
This describes the setup using a disk-based key store:


- Create two separate SSH keys, one for "production" and one for "cloud", and store
  them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud):

    ssh-keygen -t ed25519 -f ~/.ssh/id_wmf_prod
    ssh-keygen -t ed25519 -f ~/.ssh/id_wmf_cloud

  Protect each key with a passphrase when prompted; the keys are only ever unlocked
  into the agents set up below.

- Copy the shipped client config into place (back up an existing ~/.ssh/config first,
  the copy overwrites it):

    cp /usr/share/wmf-sre-laptop/ssh-client-config ~/.ssh/config

- In ~/.ssh/config replace PRODUCTION_KEY and CLOUD_KEY with the file names of the two
  SSH key identities, and USERNAME with your Wikimedia Developer shell username.

- Enable the systemd user units which start a separate SSH agent for each of the two
  keys (as your user, no sudo needed; "enable --now" starts them right away and makes
  this a one-time change that survives reboots):

    systemctl --user enable --now ssh-agent@cloud.service
    systemctl --user enable --now ssh-agent@prod.service

- Before using the SSH keys you need to load them into their agents. Unfortunately
  this is a bit hacky, as ssh-add has no option to select the agent and only honours
  the SSH_AUTH_SOCK environment variable, so it is best to add a small script which
  does the following (the sockets live in the user's runtime directory, so do not
  hard-code /run/user/1000 unless your uid really is 1000):

    # set SSH_AUTH_SOCK per command so it does not leak into the calling shell
    RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    SSH_AUTH_SOCK="$RUNTIME_DIR/ssh-wmf-prod.socket"  ssh-add ~/.ssh/id_wmf_prod
    SSH_AUTH_SOCK="$RUNTIME_DIR/ssh-wmf-cloud.socket" ssh-add ~/.ssh/id_wmf_cloud

- Finally we need to populate the known hosts files. First create the directory they
  live in:

    mkdir ~/.ssh/known_hosts.d

  We have a script which fetches the known host information from bast2002.wikimedia.org,
  but the client config does not accept unknown host keys, so to seed the data you need
  to temporarily relax host-key checking for that first connection, from refusing
  unknown hosts to asking about them:

    ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org

  Compare the presented host fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org.
  Only if it matches, type 'yes'; if it does not match, answer 'no' and do not log in.

  Then do the same for restricted.bastion.wmflabs.org, checking the fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org

    ssh -o StrictHostKeyChecking=ask restricted.bastion.wmflabs.org

  Then run "wmf-update-known-hosts-production"; it fetches all host keys from bast2002.
  It needs to be re-run whenever new hosts are added: either do it manually when you
  can't log into a host, or set up a systemd timer (or cron) for it.

You should now be able to log in to Cloud VPS and production hosts.
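The key-loading step above as a complete, reusable script. This is an added example and
not part of the wmf-sre-laptop package; it assumes the agent sockets are named
ssh-wmf-<profile>.socket under the user's runtime directory (as in the paths used
above), that the keys are stored as ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud, and
that the file is saved under the hypothetical name load-wmf-keys.sh. Unlike the
four-line version, it refuses to run ssh-add when an agent is not up, scopes
SSH_AUTH_SOCK to each single command, and lists what each agent holds afterwards so
you can confirm the production key did not end up in the cloud agent.

```shell
#!/bin/sh
# Added example, not wmf-sre-laptop code. Assumes the ssh-agent@.service user units
# listen on ${XDG_RUNTIME_DIR}/ssh-wmf-<profile>.socket (profile = prod or cloud).

# Resolve the agent socket for a profile from XDG_RUNTIME_DIR, falling back to
# /run/user/<uid> instead of hard-coding uid 1000.
agent_socket() {
    printf '%s/ssh-wmf-%s.socket\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# Load one key file into the agent of the given profile. Returns 1 with a hint
# when the agent's socket is missing (user unit not running) or the key is unreadable,
# so ssh-add is never run against the wrong or a non-existent agent.
load_key() {
    profile=$1
    key=$2
    sock=$(agent_socket "$profile")
    if [ ! -S "$sock" ]; then
        echo "no agent socket at $sock; run: systemctl --user enable --now ssh-agent@$profile.service" >&2
        return 1
    fi
    if [ ! -r "$key" ]; then
        echo "key file $key is not readable" >&2
        return 1
    fi
    # Prefix the variable for this one command only, so the calling shell's own
    # SSH_AUTH_SOCK is untouched and the key cannot land in the other agent.
    SSH_AUTH_SOCK=$sock ssh-add "$key"
}

# Show the identities each agent holds, to confirm the two keys stayed separated.
list_keys() {
    for profile in prod cloud; do
        echo "== $profile agent =="
        SSH_AUTH_SOCK=$(agent_socket "$profile") ssh-add -l || true
    done
}

main() {
    load_key prod  "$HOME/.ssh/id_wmf_prod"
    load_key cloud "$HOME/.ssh/id_wmf_cloud"
    list_keys
}

# Run only when executed as load-wmf-keys.sh; sourcing the file just defines the functions.
case $(basename -- "$0") in
    load-wmf-keys.sh) main "$@" ;;
esac
```

Save it as ~/.local/bin/load-wmf-keys.sh and run it once after each login; when one of
the agents is not running it stops with the systemctl command to fix that instead of
silently adding the key to whatever agent SSH_AUTH_SOCK happened to point at.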