Commit

Add ssh keys management guide
jpraynaud committed Aug 10, 2023
1 parent c62b61b commit d166b86
Showing 2 changed files with 53 additions and 1 deletion.
3 changes: 2 additions & 1 deletion docs/runbook/README.md
Expand Up @@ -2,7 +2,7 @@

This page gathers the available guides to operate a Mithril network.

:warning: This guides are intended to be used by expert users, and could lead to irreversible damages or loss for a network.
:fire: This guides are intended to be used by expert users, and could lead to irreversible damages or loss for a network.

# Guides

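Review bot: The replaced warning line in `docs/runbook/README.md` changes only the emoji from `:warning:` to `:fire:` and carries the grammar errors over unchanged. Since the line is being touched anyway, suggest "These guides are intended to be used by expert users, and could lead to irreversible damage or loss for a network." Also note that the new `ssh-access/README.md` in this same commit still uses `:warning:` for its emergency note, so it is worth deciding which marker the runbook uses for which severity.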
Expand All @@ -14,5 +14,6 @@ This page gathers the available guides to operate a Mithril network.
| **Update protocol parameters** | [protocol-parameters](./protocol-parameters/README.md) | Update the protocol parameters of a Mithril network.
| **Recompute certificates hash** | [recompute-certificates-hash](./recompute-certificates-hash/README.md) | Recompute the certificates has of an aggregator.
| **Fix terraform lock** | [terraform-lock](./terraform-lock/README.md) | Fix a terraform lock in CD workflows.
| **Manage SSH access to infrastructure** | [ssh-access](./ssh-access/README.md) | Manage SSH access on the VM of the infrastructure for a user.
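Review bot: The description in the added "Manage SSH access to infrastructure" row says "on the VM" in the singular, while the guide it links to lists four deployments (`testing-preview`, `pre-release-preview`, `release-preprod`, `release-mainnet`). Suggest wording such as "Add or remove a user's SSH access to the infrastructure VMs" so the scope is clear from the index. While editing this table, the row just above reads "certificates has" where "certificates hash" is meant.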


51 changes: 51 additions & 0 deletions docs/runbook/ssh-access/README.md
@@ -0,0 +1,51 @@
# Manage SSH access to infrastructure

## Add access to a user

### Create a SSH keypair for a user (if needed)

Create a new SSH keypair, with `ed25519` cryptography for maximum security:
```bash
ssh-keygen -t ed25519 -C "[email protected]"
```

Then, add your keypair to the ssh-agent:
```bash
ssh-add ~/.ssh/id_ed25519
```

### Retrieve the public key of your SSH keypair

Run the following command to retrieve your public key:
```bash
cat ~/.ssh/id_ed25519.pub
```

### Declare the public key

Add a line with the format `**REMOTE_USER**:*PUBLIC_KEY**` in the `mithril-infra/assets/ssh_keys` file for each:
```bash
echo "curry:ssh-ed25519 AAAE53AC3NzQ2vlZDI1aC1O4CpX+S2y1X9NTB4rv4k3pAAAAIF3b7L9sPV5ZiGgogmko [email protected]" >> **REPOSITORY_PATH**/mithril-infra/assets/ssh_keys
```

Then, create a PR with the updated `ssh_keys` file.

## Remove access to a user

To remove an access, simply remove the line(s) related to this user.

Then, create a PR with the updated `ssh_keys` file.

## When are the modifications applied?

The modifications will be applied the next time the terraform deployment is done:
- next **merge** in `main` branch for `testing-preview`
- next **pre-release** created for `pre-release-preview`
- next **release** created for `release-preprod`
- next **release** created for `release-mainnet`

When the modifications are applied, the VM is updated in place by terraform.

:warning: In case of emergency, the SSH keys can be modified by an administrator:
- In GCP [**Compute Engine**](https://console.cloud.google.com/compute/instances)
- The SSH keys can be edited in the targeted VM(s)
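Review bot: The "Remove access to a user" section only says to delete the user's line(s) and open a PR, but according to "When are the modifications applied?" that change takes effect at the next terraform deployment, which for `release-mainnet` means the next release, so a removed key keeps working on the VM until then. Suggest that the removal section point to the emergency procedure at the end of the file for urgent revocations, and that the emergency note state whether a key edited by hand in GCP Compute Engine must also be changed in `ssh_keys` so the next deployment does not undo the manual edit. Minor: the format string `**REMOTE_USER**:*PUBLIC_KEY**` in "Declare the public key" has unbalanced asterisks, and the sentence ending "for each:" is missing its noun.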
