Gitiles
Code Review Sign In
gerrit.wikimedia.org / operations / debs / wmf-sre-laptop / 6da3349397359b932da662d45f3698f4cf0a41e5^! / .
commit6da3349397359b932da662d45f3698f4cf0a41e5[log] [tgz]
authorMoritz Mühlenhoff <mmuhlenhoff@wikimedia.org>Wed Feb 24 10:57:10 2021 +0100
committerMuehlenhoff <mmuhlenhoff@wikimedia.org>Wed Feb 24 09:59:04 2021 +0000
treef6f5c345b0537946b29964a50470466c8115fa0a
parent221df3d340ef11b19db310775bb19e037fa87294 [diff]
Update SSH docs after change to pull known hosts from config-master

Change-Id: I69a444b4ecb3cad07b5c862caf8ca4d566245b2c

diff --git a/docs/wmf-laptop-sre/SETUP.ssh b/docs/wmf-laptop-sre/SETUP.ssh
index 66c4f2d..479473c 100644
--- a/docs/wmf-laptop-sre/SETUP.ssh
+++ b/docs/wmf-laptop-sre/SETUP.ssh

@@ -9,7 +9,7 @@
   and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)
 
 - Run update-ssh-config. It will patch your ssh config file, and start the two SSH agent 
-services via systemd.
+  services via systemd.
 
 - Before using the SSH keys you need to load the keys into the SSH agents, unfortunately
   it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so
@@ -24,19 +24,16 @@
 
   mkdir ~/.ssh/known_hosts.d
 
-  We have a script which needs the known host information from bast2002.wikimedia.org. To initially
-  seed the data, you need to temporarily disable SSH host checking.
+  We have a script which fetches the known host information, simply run
+  "wmf-update-known-hosts-production", it will fetch all host keys via HTTPS from
+  a central data store (https://config-master.wikimedia.org).
 
-  ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org
-  Compare the presented host fingerprint against
-  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
-  then type 'yes'.
-
-  Then the same for restricted.bastion.wmflabs.org
-  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org
-
-  Then run "wmf-update-known-hosts-production", it will fetch all host keys from bast2002.
   It needs to re-run whenever new hosts are added, either do it manually when you can't log into
   a host or setup a systemd timer (or cron).
 
+  For accessing the bastion for Cloud VPS/Toolforge (restricted.bastion.wmflabs.org),
+  no similar mechanism exists, you need to manually verify it using:
+
+  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org
+
 You should now be able to login into Cloud VPS and production hosts.