
Request public key change for a research fellow
Closed, Resolved (Public)

Description

Who
Bob West
Wikitech username: west1

Why
Bob West is our research fellow with signed MOU and NDA. He currently has access to analytics machines through his device. He is switching devices and he'd like to create a new public/private key for access (the old one can/should be discarded.)

Steps

  • Bob to append his public SSH key to this Phabricator task

Event Timeline

@Cervisiarius what is your wikitech username? Also, can you generate a new public/private key and paste the public key in this task as a comment?

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

wikitech username: west1

leila removed leila as the assignee of this task. Oct 11 2017, 9:50 PM
leila updated the task description.
leila added a project: SRE.
leila updated the task description.

Change 384598 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add new ssh key for bob west

https://gerrit.wikimedia.org/r/384598

Change 384598 merged by RobH:
[operations/puppet@production] add new ssh key for bob west

https://gerrit.wikimedia.org/r/384598

RobH added a subscriber: RobH.

@Cervisiarius: I've left your existing key in place as well for now.

- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAweYNj2Fsw5NjS+tM3JwvzpAymkw2GNE2NhgI79VuJukffj1XGPGYSJQVxRgIKuLCrmizCc/wYyF2gB+aO3iOmu1pSa84i3Xv141cO8ib5XHGdgPkfb8cvCOg0eD0OEe5esCbNLQrCe/6kzlhWLDkE9UZ++2lKt3j5IN9FEj2qLRv9zVEIBU001ciP/qA0YwIffweVzmX4FpcNF6h8pSKJpx3y+lHwIoD1Hm6d2IH39jPV3k/LmwNLHLjSxlIqXuU1EIeK4Rs+cKOpZatfT4Q8wpiZknvhGxXexhJAwSQ2DM8lONqmFF+AyWZSKahbjN4biBfsjJXLxQFw9yrn3XU2w== west1@madmax4.stanford.edu
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

Since it states you are switching devices, please just let me know (via this task) when we can remove the older ssh key. This change is now live. I'm leaving this task open and assigned to you for feedback on when to pull the old key. (If you prefer to keep using two keys, that is also acceptable, just let us know!)

Thanks. I'm trying to log in as I used to from my old machine:
$ ssh west1@stat1005.eqiad.wmnet
but I get the (expected) error
"ssh: Could not resolve hostname stat1005.eqiad.wmnet: nodename nor servname provided, or not known".

Could you please point me to the additional configuration changes I have to make on my laptop to be able to connect to stat1005?

The details on a working ssh config are listed here: https://wikitech.wikimedia.org/wiki/Production_shell_access#Standard_config

You'll have to set up something like the following:

Host bast1001.wikimedia.org
    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User your_username_here
    # Everything else goes via bastion acting as a proxy
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    # Do not offer other identities loaded in ssh-agent
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key

@Cervisiarius: I'm also on clinic duty this week, so you should feel free to ping for assistance via IRC. Sometimes it is easier when someone works with you, rather than just leave you to figure it out solo. Let me know!

Thanks so much, Rob. I followed the instructions, and it worked. You may delete the older key now.

Change 385216 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] remove bob west's old ssh key

https://gerrit.wikimedia.org/r/385216

Change 385216 merged by RobH:
[operations/puppet@production] remove bob west's old ssh key

https://gerrit.wikimedia.org/r/385216

RobH removed Cervisiarius as the assignee of this task.

Older key removed, resolving task!

Hi there,

After years of inactivity, I just wanted to log onto the WMF cluster again (via ssh stat1006.eqiad.wmnet), but encountered the issue that I was asked for a password. So I'm guessing that my key is not considered valid on the WMF side anymore, due to the long time of inactivity.
I checked, and my public key is still the same as listed above:

AAAAB3NzaC1yc2EAAAABIwAAAQEAweYNj2Fsw5NjS+tM3JwvzpAymkw2GNE2NhgI79VuJukffj1XGPGYSJQVxRgIKuLCrmizCc/wYyF2gB+aO3iOmu1pSa84i3Xv141cO8ib5XHGdgPkfb8cvCOg0eD0OEe5esCbNLQrCe/6kzlhWLDkE9UZ++2lKt3j5IN9FEj2qLRv9zVEIBU001ciP/qA0YwIffweVzmX4FpcNF6h8pSKJpx3y+lHwIoD1Hm6d2IH39jPV3k/LmwNLHLjSxlIqXuU1EIeK4Rs+cKOpZatfT4Q8wpiZknvhGxXexhJAwSQ2DM8lONqmFF+AyWZSKahbjN4biBfsjJXLxQFw9yrn3XU2w== west1@madmax4.stanford.edu

And this is my .ssh/config file:

Host *
    UseRoaming no

Host *
  ServerAliveInterval 60

### Short names
#Host <some host you want your system to auto-complete>

## Use bastion-eqiad.wmflabs.org as proxy to labs
Host bastlabs
HostName bastion-eqiad.wmflabs.org
User west1

Host *.eqiad.wmflabs !bastion-eqiad.wmflabs.org
User west1
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -a -W %h:%p bastlabs

## production
Host bastproduction
HostName bast1003.wikimedia.org
User west1
ForwardAgent no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa

#for accessing mysql locally
LocalForward 8889 analytics1027.eqiad.wmnet:8888
LocalForward 8001 analytics-store.eqiad.wmnet:3306
LocalForward 8002 s1-analytics-slave.eqiad.wmnet:3306

Host *.eqiad.wmnet *.wikimedia.org !bastproduction
User west1
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -W %h:%p bastproduction
ForwardAgent no
IdentitiesOnly yes

Host tools-dev.wmflabs.org
User west1
IdentityFile ~/.ssh/id_rsa

Could you please check and let me know how to proceed?

Thanks a lot!
Bob

Thanks, this helped! I realized that I was using the wrong SSH key, and now, when using a different one, it works.
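
The thread ends with the discovery that the wrong key was being offered. As an added example (not part of this task or of Wikimedia's tooling), the Python below decodes OpenSSH public key lines, including a bare blob pasted without its `ssh-rsa` prefix, and compares SHA256 fingerprints against an authorized list. The helper names and both sample keys are constructed for illustration, and `authorized_keys` option prefixes are not handled.

```python
import base64
import hashlib
import struct


def _field(data: bytes) -> bytes:
    """Length-prefix one SSH wire field (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _mpint(x: int) -> bytes:
    """SSH mpint body for a positive integer (leading 0x00 if top bit is set)."""
    return x.to_bytes(x.bit_length() // 8 + 1, "big")


def make_rsa_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <blob> <comment>' line from constructed numbers."""
    blob = _field(b"ssh-rsa") + _field(_mpint(e)) + _field(_mpint(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey(line: str) -> dict:
    """Decode a public key line; accepts a bare blob with no key-type word."""
    words = line.split()
    b64 = words[0] if words[0].startswith("AAAA") else words[1]
    blob = base64.b64decode(b64, validate=True)
    fields, off = [], 0
    while off < len(blob):
        (size,) = struct.unpack_from(">I", blob, off)
        if off + 4 + size > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    # Same value ssh-keygen -lf prints: unpadded base64 of SHA-256 over the blob.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": fields[0].decode(), "fingerprint": "SHA256:" + digest}
    if info["type"] == "ssh-rsa":
        info["exponent"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def is_authorized(offered: str, authorized: list) -> bool:
    """True if the offered key's fingerprint appears in the authorized list."""
    allowed = {parse_pubkey(k)["fingerprint"] for k in authorized}
    return parse_pubkey(offered)["fingerprint"] in allowed


# Constructed sample keys (not real RSA moduli, not the keys from the task).
OLD = make_rsa_line(35, (1 << 2047) | 0x0BAD0001, "old-device")
NEW = make_rsa_line(65537, (1 << 2047) | 0x0BAD0003, "new-device")
```

Comparing fingerprints rather than raw lines means a key matches regardless of its comment or a missing type prefix, so a key pasted into a ticket can be checked directly against the deployed list.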