gerrit.wikimedia.org / operations / debs / wmf-sre-laptop / 6da3349397359b932da662d45f3698f4cf0a41e5^! / .
commit 6da3349397359b932da662d45f3698f4cf0a41e5
author Moritz Mühlenhoff <mmuhlenhoff@wikimedia.org> Wed Feb 24 10:57:10 2021 +0100
committer Muehlenhoff <mmuhlenhoff@wikimedia.org> Wed Feb 24 09:59:04 2021 +0000
tree f6f5c345b0537946b29964a50470466c8115fa0a
parent 221df3d340ef11b19db310775bb19e037fa87294

Update SSH docs after change to pull known hosts from config-master

Change-Id: I69a444b4ecb3cad07b5c862caf8ca4d566245b2c
diff --git a/docs/wmf-laptop-sre/SETUP.ssh b/docs/wmf-laptop-sre/SETUP.ssh index 66c4f2d..479473c 100644 --- a/docs/wmf-laptop-sre/SETUP.ssh +++ b/docs/wmf-laptop-sre/SETUP.ssh
@@ -9,7 +9,7 @@ and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud) - Run update-ssh-config. It will patch your ssh config file, and start the two SSH agent -services via systemd.+ services via systemd. - Before using the SSH keys you need to load the keys into the SSH agents, unfortunately it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so@@ -24,19 +24,16 @@ mkdir ~/.ssh/known_hosts.d - We have a script which needs the known host information from bast2002.wikimedia.org. To initially- seed the data, you need to temporarily disable SSH host checking.+ We have a script which fetches the known host information, simply run+ "wmf-update-known-hosts-production", it will fetch all host keys via HTTPS from+ a central data store (https://config-master.wikimedia.org). - ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org- Compare the presented host fingerprint against- https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,- then type 'yes'.-- Then the same for restricted.bastion.wmflabs.org​- https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org​-​- Then run "wmf-update-known-hosts-production", it will fetch all host keys from bast2002. It needs to re-run whenever new hosts are added, either do it manually when you can't log into a host or setup a systemd timer (or cron). + For accessing the bastion for Cloud VPS/Toolforge (restricted.bastion.wmflabs.org),​+ no similar mechanism exists, you need to manually verify it using:++ https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org​+ You should now be able to login into Cloud VPS and production hosts.
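Review bot: the second hunk removes the guidance that wmf-update-known-hosts-production has to be re-run whenever new hosts are added (manually when a login fails, or from a systemd timer or cron), and nothing in the added text replaces it; a stale ~/.ssh/known_hosts.d will still reject logins to newly added hosts, so keep a sentence along the lines of "It needs to be re-run whenever new hosts are added, either manually or via a systemd timer (or cron)." after the config-master paragraph. The same hunk swaps the explicit fingerprint comparison for an HTTPS fetch from https://config-master.wikimedia.org without saying what the reader now trusts instead; one sentence stating that the fetched host keys are only as trustworthy as the TLS connection to config-master would make that change in trust anchor explicit. For the Cloud VPS bastion, the removed lines gave the actual procedure (ssh -o StrictHostKeyChecking=ask restricted.bastion.wmflabs.org, compare the presented fingerprint against the wikitech page, then type 'yes'), while the new text only links the fingerprint page, so restore the ssh command and the compare-then-accept step. Minor: "simply run "wmf-update-known-hosts-production", it will fetch" and "no similar mechanism exists, you need to" are comma splices and read better as two sentences each.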