Moritz Mühlenhoff | 1475946 | 2020-04-07 12:02:30 +0200

This describes the setup using a disk-based key store:


- Create two separate SSH keys for "production" and "cloud":

    ssh-keygen -t ed25519

  and store them in two separate files (e.g. ~/.ssh/id_wmf_prod and ~/.ssh/id_wmf_cloud)

- Run update-ssh-config. It will patch your ssh config file and start the two SSH agent
  services via systemd.

- Before using the SSH keys you need to load them into the SSH agents. Unfortunately this is
  a bit hacky, as ssh-add does not allow specifying the auth socket via an option, so it is
  best to add a small script which does:

    # Agent sockets live under /run/user/<uid>; 1000 is the uid shown by "id -u"
    export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-prod.socket
    ssh-add ~/.ssh/id_wmf_prod
    export SSH_AUTH_SOCK=/run/user/1000/ssh-wmf-cloud.socket
    ssh-add ~/.ssh/id_wmf_cloud

- Finally we need to populate the known_hosts files. First create the following directory:

    mkdir ~/.ssh/known_hosts.d

  We have a script which needs the known host information from bast2002.wikimedia.org. To initially
  seed the data, you need to relax strict host key checking for one connection and verify the
  host key by hand:

    ssh -o StrictHostKeyChecking=ask bast2002.wikimedia.org

  Compare the presented host fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bast2002.wikimedia.org. If it matches,
  then type 'yes'.

  Then do the same for restricted.bastion.wmflabs.org, checking the fingerprint against
  https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/restricted.bastion.wmflabs.org

  Then run "wmf-update-known-hosts-production", which fetches all host keys from bast2002.
  It needs to be re-run whenever new hosts are added; either do it manually when you can't log
  into a host, or set up a systemd timer (or cron).

You should now be able to log in to Cloud VPS and production hosts.
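The key-loading step above, as an added example that is not part of the original notes: a POSIX sh script that sets SSH_AUTH_SOCK only for each ssh-add call (so the production socket is never left exported in your shell), derives the socket directory from XDG_RUNTIME_DIR instead of hardcoding uid 1000, and checks each agent afterwards. The socket names (ssh-wmf-prod / ssh-wmf-cloud) and key file names (id_wmf_prod / id_wmf_cloud) are assumed to be the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the original setup notes. Assumes the socket and
# key file names used in the notes above.
set -eu

# Path of the per-profile agent socket; derive the uid instead of hardcoding 1000.
agent_socket() {
    printf '%s/ssh-wmf-%s.socket\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" "$1"
}

# Key file for a profile (prod or cloud); adjust if you named yours differently.
key_file() {
    printf '%s/.ssh/id_wmf_%s\n' "$HOME" "$1"
}

# Load one profile's key into its own agent only. SSH_AUTH_SOCK is set for the
# single ssh-add invocation, so the shell environment stays untouched and the
# cloud key cannot end up in the production agent by mistake (or vice versa).
load_key() {
    profile=$1
    sock=$(agent_socket "$profile")
    key=$(key_file "$profile")
    if [ ! -S "$sock" ]; then
        echo "agent socket $sock missing: is the $profile agent service running?" >&2
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "key file $key not found" >&2
        return 1
    fi
    SSH_AUTH_SOCK=$sock ssh-add "$key"
    # Confirm the agent now holds a key (ssh-add -l exits non-zero if it is empty).
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null
}

main() {
    for p in prod cloud; do
        load_key "$p"
    done
}

# Only run main when executed as a script named load-wmf-keys*, so the
# functions can also be sourced or tested on their own.
case "${0##*/}" in load-wmf-keys*) main "$@" ;; esac
```

Save it as ~/bin/load-wmf-keys.sh and run it once per login session.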