases. Please refer to your operating system documentation for more information on ssh-agent.

SSH Connectivity Tools under Windows

 

If your FishEye installation is using Windows, you must use OpenSSH for SSH connectivity, rather than alternatives like TortoiseHg or Putty.