gerrit.wikimedia.org
Gitiles
Code ReviewSign In
gerrit.wikimedia.org / operations / debs / wmf-sre-laptop / 6da3349397359b932da662d45f3698f4cf0a41e5 / . / docs / wmf-laptop-sre / SETUP.ssh
blob: 479473cd8541faa00d51c5b1665ac09a7bb1cbda [file] [log] [blame]
This describes the setup using disk-based key store:
- Create two separate SSH keys for "production" and "cloud":
ssh-keygen -t ed25519
and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)
- Run update-ssh-config. It will patch your ssh config file, and start the two SSH agent
services via systemd.
- Before using the SSH keys you need to load the keys into the SSH agents, unfortunately
it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so
best to add a small script which does:
export SSH_AUTH_SOCK​=​/run/​user​/​1000​/​ssh​-​wmf​-​prod​.​socket
ssh-add .ssh/id_wmf_prod
export SSH_AUTH_SOCK​=​/run/​user​/​1000​/​ssh​-​wmf​-​cloud​.​socket
ssh-add .ssh/id_wmf_cloud
- Finally we need to populate the known hosts file. First create the following directory:
mkdir ~/.ssh/known_hosts.d
We have a script which fetches the known host information, simply run
"wmf-update-known-hosts-production"​, it will fetch all host keys via HTTPS from
a central data store (​https​:​//config-master.wikimedia.org).
It needs to re-run whenever new hosts are added, either do it manually when you can't log into
a host or setup a systemd timer (or cron).
For accessing the bastion for Cloud VPS/Toolforge (restricted.bastion.wmflabs.org),
no similar mechanism exists, you need to manually verify it using:
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org
You should now be able to login into Cloud VPS and production hosts.
Powered by Gitiles
txt
json