gerrit.wikimedia.org / operations / debs / wmf-sre-laptop / 221df3d340ef11b19db310775bb19e037fa87294 / . / docs / wmf-laptop-sre / SETUP.ssh
blob: 66c4f2dd1a11710d70aab7478eb172c4f27dcb9a
Moritz Mühlenhoff, 2020-04-07 12:02:30 +0200
This describes the setup using a disk-based key store:


- Create two separate SSH keys for "production" and "cloud":

  ssh-keygen -t ed25519

  and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud).

- Run update-ssh-config. It will patch your ssh config file and start the two SSH agent
  services via systemd.

- Before using the SSH keys you need to load them into the SSH agents. Unfortunately
  this is a bit hacky, as ssh-add does not allow specifying the auth socket via an option, so
  it is best to add a small script which does:

  # 1000 is your numeric user id (see: id -u)
  # load the production key into the production agent
  export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
  ssh-add ~/.ssh/id_wmf_prod
  # load the cloud key into the cloud agent
  export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
  ssh-add ~/.ssh/id_wmf_cloud
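  A slightly more careful version of that script, added here as an example and not part of
  the wmf-sre-laptop package: it derives the socket directory from XDG_RUNTIME_DIR (falling
  back to /run/user/<uid>) instead of hard-coding 1000, refuses to run ssh-add when the
  agent socket is missing, and sets SSH_AUTH_SOCK only for the single ssh-add command, so the
  calling shell keeps its own agent and a key cannot end up in the wrong agent just because a
  sourced script exported the cloud socket last. The socket names ssh-wmf-prod.socket /
  ssh-wmf-cloud.socket are the ones from the steps above; the script file name
  load-wmf-keys.sh is an assumption.

```sh
#!/bin/sh
# Added example for the two-agent setup described above (not package code).
# Assumptions: XDG_RUNTIME_DIR is set by systemd for the login session, and the
# agent sockets follow the page's ssh-wmf-<env>.socket naming.

# Directory holding the per-user agent sockets; falls back to /run/user/<uid>
# so the UID is never hard-coded.
runtime_dir() {
    printf '%s' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

# Path of the agent socket for one environment ("prod" or "cloud").
agent_socket() {
    printf '%s/ssh-wmf-%s.socket' "$(runtime_dir)" "$1"
}

# Run a command with SSH_AUTH_SOCK pointed at one environment's agent only.
# The variable is set for that command alone, so the calling shell's
# SSH_AUTH_SOCK is left untouched.
with_agent() {
    env="$1"; shift
    SSH_AUTH_SOCK="$(agent_socket "$env")" "$@"
}

# Load one key into one agent, refusing to proceed if the systemd socket is
# not there (agent service not running) or the key file is not readable.
load_key() {
    env="$1"; key="$2"
    sock="$(agent_socket "$env")"
    if [ ! -S "$sock" ]; then
        echo "load_key: agent socket $sock not found; is ssh-wmf-$env running?" >&2
        return 1
    fi
    if [ ! -r "$key" ]; then
        echo "load_key: key file $key not readable" >&2
        return 1
    fi
    with_agent "$env" ssh-add "$key"
}

# When run as load-wmf-keys.sh: load each key into its own agent, then list
# what each agent holds so a key in the wrong agent is immediately visible.
if [ "${0##*/}" = "load-wmf-keys.sh" ]; then
    load_key prod  "$HOME/.ssh/id_wmf_prod"
    load_key cloud "$HOME/.ssh/id_wmf_cloud"
    for e in prod cloud; do
        echo "== $e agent =="
        with_agent "$e" ssh-add -l
    done
fi
```

  The with_agent helper is also handy on its own, e.g. "with_agent prod ssh-add -l" to see
  which keys the production agent currently holds.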

- Finally we need to populate the known hosts file. First create the following directory:

  mkdir ~/.ssh/known_hosts.d

  We have a script which needs the known host information from bast2002.wikimedia.org. To initially
  seed the data, you need to temporarily disable strict SSH host key checking:

  ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org

  Compare the presented host fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
  then type 'yes'.

  Then do the same for restricted.bastion.wmflabs.org, checking against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org

Then run "wmf-update-known-hosts-production"; it will fetch all host keys from bast2002.
It needs to be re-run whenever new hosts are added: either do it manually when you can't log into
a host, or set up a systemd timer (or cron).

You should now be able to log in to Cloud VPS and production hosts.