Moritz Mühlenhoff | 1475946 | 2020-04-07 12:02:30 +0200
This describes the setup using the disk-based key store:


- Create two separate SSH keys for "production" and "cloud":

    ssh-keygen -t ed25519

  and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)

- cp /usr/share/wmf-sre-laptop/ssh-client-config to ~/.ssh/config

- Replace PRODUCTION_KEY and CLOUD_KEY with the names of the public SSH key identities
  and USERNAME with your Wikimedia Developer shell username

- Enable the systemd user units which start separate SSH agents for the two keys
  (as your user, no sudo needed. This is a one-time change):

    systemctl --user start ssh-wmf-cloud.service
    systemctl --user start ssh-wmf-prod.service

- Before using the SSH keys you need to load them into the SSH agents. Unfortunately
  this is a bit hacky, as ssh-add has no option to specify the agent socket, so it is
  best to add a small script which does:

    #!/bin/sh
    # Point ssh-add at each agent through SSH_AUTH_SOCK (1000 is your uid; adjust if it differs)
    export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
    ssh-add ~/.ssh/id_wmf_prod
    export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
    ssh-add ~/.ssh/id_wmf_cloud

- Finally we need to populate the known hosts file. First create the following directory:

    mkdir ~/.ssh/known_hosts.d

  We have a script which needs the known host information from bast2002.wikimedia.org. To initially
  seed the data, you need to temporarily relax strict host key checking so that the first connection
  prompts you to verify the fingerprint:

    ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org

  Compare the presented host fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
  then type 'yes'.

  Then do the same for restricted.bastion.wmflabs.org, checking the fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org

  Then run "wmf-update-known-hosts-production"; it will fetch all host keys from bast2002.
  It needs to be re-run whenever new hosts are added: either do it manually when you can't log into
  a host, or set up a systemd timer (or cron).

You should now be able to log into Cloud VPS and production hosts.
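As an added example for the ssh-add step above (not part of this README or of the wmf-sre-laptop package), a key-loading script that derives each agent's socket path from XDG_RUNTIME_DIR instead of hardcoding uid 1000, refuses to run when the agent unit is not up, and skips keys that are already loaded. It assumes the socket names from the README; the functions agent_socket and load_key and the script name load-wmf-keys.sh are my own.

```shell
#!/bin/sh
# Added example, not part of the package. Assumes the agent sockets are named
# ssh-wmf-prod.socket / ssh-wmf-cloud.socket (as in the README) and live under
# XDG_RUNTIME_DIR (falls back to /run/user/<uid> when the variable is unset).

# Print the socket path of the agent for "prod" or "cloud".
agent_socket() {
    printf '%s/ssh-wmf-%s.socket\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# load_key <prod|cloud> <private key path>
# Returns 1 if the agent socket is missing, so a stopped unit or a typo is
# noticed instead of ssh-add falling back to whatever agent is in the environment.
load_key() {
    env_name=$1
    key=$2
    sock=$(agent_socket "$env_name")
    if [ ! -S "$sock" ]; then
        echo "no agent socket at $sock; run: systemctl --user start ssh-wmf-$env_name.service" >&2
        return 1
    fi
    # Skip keys that are already loaded: compare the fingerprint from the .pub
    # file against the agent's listing (only when a fingerprint could be read).
    fp=$(ssh-keygen -lf "$key.pub" 2>/dev/null | awk '{print $2}')
    if [ -n "$fp" ] && SSH_AUTH_SOCK=$sock ssh-add -l 2>/dev/null | grep -qF "$fp"; then
        echo "$env_name: $key already loaded"
        return 0
    fi
    # Scope SSH_AUTH_SOCK to this single ssh-add call instead of exporting it.
    SSH_AUTH_SOCK=$sock ssh-add "$key"
}

# When run as load-wmf-keys.sh, load both keys; when sourced, only define the functions.
case "$0" in
    */load-wmf-keys.sh|load-wmf-keys.sh)
        load_key prod ~/.ssh/id_wmf_prod && load_key cloud ~/.ssh/id_wmf_cloud ;;
esac
```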