
Production shell access prompting for password
Closed, Resolved, Public

Description

I'm trying to connect to analytics-store, which I was able to do earlier in the year though I haven't tried for some time, but am now being prompted for a password. I can SSH to bast1001.wikimedia.org no problem. As far as I recall I don't have a password set, but perhaps I've just forgotten it.

This could also be a similar issue to T163568, or I'm doing something stupid.

I'm running Ubuntu 16.04 (from a VM).

Full SSH log:

ssh -v analytics-store.eqiad.wmnet
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/sam/.ssh/config
debug1: /home/sam/.ssh/config line 6: Applying options for *.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh -a -W analytics-store.eqiad.wmnet:22 bast1001.wikimedia.org
debug1: permanently_drop_suid: 1000
debug1: identity file /home/sam/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sam/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to analytics-store.eqiad.wmnet:22 as 'samwalton9'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:IRjsfAecrj40rG9skLwgaYYOHVl7KdPL6am5ELGqido
debug1: Host 'analytics-store.eqiad.wmnet' is known and matches the ECDSA host key.
debug1: Found key in /home/sam/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sam/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

SSH config:

Host bast1001.wikimedia.org
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User samwalton9
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa

Event Timeline

> I'm trying to connect to analytics-store, which I was able to do earlier in the year though I haven't tried for some time

Hi,

analytics-store is an alias for dbstore1002.eqiad.wmnet.

That host does not know a user "samwalton9" and I don't see an indication that it did in the past or there would be any other non-root users on it.

There is also no admin group that seems to match dbstore hosts or anything.

The group membership you do have is called "researchers" and gives access to stat1006 which is a different host unrelated to analytics-store.

The description is "description: Access statistics number crunching hosts (like statistics-users) and also provides access to research mysql credentials on stat1006 (currently the only such host)"

Can you name a timeframe when you think you had access to a dbstore host?

Also adding analytics ops. @elukey @Ottomata to find out what's up.

Samwalton9-WMF claimed this task.

facepalm

I'd forgotten the connection process and was trying to connect to the wrong place. I can indeed connect to stat1006 no problem. Thanks!
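
Added example (not part of the original task and not Wikimedia's tooling): a small Python parser for `ssh -v` output like the log in the description, reporting which methods were tried and whether the offered key was accepted before the client fell back to a password prompt. `summarize_auth` and the diagnosis strings are hypothetical names, and the sample log is a trimmed copy of the lines quoted in the task.

```python
import re

# Constructed sample: a trimmed copy of the `ssh -v` lines quoted in the task.
SAMPLE_LOG = """\
debug1: Executing proxy command: exec ssh -a -W analytics-store.eqiad.wmnet:22 bast1001.wikimedia.org
debug1: Authenticating to analytics-store.eqiad.wmnet:22 as 'samwalton9'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sam/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
"""

TARGET = re.compile(r"Authenticating to (\S+):\d+ as '([^']+)'")
METHOD = re.compile(r"Next authentication method: (\S+)")
OFFER = re.compile(r"Offering (?:\S+ )?public key: (\S+)")
ACCEPT = re.compile(r"Server accepts key")
SUCCESS = re.compile(r"Authentication succeeded \(([^)]+)\)")


def summarize_auth(log):
    """Summarize the auth phase of an OpenSSH client debug log (hypothetical helper)."""
    s = {"host": None, "user": None, "methods": [], "offered": [],
         "accepted": [], "succeeded": None}
    for line in log.splitlines():
        if m := TARGET.search(line):
            s["host"], s["user"] = m.group(1), m.group(2)
        elif m := METHOD.search(line):
            s["methods"].append(m.group(1))
        elif m := OFFER.search(line):
            s["offered"].append(m.group(1))
        elif ACCEPT.search(line) and s["offered"]:
            s["accepted"].append(s["offered"][-1])  # acceptance follows its offer
        elif m := SUCCESS.search(line):
            s["succeeded"] = m.group(1)
    if s["succeeded"]:
        s["diagnosis"] = "authenticated"
    elif not s["offered"]:
        s["diagnosis"] = "no key offered: check IdentityFile and agent"
    elif not s["accepted"]:
        # The client log looks the same whether the key is not authorized
        # for the account or the account is absent on that host.
        s["diagnosis"] = "key refused: check account and authorized keys on target"
    else:
        s["diagnosis"] = "key accepted but login incomplete"
    return s


if __name__ == "__main__":
    print(summarize_auth(SAMPLE_LOG))
```
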