From b8cef15cf690f2e3cb69c747c4a30f8e4d3b767b Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sun, 1 Aug 2021 13:56:04 +0300
Subject: change SSH keys

To keep things simple, have only one user SSH key instead of two. Previously, we had one for logging into puomi@puomienv, and another for puomi@puomienv to log into the other VMs. Now we have only one. This makes it easier to manage keys, at the cost of duplicating the key in env/ssh/ed25518 and env/playbook.yml.

Sponsored-by: author
---
 env/files/id_ed25519 | 7 -------
 env/files/id_ed25519.pub | 1 -
 env/playbook.yml | 26 ++++++++++++++++++++++----
 env/setup.sh | 5 +++--
 env/ssh/config | 4 ++++
 puomi.md | 2 ++
 puomi.py | 5 +++--
 7 files changed, 34 insertions(+), 16 deletions(-)
 delete mode 100644 env/files/id_ed25519
 delete mode 100644 env/files/id_ed25519.pub

diff --git a/env/files/id_ed25519 b/env/files/id_ed25519
deleted file mode 100644
index 14601ed..0000000
--- a/env/files/id_ed25519
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACDcXZoUfCmGIMyBZzKWWbQlgZBbZ+Tr4EVBdy1UoRcaOAAAAJALYqDEC2Kg
-xAAAAAtzc2gtZWQyNTUxOQAAACDcXZoUfCmGIMyBZzKWWbQlgZBbZ+Tr4EVBdy1UoRcaOA
-AAAEB485JINzvdLZ/6EFMlmF6+aX4OF6G61N9yXtXASc7PY9xdmhR8KYYgzIFnMpZZtCWB
-kFtn5OvgRUF3LVShFxo4AAAADGxpd0BleG9sb2JlMQE=
------END OPENSSH PRIVATE KEY-----
diff --git a/env/files/id_ed25519.pub b/env/files/id_ed25519.pub
deleted file mode 100644
index 6ad43c2..0000000
--- a/env/files/id_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxdmhR8KYYgzIFnMpZZtCWBkFtn5OvgRUF3LVShFxo4 liw@exolobe1
diff --git a/env/playbook.yml b/env/playbook.yml
index 7f34432..f5cfa53 100644
--- a/env/playbook.yml
+++ b/env/playbook.yml
@@ -110,19 +110,20 @@ owner: puomi group: puomi mode: 0700 - - name: "copy SSH private key" + - name: "copy user SSH private key" copy: - src: id_ed25519 + content: "{{ user_ssh_private_key }}" dest: /home/puomi/.ssh/id_ed25519 owner: puomi group: puomi mode: 0600 - - name: "copy SSH public key" + - name: "copy user SSH public key" copy: - src: id_ed25519.pub + content: "{{ user_ssh_public_key }}" dest: /home/puomi/.ssh/id_ed25519.pub owner: puomi group: puomi + mode: 0600 - name: "copy SSH CA private key" copy: src: ca @@ -213,3 +214,20 @@ GSJSdir7NkZidgwoCPA7BTqsb5LN =dXB0 -----END PGP PUBLIC KEY BLOCK----- + + # Note that this private key MUST be the same as env/ssh/ed25519 + # in the source tree. + user_ssh_private_key: | + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACAOISqMoDpFzbozFuNHdhfd5SDG8rtGcF0gUNkte0emvAAAAJAf032rH9N9 + qwAAAAtzc2gtZWQyNTUxOQAAACAOISqMoDpFzbozFuNHdhfd5SDG8rtGcF0gUNkte0emvA + AAAECYIVFEDbQDeAv6UVxwrbW5D55Z6OFI2YxjXho4SvOdiA4hKoygOkXNujMW40d2F93l + IMbyu0ZwXSBQ2S17R6a8AAAADGxpd0BleG9sb2JlMQE= + -----END OPENSSH PRIVATE KEY----- + + + # This public key MUST correspond to the one that is in + # user_ssh_private_key. + user_ssh_public_key: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4hKoygOkXNujMW40d2F93lIMbyu0ZwXSBQ2S17R6a8 diff --git a/env/setup.sh b/env/setup.sh index 7071d6b..cf8e704 100755 --- a/env/setup.sh +++ b/env/setup.sh @@ -24,7 +24,8 @@ echo "Create and provision the inner VMs" ssh -F ssh/config puomi@puomienv ./setup-inner.sh # Disable network forwarding in outer VM. This can't be done until the -# inner VMs are provisioned, or they can't install anything. -ssh debian@puomienv sudo sysctl -w net.ipv4.ip_forward=0 +# inner VMs are provisioned, or they can't install anything. Hide the +# standard output, as it's useless. +ssh debian@puomienv sudo sysctl -w net.ipv4.ip_forward=0 > /dev/null echo "Finished; the router test environment is ready for use" 
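Review bot: The new `user_ssh_private_key` block puts the private key into env/playbook.yml in plaintext, and the comment "MUST be the same as env/ssh/ed25519" is the only thing keeping the two copies in sync, so a key rotated in one place and not the other surfaces only as an authentication failure on the next setup run. The playbook can read the single file instead of carrying a second copy: in the first hunk, `content: "{{ lookup('file', 'ssh/ed25519', rstrip=False) }}"` and `content: "{{ lookup('file', 'ssh/ed25519.pub') }}"` (path relative to the playbook directory; adjust if the lookup resolves elsewhere), after which the two new variables can be dropped. A key that lives in the repository has to be treated as public: it is acceptable only for these throwaway test VMs and must never be authorized anywhere else, which is worth stating in the comment that remains. The `mode: 0600` added to the public-key task is stricter than needed but harmless and matches the chmod in puomi.py.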
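Review bot: The modified `ssh debian@puomienv …` line still runs without `-F ssh/config`, unlike the `./setup-inner.sh` line just above it, so this step goes through the caller's own ssh config and known_hosts; if that is not deliberate, `ssh -F ssh/config debian@puomienv sudo sysctl -q -w net.ipv4.ip_forward=0` keeps both steps on the same config. `sysctl -q` suppresses the echoed value, so the `> /dev/null` redirect is not needed and errors still reach stderr. With stdout hidden, a failed sysctl is noticed only through the exit status, which helps only if the script runs under `set -e`; that setting is outside the hunk.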
diff --git a/env/ssh/config b/env/ssh/config index 69e34f3..b98bc42 100644 --- a/env/ssh/config +++ b/env/ssh/config @@ -1,3 +1,7 @@ +Host puomi + ProxyJump puomi@puomienv + User debian + Host * ForwardAgent no ControlMaster no diff --git a/puomi.md b/puomi.md index f710792..e383372 100644 --- a/puomi.md +++ b/puomi.md @@ -95,4 +95,6 @@ them from the test environment. given a router testing environment when I run ssh -F .ssh/config -v puomi@puomienv hostname then stdout is exactly "puomienv\n" +when I run ssh -F .ssh/config -v puomi hostname +then stdout is exactly "puomi\n" ~~~ diff --git a/puomi.py b/puomi.py index 921ff27..9760bb0 100644 --- a/puomi.py +++ b/puomi.py @@ -7,9 +7,10 @@ def env_setup(ctx): logging.info("setting up test directory for router testing") srcdir = globals()["srcdir"] + + # Copy env/ssh/ from source dir, which has SSH config and keys. ssh = os.path.join(srcdir, "env", "ssh") dst = os.path.join(os.getcwd(), ".ssh") - logging.debug(f"copy {ssh} to {dst}") shutil.copytree(ssh, dst) @@ -19,6 +20,6 @@ def env_setup(ctx): os.symlink(".ssh", "ssh") # Set permissions on the key files, so that the SSH client isn't upset if - # they're lax. + # they're lax. Git doesn't preserve the permissions correctly. os.chmod(".ssh/ed25519", 0o600) os.chmod(".ssh/ed25519.pub", 0o600) -- cgit v1.2.1
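Review bot: The new comment above `os.chmod(".ssh/ed25519", 0o600)` says git "doesn't preserve the permissions correctly", which leaves the reader guessing what git actually does; git tracks only the executable bit, so the checkout gives the private key the default file mode, typically readable by everyone, and ssh refuses such a key. I would make the comment say that, e.g. `# git tracks only the executable bit, so the checked-out private key is world-readable; ssh refuses a key with lax permissions, so tighten it to owner-only.` The copy made by `shutil.copytree(ssh, dst)` in the first hunk keeps whatever mode the checkout had, so the chmod here is the right place to fix it. env_setup begins before the first hunk.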