
sshing to bastion.wmflabs.org fails with "Connection closed by 208.80.155.129"
Closed, Resolved · Public

Description

<Glaisher> ssh to bastion.wmflabs.org seems to be failing
<Glaisher> Connection closed by 208.80.155.129
<Glaisher> tools-login is working fine
<Krenair> Coren, ^
<Krenair> YuviPanda, ^
<Glaisher> https://phabricator.wikimedia.org/P2417
<Krenair> Glaisher, I sent Coren a message
<Glaisher> Krenair: Thanks.
<Glaisher> I just tried sshing on my windows pc as well but it's failing there as well
<Krenair> yeah it doesn't work for me either
<Krenair> definitely something up on the server side

{P2417}

Event Timeline

Glaisher raised the priority of this task from to High.
Glaisher updated the task description. (Show Details)
Glaisher added a project: Cloud-Services.
Glaisher added subscribers: Glaisher, coren, yuvipanda.

Doesn't seem isolated to Glaisher, I just noticed the same problem

There was an extra pair of parens in the PAM config for some reason causing this problem. I've hand-hacked this away for now, and disabled puppet. Should restore bastion access.

"fixed" also bastion-restricted-01:

root@bastion-restricted-01:~# cat /etc/security/access.conf
-:ALL EXCEPT (ops) root:ALL
root@bastion-restricted-01:~# puppet agent --disable 'see https://phabricator.wikimedia.org/T121302'
coren claimed this task.

The puppet variable restricted_to was used inconsistently between projects; it was set to the group name everywhere but in project bastion, where the parens for the group name were added explicitly on wikitech.

(e.g.: toolsbeta has a host that has restricted_to=toolsbeta.admin, whereas bastion had restricted_to=(ops) or restricted_to=(project-bastion).) This didn't change anything when the access.conf files were hand-constructed in puppet, but of course it caused an issue once they are constructed by the class instead.

I've edited the bastion variables to not have the extraneous parens (and checked that bastion was the only project with them) in LDAP, and reenabled puppet. The generated access.conf is correct.
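The failure mode discussed in this task, as an added example that is not part of the task or of Wikimedia's puppet code: pam_access reads a token wrapped in parentheses, such as (ops), as a group name, so a restricted_to value that already carries parens and is then wrapped again by a template becomes ((ops)), a group literally named "(ops)" that no user belongs to; "-:ALL EXCEPT ((ops)) root:ALL" then denies every account except root and sshd drops the session. The script below normalises the variable in either form before rendering the rule, keeps the naive template alongside it for comparison, and scans a generated access.conf for doubled parens. The template shape, the function names and the sample file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Wikimedia's puppet code. Shows how a restricted_to
# value that already carries parens produces a broken pam_access rule when
# a template wraps it again, and a quick check for such rules in a
# generated /etc/security/access.conf.

# Strip any surrounding parentheses (and stray spaces) from a group token,
# so "(ops)", "((ops))" and "ops" all normalise to "ops".
normalize_group() {
    printf '%s\n' "$1" | sed -e 's/^[( ]*//' -e 's/[) ]*$//'
}

# Render the deny-all-but-group rule from a restricted_to value in either
# form. The rule shape mirrors the one shown in the task; the template
# itself is assumed.
render_access_rule() {
    printf '%s\n' "-:ALL EXCEPT ($(normalize_group "$1")) root:ALL"
}

# The naive template that causes the outage: it wraps the value blindly,
# so "(ops)" becomes "((ops))".
render_access_rule_naive() {
    printf '%s\n' "-:ALL EXCEPT ($1) root:ALL"
}

# Print every line of an access.conf that contains "((" or "))".
# Exit status 0 when the file is clean, 1 when at least one bad line exists.
find_doubled_parens() {
    grep -E '\(\(|\)\)' "$1" && return 1
    return 0
}

# Demo on a constructed file (not the real bastion config).
demo_conf=$(mktemp)
{
    render_access_rule_naive '(ops)'          # the broken form from the task
    render_access_rule '(project-bastion)'    # same input, parens normalised
    render_access_rule 'toolsbeta.admin'      # bare group name, fine either way
} > "$demo_conf"
find_doubled_parens "$demo_conf" || echo "doubled parentheses found in $demo_conf"
rm -f "$demo_conf"
```

Run the check against the file puppet actually wrote before re-enabling the agent; a clean exit means no rule carries a doubled group token, which is exactly the condition that locked everyone but root out of the bastions.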