| |
| This describes the setup using disk-based key store: |
| |
| |
| - Create two separate SSH keys for "production" and "cloud": |
| |
| ssh-keygen -t ed25519 |
| |
| and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud) |
| |
| - Run update-ssh-config. It will patch your ssh config file, and start the two SSH agent |
| services via systemd. |
| |
| - Before using the SSH keys you need to load the keys into the SSH agents, unfortunately |
| it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so |
| best to add a small script which does: |
| |
| export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket |
| ssh-add .ssh/id_wmf_prod |
| export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket |
| ssh-add .ssh/id_wmf_cloud |
| |
| - Finally we need to populate the known hosts file. First create the following directory: |
| |
| mkdir ~/.ssh/known_hosts.d |
| |
| We have a script which fetches the known host information, simply run |
| "wmf-update-known-hosts-production", it will fetch all host keys via HTTPS from |
| a central data store (https://config-master.wikimedia.org). |
| |
| It needs to re-run whenever new hosts are added, either do it manually when you can't log into |
| a host or setup a systemd timer (or cron). |
| |
| For accessing the bastion for Cloud VPS/Toolforge (restricted.bastion.wmflabs.org), |
| no similar mechanism exists, you need to manually verify it using: |
| |
| https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org |
| |
| You should now be able to login into Cloud VPS and production hosts. |