Get a laptop from OIT (already requested in ZenDesk ticket #9727),
install Debian on it,
put the YubiHSM into it that was obtained in T122120,
keep it in a safe place at the office, and share access with other local ops.
Description
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | MoritzMuehlenhoff | T123818 setup YubiHSM and laptop at office |
Event Timeline
@JKrauska any update on Zendesk ticket #9727? Or could you add me to CC of that one, please?
Can we keep the laptop locked up in the IT den?
This means it will only be able to be accessed during normal office hours, but also means that there's less chance of it being stolen.
I received a Thinkpad T420, WMF 389, from OIT (thanks!) and I'll install jessie on it next.
I installed jessie on it. The hostname is eiximenis.corp.wikimedia.org : )
I wiped the disk with dd if=/dev/zero (one pass) before the install and disabled a couple of things in the BIOS,
like the fingerprint sensor that was enabled (also deleted the fingerprint data), disabled flashing the BIOS over LAN, disabled virtualization support, disabled other boot devices, disabled Bluetooth, and more.
I think we should give you an SSD -- we have a few.
I would not want critical stuff running on a spinning drive -- and that drive is OLD.
Game?
A spinning disk can be securely wiped, whereas SSDs aren't really securely wiped in most instances. (TRIM support is varied and not regularly applied across differing SSD vendors/models.)
I'm not sure an HDD is a bad thing in this regard, unless we know the SSD can be securely wiped (doubtful), or if OIT/WMF is accepting that any issue with the laptop will mean the removal of the SSD by Operations for disposal/transfer rather than return to OIT.
Joel is correct that a newer SSD has a higher reliability than the older hdd.
I have given the laptop back to OIT today to keep it in their room behind the metal door for us and give ops members access when we need it.
I put some sticky tape on it and wrote "eiximenis.corp.wm.org Operations Team T123818".
I'll continue to work on it while at the office.
I need to update the pwstore with access info.
YubiHSM hardware plugged in and detected.
Installed the yhsm-tools package, which provides:
yhsm-keystore-unlock -- keystore unlock
yhsm-linux-add-entropy -- entropy seeder
yhsm-decrypt-aead -- decrypt AEADs
yhsm-generate-keys -- generate new AEADs
There is also the yhsm-validation-server and more, but I did not install these (yet).
This also provided:
python-pyhsm (see https://github.com/Yubico/python-pyhsm/)
The example tool "yhsm-sysinfo.py" works and shows the device has a "power-up count" of 768.
@Muehlenhoff I've been thinking you should probably ask OIT for VPN access (https://office.wikimedia.org/wiki/VPN_Setup) so that you can get into the office network and ssh to this laptop. Makes sense?
Or, an alternative suggestion from Ori: https://ngrok.com/
@Muehlenhoff let's talk about when we consider this one to be resolved. Technically the laptop and YubiHSM are there, but I think you could not connect to it yet, right?
As discussed, I'll prepare the script and we'll do the actual setup/some tests at the offsite. Assigning to Daniel as a reminder to bring that laptop with him :-)
Picked up from the office. I also received 5 YubiKeys from OIT (4 x YubiKey 4 and 1 x YubiKey 4 Nano) (Zendesk ticket #11781).
We worked with it during the offsite. Moritz added a script to write the first 5 test keys and then we did. Now some more testing is going to happen, and meanwhile my task here is to bring the laptop back to the office.
Brought the laptop back to the office in SF, on Thursday after the metrics meeting, and handed it over to OIT.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I can confirm that Riccard (volans) should have access to the Yubikey laptop referenced in Phab Ticket T123818, Zen Desk #9727.
- -- Daniel Zahn (dzahn@wikimedia.org)

To verify:
gpg --verify confirm-volans.sig
@Dzahn Ricard has the laptop.
byronicle:~ bbogaert$ gpg --verify confirm-volans.sig
gpg: Signature made Tue Jan 24 12:14:38 2017 PST using RSA key ID F5F6A067
gpg: Good signature from "Daniel Zahn (WMF) <dzahn@wikimedia.org>" [full]