Page MenuHomePhabricator

setup YubiHSM and laptop at office
Closed, ResolvedPublic

Description

Get a laptop from OIT (already requested in ZenDesk ticket #9727),
install Debian on it,
put the YubiHSM into it that was obtained in T122120
keep it in a safe place at office, share access with other local ops

Related Objects

StatusAssignedTask
ResolvedMoritzMuehlenhoff

Event Timeline

Dzahn created this task.Jan 16 2016, 12:46 AM
Dzahn raised the priority of this task from to Needs Triage.
Dzahn updated the task description. (Show Details)
Dzahn added a subscriber: Dzahn.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptJan 16 2016, 12:46 AM
Dzahn claimed this task.Jan 16 2016, 12:47 AM
Dzahn added a project: Operations.
Dzahn set Security to None.
Dzahn added a subtask: Unknown Object (Task).

@JKrauska any update on zendesk ticket #9727 ? or could you add me to CC of that one please?

Dzahn triaged this task as High priority.Jan 22 2016, 8:29 PM

added you as a cc -- we can provide a older laptop this week.

Can we keep the laptop locked up in the IT den?

This means it will only be able to be accessed during normal office hours, but also means that there's less chance of it being stolen.

Dzahn added a comment.Jan 25 2016, 5:23 PM

Can we keep the laptop locked up in the IT den?
This means it will only be able to be accessed during normal office hours, but also means that there's less chance of it being stolen.

Yes please, that is what i wanted to ask for as well for the same reason.

Dzahn added a comment.Jan 25 2016, 9:11 PM

I received a Thinkpad T420, WMF 389, from OIT (thanks!) and i'll install jessie on it next.

Dzahn added a comment.Feb 2 2016, 11:36 PM

I installed jessie on it. The hostname is eiximenis.corp.wikimedia.org : )

I wiped the disk with dd if=/dev/zero (one pass) before the install and disabled a couple things in BIOS,
like the fingerprint sensor that was enabled (also deleted fingerprint data), disabled flashing BIOS over LAN, disabled virtualization support, disabled other boot devices, disabled bluetooth .. and more

I think we should give you a SSD -- we have a few..

I would not want critical stuff running on a spinning drive -- and that drive is OLD.

Game?

RobH added a subscriber: RobH.EditedFeb 3 2016, 12:14 AM

A spinning disk can be securely wiped, where SSDs aren't really securely wiped in most instances. (Trim support is varied and not regularly applied across differing ssd vendors/models.)

I'm not sure a hdd is a bad thing in this regard; Unless we know the SSD can be securely wiped (doubtful), or if OIT/WMF is accepting that any issue with the laptop will mean the removal of the SSD by Operations for disposal/transfer rather than return to OIT.

Joel is correct that a newer SSD has a higher reliability than the older hdd.

i have given the laptop back to OIT today to keep it in their room behind the metal door for us and give ops members access when we need it

i put some sticky tape on it and wrote "eiximenis.corp.wm.org Operations Team T123818".

i'll continue to work on it while at office

i need to update the pwstore with access info

yubihsm hardware plugged in and detected

installed the yhsm-tools package which provides

yhsm-keystore-unlock -- keystore unlock
yhsm-linux-add-entropy -- entropy seeder
yhsm-decrypt-aead -- decrypt AEADs
yhsm-generate-keys -- generate new AEADs

there is also the yhsm-validation-server and more but i did not install these (yet)

this also provided:

python-pyhsm (see https://github.com/Yubico/python-pyhsm/)

the example tool "yhsm-sysinfo.py" works and shows the device has a "power-up count" of 768.

Dzahn added a subscriber: Muehlenhoff.EditedFeb 20 2016, 12:46 AM

@Muehlenhoff I've been thinking you should probably ask OIT for VPN access (https://office.wikimedia.org/wiki/VPN_Setup) so that you can get into the office network and ssh to this laptop. makes sense?

or, alternative suggestion from ori .. https://ngrok.com/

Dzahn lowered the priority of this task from High to Normal.Mar 31 2016, 1:08 AM
Dzahn added a comment.Apr 18 2016, 6:59 PM

@Muehlenhoff let's talk about when we consider this one to be resolved. Technically the laptop and YubiHSM is there but i think you could not connect to it yet, right?

Dzahn reassigned this task from Dzahn to Muehlenhoff.Jun 10 2016, 5:14 AM
RobH closed subtask Unknown Object (Task) as Resolved.Jul 11 2016, 5:29 PM

As discussed, I'll prepare the script and we'll do the actual setup/some tests at the offsite. Assigning to Daniel as a reminder to bring that laptop with him :-)

Dzahn added a comment.Sep 22 2016, 6:48 PM

picked up from office. i also received 5 yubikeys from OIT (4 x yubikey4 and 1 x yubikey4nano) (zendesk Ticket #11781)

Dzahn added a comment.Oct 11 2016, 6:26 PM

we worked with it during the offsite. Moritz added a script to write the first 5 test keys and then we did. now some more testing is going to happen, and meanwhile my task here is to bring the laptop back to office.

Dzahn added a comment.Oct 30 2016, 4:05 AM

brought the laptop back to office in SF, on Thursday after metrics meeting, handed over to OIT

Dzahn removed Dzahn as the assignee of this task.Nov 8 2016, 2:21 AM

@bbogaert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I can confirm that Riccard (volans) should have
access to the Yubikey laptop referenced in Phab Ticket T123818,
Zen Desk #9727.

- -- Daniel Zahn (dzahn@wikimedia.org)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsEmxgCEuQqevtNQzN+m1xvX2oGcFAliHta4ACgkQN+m1xvX2
oGfK8hAA591pXB1u+LcoIRCikfJNelQxkGD27P9hQNsdTdsqUOVninYBskNGdMv4
W1WyJUI1H1PxFRABvjdgC4rhNqLuPPHlaE3BSkeAsPXuV3469c6L4xsRLaiyMI+Z
ErqQuZyOH+E3nRCJkESVmmea/w5IcTRuyX6DW3jo+eW9l0jDkkqZZo/qe7MwHtKf
6q8inyNsxF/rOPXg/RyJ0ku5MIP9GxhjUkT5P8NCYj+BHJSEjnotNlvuwPPqHhvE
ere3+VvIfC+Pjjnk5Q8E3SOda82db4206AZMWP+/JtgZR0H3XVK7j2RegAm9CXO4
AbDS25FF3J9e+BUDvkVxjoM4XWGlkyf/QaY6GdRt06FZru9YWGoyJvwEsEULQl5W
mrl5ORwQ66aQvxwQjBIZTRrgY2n5GpkRtuyQ7KFabXUCr1oHkfe2ILxmhLXhzLOI
+BndxM6plvO+uyBInhTNUusvunXD4RgKKGhSVsOU6leKQ7nXfRc4W5caO387pJsA
/WugYiLWJ7f2bYZcstjfCP0Zyrbr6G16Qokg/x/smA/HiJNSviFdi77XxMJ/FtwS
njGRXCleooFkKpYyalgYNr19AwRheRWUtVF26YUulnUkjuJ0bE+GAP0guSXS5j0S
27nSQUaFHhyhmuqYjha4lCnZZgiqfFqAAUFF+KqaE5A9xJPuUNU=
=nLpu
-----END PGP SIGNATURE-----

to verify:

gpg --verify confirm-volans.sig

@Dzahn Ricard has the laptop.

byronicle:~ bbogaert$ gpg --verify confirm-volans.sig
gpg: Signature made Tue Jan 24 12:14:38 2017 PST using RSA key ID F5F6A067
gpg: Good signature from "Daniel Zahn (WMF) <dzahn@wikimedia.org>" [full]

What's left to do in this task?

MoritzMuehlenhoff closed this task as Resolved.Mar 15 2018, 4:46 PM
MoritzMuehlenhoff claimed this task.

Long done, can be closed.