Page MenuHomePhabricator

Request public key change for a research fellow
Closed, ResolvedPublic


Bob West
Wikitech username: west1

Bob West is our research fellow with signed MOU and NDA. He currently has access to analytics machines through his device. He is switching devices and he'd like to create a new public/private key for access (the old one can/should be discarded.)


  • Bob to append his public ssh key into this phabricator task

Event Timeline

@Cervisiarius what is your wikitech username? Also, can you generate a new public/private key and paste the public key in this task as a comment?

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

wikitech username: west1

leila removed leila as the assignee of this task.Oct 11 2017, 9:50 PM
leila updated the task description. (Show Details)
leila added a project: SRE.
leila updated the task description. (Show Details)

Change 384598 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add new ssh key for bob west

Change 384598 merged by RobH:
[operations/puppet@production] add new ssh key for bob west

RobH subscribed.

@Cervisiarius: I've left your existing key in place as well for now.

- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAweYNj2Fsw5NjS+tM3JwvzpAymkw2GNE2NhgI79VuJukffj1XGPGYSJQVxRgIKuLCrmizCc/wYyF2gB+aO3iOmu1pSa84i3Xv141cO8ib5XHGdgPkfb8cvCOg0eD0OEe5esCbNLQrCe/6kzlhWLDkE9UZ++2lKt3j5IN9FEj2qLRv9zVEIBU001ciP/qA0YwIffweVzmX4FpcNF6h8pSKJpx3y+lHwIoD1Hm6d2IH39jPV3k/LmwNLHLjSxlIqXuU1EIeK4Rs+cKOpZatfT4Q8wpiZknvhGxXexhJAwSQ2DM8lONqmFF+AyWZSKahbjN4biBfsjJXLxQFw9yrn3XU2w==
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

Since it states you are switching devices, please just let me know (via this task) when we can remove the older ssh key. This change is now live. I'm leaving this task open and assigned to you for feedback on when to pull the old key. (If you prefer to keep using two keys, that is also acceptable, just let us know!)

Thanks. I'm trying to log in as I used to from my old machine:
$ ssh west1@stat1005.eqiad.wmnet
but I get the (expected) error
"ssh: Could not resolve hostname stat1005.eqiad.wmnet: nodename nor servname provided, or not known".

Could you please point me to the additional configuration changes I have to make on my laptop to be able to connect to stat1005?

The details on a working ssh config are listed here:

You'll have to setup something like the following:

    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host * *.wmnet ! !
    User your_username_here
    # Everything else goes via bastion acting as a proxy
    ProxyCommand ssh -a -W %h:%p
    # Do not offer other identities loaded in ssh-agent
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key

@Cervisiarius: I'm also on clinic duty this week, so you should feel free to ping for assistance via IRC. Sometimes it is easier when someone works with you, rather than just leave you to figure it out solo. Let me know!

Thanks so much, Rob. I followed the instructions, and it worked. You may delete the older key now.

Change 385216 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] remove bob west's old ssh key

Change 385216 merged by RobH:
[operations/puppet@production] remove bob west's old ssh key

RobH removed Cervisiarius as the assignee of this task.

Older key removed, resolving task!

Hi there,

After years of inactivity, I just wanted to log onto the WMF cluster again (via ssh stat1006.eqiad.wmnet), but encountered the issue that I was asked for a password. So I'm guessing that my key is not considered valid on the WMF side anymore, due to the long time of inactivity.
I checked, and my public key is still the same as listed above:


And this is my .ssh/config file:

Host *
    UseRoaming no

Host *
  ServerAliveInterval 60

### Short names
#Host <some host you want your system to auto-complete>

## Use as proxy to labs
Host bastlabs
User west1

Host *.eqiad.wmflabs !
User west1
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -a -W %h:%p bastlabs

## production
Host bastproduction
User west1
ForwardAgent no
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa

#for accessing mysql locally
LocalForward 8889 analytics1027.eqiad.wmnet:8888
LocalForward 8001 analytics-store.eqiad.wmnet:3306
LocalForward 8002 s1-analytics-slave.eqiad.wmnet:3306

Host *.eqiad.wmnet * !bastproduction
User west1
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -W %h:%p bastproduction
ForwardAgent no
IdentitiesOnly yes

User west1
IdentityFile ~/.ssh/id_rsa

Could you please check and let me know how to proceed?

Thanks a lot!

Thanks, this helped! I realized that I was using the wrong SSH key, and now, when using a different one, it works.