blob: 479473cd8541faa00d51c5b1665ac09a7bb1cbda [file] [log] [blame]
This describes the setup using disk-based key store:
- Create two separate SSH keys for "production" and "cloud":
ssh-keygen -t ed25519
and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)
- Run update-ssh-config. It will patch your ssh config file, and start the two SSH agent
services via systemd.
- Before using the SSH keys you need to load the keys into the SSH agents, unfortunately
it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so
best to add a small script which does:
export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
ssh-add .ssh/id_wmf_prod
export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
ssh-add .ssh/id_wmf_cloud
- Finally we need to populate the known hosts file. First create the following directory:
mkdir ~/.ssh/known_hosts.d
We have a script which fetches the known host information, simply run
"wmf-update-known-hosts-production", it will fetch all host keys via HTTPS from
a central data store (https://config-master.wikimedia.org).
It needs to re-run whenever new hosts are added, either do it manually when you can't log into
a host or setup a systemd timer (or cron).
For accessing the bastion for Cloud VPS/Toolforge (restricted.bastion.wmflabs.org),
no similar mechanism exists, you need to manually verify it using:
https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org
You should now be able to login into Cloud VPS and production hosts.