gerrit.wikimedia.org / operations / debs / wmf-sre-laptop / 4963735e33192ab4e843febac981b8d64c37d3a0 / . / docs / SETUP.ssh
blob: f67c19fbb899964d800c21925bf56f6cfdde7e94
This describes the setup using a disk-based key store:
- Create two separate SSH keys for "production" and "cloud":
ssh-keygen -t ed25519
and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)
- cp /usr/share/wmf-sre-laptop/ssh-client-config to ~/.ssh/config
- Replace PRODUCTION_KEY and CLOUD_KEY with the names of the public SSH key identities
and USERNAME with your Wikimedia Developer shell username
- Enable the systemd user units which start separate SSH agents for the two keys
(as your user, no sudo needed; this is a one-time change):
systemctl --user start ssh-wmf-cloud.service
systemctl --user start ssh-wmf-prod.service
- Before using the SSH keys you need to load them into the SSH agents. Unfortunately
this is a bit hacky, as ssh-add has no option to select the agent socket, so the socket
has to be chosen through SSH_AUTH_SOCK. It is best to add a small script which does:
# socket paths match the ssh-wmf-*.service units; 1000 is your numeric user id
export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
ssh-add ~/.ssh/id_wmf_prod
export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
ssh-add ~/.ssh/id_wmf_cloud
- Finally we need to populate the known hosts file. First create the following directory:
mkdir ~/.ssh/known_hosts.d
We have a script which needs the known host information from bast2002.wikimedia.org. To initially
seed the data, you need to temporarily relax strict host key checking so that ssh prompts you
to accept the host key:
ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org
Compare the presented host fingerprint against
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
then type 'yes'.
Then do the same for restricted.bastion.wmflabs.org, comparing against
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org
Then run "wmf-update-known-hosts-production"; it will fetch all host keys from bast2002.
It needs to be re-run whenever new hosts are added: either run it manually when you can't log
into a host, or set up a systemd timer (or cron).
You should now be able to log in to Cloud VPS and production hosts.
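A more robust form of the key-loading script from the ssh-add step above, added here as an example and not part of the wmf-sre-laptop package: it derives the socket path from the runtime directory instead of hard-coding UID 1000, refuses to run ssh-add when an agent socket is missing (i.e. the user unit was never started), and skips keys that are already loaded. The service and key file names follow this document; the function names and the socket location under $XDG_RUNTIME_DIR are assumptions.

```shell
#!/bin/sh
# Added example, not part of wmf-sre-laptop: load the production and cloud keys
# into their dedicated agents. Service names and key file names follow this
# document; the socket location under $XDG_RUNTIME_DIR is an assumption.
set -u

# Socket of the agent started by ssh-wmf-<name>.service. Derived from the
# runtime directory rather than a hard-coded /run/user/1000, so it is also
# right for users whose UID is not 1000.
wmf_agent_socket() {
    printf '%s/ssh-wmf-%s.socket\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# Load one key into its agent. Arguments: agent name (prod|cloud), key file.
# Refuses (return 1, ssh-add not run) when the socket or key is missing, so a
# unit that was never started is reported instead of the key silently going
# to whatever agent SSH_AUTH_SOCK already pointed at.
wmf_load_key() {
    name=$1
    keyfile=$2
    sock=$(wmf_agent_socket "$name")
    if [ ! -S "$sock" ]; then
        echo "no agent socket at $sock; run: systemctl --user start ssh-wmf-$name.service" >&2
        return 1
    fi
    if [ ! -r "$keyfile" ]; then
        echo "key file $keyfile is missing or unreadable" >&2
        return 1
    fi
    # Skip the passphrase prompt if this key's fingerprint is already loaded.
    if [ -r "$keyfile.pub" ]; then
        fp=$(ssh-keygen -lf "$keyfile.pub" | awk '{print $2}')
        if SSH_AUTH_SOCK=$sock ssh-add -l 2>/dev/null | grep -qF "$fp"; then
            echo "$keyfile already loaded in the $name agent"
            return 0
        fi
    fi
    SSH_AUTH_SOCK=$sock ssh-add "$keyfile"
}

# Load both keys; returns non-zero if either fails.
wmf_load_all() {
    wmf_load_key prod "$HOME/.ssh/id_wmf_prod" &&
        wmf_load_key cloud "$HOME/.ssh/id_wmf_cloud"
}

# Run as: sh load-wmf-keys.sh load   (no argument only defines the functions)
case "${1:-}" in
    load) wmf_load_all ;;
esac
```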