
Request public key change for a research fellow
Closed, Resolved · Public

Description

Who
Bob West
Wikitech username: west1

Why
Bob West is our research fellow with signed MOU and NDA. He currently has access to analytics machines through his device. He is switching devices and he'd like to create a new public/private key for access (the old one can/should be discarded.)

Steps

  • Bob to append his public ssh key into this phabricator task

Event Timeline

leila created this task. Oct 10 2017, 9:32 PM
Restricted Application added a subscriber: Aklapper. Oct 10 2017, 9:32 PM
leila added a comment. Oct 10 2017, 9:33 PM

@Cervisiarius what is your wikitech username? Also, can you generate a new public/private key and paste the public key in this task as a comment?

leila moved this task from Staged to In Progress on the Research board. Oct 10 2017, 9:33 PM

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

wikitech username: west1

leila removed leila as the assignee of this task. Oct 11 2017, 9:50 PM
leila updated the task description.
leila added a project: Operations.
leila updated the task description.

Change 384598 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add new ssh key for bob west

https://gerrit.wikimedia.org/r/384598

Change 384598 merged by RobH:
[operations/puppet@production] add new ssh key for bob west

https://gerrit.wikimedia.org/r/384598

RobH assigned this task to Cervisiarius. Oct 16 2017, 8:14 PM
RobH added a subscriber: RobH.

@Cervisiarius: I've left your existing key in place as well for now.

- ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAweYNj2Fsw5NjS+tM3JwvzpAymkw2GNE2NhgI79VuJukffj1XGPGYSJQVxRgIKuLCrmizCc/wYyF2gB+aO3iOmu1pSa84i3Xv141cO8ib5XHGdgPkfb8cvCOg0eD0OEe5esCbNLQrCe/6kzlhWLDkE9UZ++2lKt3j5IN9FEj2qLRv9zVEIBU001ciP/qA0YwIffweVzmX4FpcNF6h8pSKJpx3y+lHwIoD1Hm6d2IH39jPV3k/LmwNLHLjSxlIqXuU1EIeK4Rs+cKOpZatfT4Q8wpiZknvhGxXexhJAwSQ2DM8lONqmFF+AyWZSKahbjN4biBfsjJXLxQFw9yrn3XU2w== west1@madmax4.stanford.edu
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGd7k8tpFmG0m7qe1tD9M7QGQCioHi/kDuSlA8FpSRAsmDWcARisV1/29lpdHUCy4tJ0s3zaEcoGUjy3630El1Ch+dn+NiQSKBcW9fFZ0yhr4uEoOTcamou3L/tpr6ky0hzvX/BNmZTL9ZF2v3PUyb7jAmDs0/1rVSRJ0Egy3+tRR7TttKXdUArGda9/CznW7tQ1BWBIWQ3CeA9Um+uUckF0JFa/IKRdZ5LADrQ/w3wVqcN9WyXza30ITXYKQWkiJPnW+oU/j5r2huY8rTVjaKxTVFf8qVBJXPULUgdgGJqbAkJ34wAW200xij830pTPkh+P/b33/CtUeM+9k9sY0f west@malum

Since it states you are switching devices, please just let me know (via this task) when we can remove the older ssh key. This change is now live. I'm leaving this task open and assigned to you for feedback on when to pull the old key. (If you prefer to keep using two keys, that is also acceptable, just let us know!)

Thanks. I'm trying to log in as I used to from my old machine:
$ ssh west1@stat1005.eqiad.wmnet
but I get the (expected) error
"ssh: Could not resolve hostname stat1005.eqiad.wmnet: nodename nor servname provided, or not known".

Could you please point me to the additional configuration changes I have to make on my laptop to be able to connect to stat1005?

RobH added a comment. Oct 18 2017, 2:12 PM

The details on a working ssh config are listed here: https://wikitech.wikimedia.org/wiki/Production_shell_access#Standard_config

You'll have to set up something like the following:

Host bast1001.wikimedia.org
    # Direct connection for the bastion host
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User your_username_here
    # Everything else goes via bastion acting as a proxy
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    # Do not offer other identities loaded in ssh-agent
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key
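
Why the order of the two Host blocks above matters, as an added example that is not part of RobH's comment or the Wikitech page: a simplified Python model of ssh_config evaluation (the first value obtained for an option wins, and a matching negated pattern excludes the host) applied to that config. The function names are hypothetical, and `fnmatchcase` is used as an approximation of OpenSSH's `*` and `?` wildcards.

```python
from fnmatch import fnmatchcase

# The two Host blocks from the comment above, in the same order (comments dropped).
CONFIG = """\
Host bast1001.wikimedia.org
    ProxyCommand none
    ControlMaster auto

Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User your_username_here
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key
"""

def parse(text):
    """Return [(host_patterns, {option: value})] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.lower().split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks

def host_matches(patterns, host):
    """A matching negated pattern excludes the host; else one positive must match."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched

def effective(host, text=CONFIG):
    """Walk blocks top to bottom; the first value seen for an option is kept."""
    opts = {}
    for patterns, block in parse(text):
        if host_matches(patterns, host.lower()):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts
```

`effective("bast1001.wikimedia.org")` keeps `ProxyCommand none` from the first block while still picking up `User` and `IdentityFile` from the second; with the blocks swapped, the bastion entry would be told to proxy through itself.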

RobH added a comment. Oct 18 2017, 8:33 PM

@Cervisiarius: I'm also on clinic duty this week, so you should feel free to ping for assistance via IRC. Sometimes it is easier when someone works with you, rather than just leave you to figure it out solo. Let me know!

Thanks so much, Rob. I followed the instructions, and it worked. You may delete the older key now.

Change 385216 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] remove bob west's old ssh key

https://gerrit.wikimedia.org/r/385216

Change 385216 merged by RobH:
[operations/puppet@production] remove bob west's old ssh key

https://gerrit.wikimedia.org/r/385216

RobH closed this task as Resolved. Oct 19 2017, 5:56 PM
RobH removed Cervisiarius as the assignee of this task.

Older key removed, resolving task!