docs/SETUP.ssh

This describes the setup using disk-based key store:


- Create two separate SSH keys for "production" and "cloud":

  ssh-keygen -t ed25519

  and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)

- cp /usr/share/wmf-sre-laptop/ssh-client-config to ~/.ssh/config

- Replace PRODUCTION_KEY and CLOUD_KEY with the names of the public SSH key identities
  and USERNAME with your Wikimedia Developer shell username

- Enable the systemd user units which start separate SSH agents for the two keys
  (as your user, no sudo needed. This is a one time change)

  systemctl --user start ssh-wmf-cloud.service
  systemctl --user start ssh-wmf-prod.service

- Before using the SSH keys you need to load the keys into the SSH agents, unfortunately
  it's a bit hacky as ssh-add doesn't allow to specify the auth socket via an option, so
  best to add a small script which does:

  export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
  ssh-add .ssh/id_wmf_prod
  export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
  ssh-add .ssh/id_wmf_cloud

- Finally we need to populate the known hosts file. First create the following directory:

  mkdir ~/.ssh/known_hosts.d

  We have a script which needs the known host information from bast2002.wikimedia.org. To initially
  seed the data, you need to temporarily disable SSH host checking.

  ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org
  Compare the presented host fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
  then type 'yes'.

  Then the same for restricted.bastion.wmflabs.org
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org

  Then run "wmf-update-known-hosts-production", it will fetch all host keys from bast2002.
  It needs to re-run whenever new hosts are added, either do it manually when you can't log into
  a host or setup a systemd timer (or cron).

You should now be able to login into Cloud VPS and production hosts.