SSH Key Pair for Web User #1259

Closed
MikeiLL opened this issue Dec 23, 2020 · 8 comments

Comments

@MikeiLL
Contributor

MikeiLL commented Dec 23, 2020

Summary

Would it make sense to have a task that generates a key pair for the web user?

Motivation

On a new migration, I'm frequently using rsync to transfer shared content like the uploads directory. This requires me to have an ssh key pair on the new Trellis server.

- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
  community.crypto.openssh_keypair:
    path: /home/web/.ssh/id_rsa
  tags: [webkeypair]

That's obviously an ignorant approach, but I'm not even sure if the idea makes sense.

Additional context

@swalkinshaw
Member

swalkinshaw commented Dec 23, 2020

I guess you also need a keypair on the existing server? I should probably know this... but does the admin user have one by default? Just wondering if using admin would be easier than the web user.

My first thought isn't really to build this into Trellis because:

  • migrations like this might not be that common
  • or they might be done in other ways
  • migrations are manual anyway, so at the point when you want to do one, you can just create a key manually

I also wonder if using SSH forwarding or tunnelling to rsync between the two remote servers from your local machine would work: https://unix.stackexchange.com/questions/183504/how-to-rsync-files-between-two-remotes

If something like that ^ works, maybe we could build a command into trellis-cli to help?

@MikeiLL
Contributor Author

MikeiLL commented Dec 23, 2020

> I also wonder if using SSH forwarding or tunnelling to rsync between the two remote servers from your local machine would work: https://unix.stackexchange.com/questions/183504/how-to-rsync-files-between-two-remotes

Yes. That looks great. Will use it now.

> If something like that ^ works, maybe we could build a command into trellis-cli to help?

That would be very cool! I haven't written anything in Go yet but would certainly help with Docs if that would be useful.

@MikeiLL
Contributor Author

MikeiLL commented Dec 23, 2020

By the way, there isn't an ssh key pair generated for admin either.

I think that with using ssh forwarding this way as you recommend above, all of the data will be moving through the local machine. Is that correct? For people with sketchy DSL like what's available here, that might not be a good solution.

@swalkinshaw
Member

I think that's true of the tunnelling solution. Forwarding is a direct connection though and skips the local machine afaik.

@MikeiLL
Contributor Author

MikeiLL commented Dec 23, 2020

> I think that's true of the tunnelling solution. Forwarding is a direct connection though and skips the local machine afaik.

I like the sound of it. Poked at making the command work locally but lost patience and just sshed into the server manually.

This is the command I was running:

ssh -R localhost:50000:oldproduction:22 newproduction 'rsync -e "ssh -p 50000" -vuar /srv/www/example.com/shared/uploads localhost:/srv/www/example.com/shared/uploads'

Error is

Warning: remote port forwarding failed for listen port 50000
ssh: connect to host localhost port 50000: Connection refused
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(235) [sender=3.1.3]

I don't think it would matter, but am faking DNS on the local/dev box. May have to do with 50000 being outside of the ephemeral port range, but I'm having trouble figuring out what the range is.

@raph-topo
Contributor

raph-topo commented Dec 23, 2020

Hello!

No need to tunnel through your local machine for that.

To talk between remote hosts, you can use SSH Agent Forwarding, as such:

$ ssh -o ForwardAgent=yes admin@host1 "ssh admin@host2"

or, for Rsync, e.g.:

$ ssh -o ForwardAgent=yes admin@host1 "rsync --archive --new-compress --rsh='ssh -o StrictHostKeyChecking=no' --progress admin@host2:/uploads/on/host2/ /uploads/on/host1/"

This requires that your own SSH key is of course in the authorized_keys of both hosts and added to the agent on your local machine.

The same works for web@ out of the box, since the docs currently recommend using your personal public keys and Trellis' role users adds them to all remotes' authorized_keys.

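Added example (not from this thread, and not Trellis or trellis-cli code): a small shell wrapper for the agent-forwarded rsync pull described above. It assumes constructed SSH aliases oldproduction and newproduction and the web user, swaps StrictHostKeyChecking=no for accept-new so the source host's key is pinned on first contact instead of ignored, and refuses to forward an agent that holds no keys.

```shell
#!/usr/bin/env bash
# Added example: pull a directory from one remote host onto another through SSH
# agent forwarding, so neither the data nor a private key passes through the
# local machine. Assumptions (constructed): "oldproduction" and "newproduction"
# are SSH config aliases, the "web" user exists on both, and your public key is
# in both hosts' ~web/.ssh/authorized_keys (what the Trellis users role sets up).
set -eu

# Build the rsync command that runs on the destination host and pulls from the
# source. accept-new (OpenSSH 7.6+) records an unknown host key on first contact
# but still fails on a changed key, unlike StrictHostKeyChecking=no, which trusts
# whatever key the far side presents.
build_pull_cmd() {
  src_host=$1; src_path=$2; dst_path=$3; user=${4:-web}
  printf "rsync --archive --verbose --update --progress --rsh='ssh -o StrictHostKeyChecking=accept-new' %s@%s:%s/ %s/" \
    "$user" "$src_host" "$src_path" "$dst_path"
}

# Forwarding an empty agent cannot work, and forwarding a loaded one should be
# limited to the single session that needs it (ForwardAgent=yes on the command
# line below, not in ~/.ssh/config).
agent_has_keys() {
  ssh-add -l >/dev/null 2>&1
}

# Run the pull on the destination host with the local agent forwarded for this
# session only. Usage:
#   remote_pull newproduction oldproduction \
#     /srv/www/example.com/shared/uploads /srv/www/example.com/shared/uploads
remote_pull() {
  dst_host=$1; src_host=$2; src_path=$3; dst_path=$4; user=${5:-web}
  if ! agent_has_keys; then
    echo "no keys loaded in ssh-agent; run ssh-add first" >&2
    return 1
  fi
  ssh -o ForwardAgent=yes "$user@$dst_host" \
    "$(build_pull_cmd "$src_host" "$src_path" "$dst_path" "$user")"
}
```

The inner command is built once with printf and passed as a single argument to ssh, which sidesteps the nested-quoting mistakes that are easy to make when typing the whole thing on one line.
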
@swalkinshaw
Member

I posted some ideas on an existing trellis-cli issue: roots/trellis-cli#109

@swalkinshaw
Member

swalkinshaw commented Jan 5, 2022

Closing this since this feature won't be added in Trellis itself. If anyone has anything to contribute, see roots/trellis-cli#109
