
requesting additional production ssh key for jmorgan
Closed, Resolved (Public)

Description

I just got a new WMF laptop. I'd like to add a new production ssh key for this laptop. Please retain my existing public key (P5328), which is still in use on my other machine.

I've pasted my new public key here: P7377

Event Timeline

You can make your own gerrit changeset for this ;)

herron triaged this task as Medium priority.
herron added a subscriber: herron.

Hey @Capt_Swing, I can help you out with this. Prepping the patch now.

Change 447446 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: add ssh key for jmorgan's new laptop

https://gerrit.wikimedia.org/r/447446

Thanks @herron! And @Reedy: that might be technically true, but I'm a long way from proficient in basic software development practice ;) But thanks to your nudge I've asked @bmansurov to give me a tour of Gerrit this week, so maybe next time I can roll my own!

Change 447446 merged by Herron:
[operations/puppet@production] admin: add ssh key for jmorgan's new laptop

https://gerrit.wikimedia.org/r/447446

@Capt_Swing your new ssh key has been added and I watched it deploy successfully to bast1002. Just give this change another 30 minutes to finish propagating across the fleet, and let me know if you run into any issues after that. Thanks!

@Capt_Swing You're now using the same SSH key in WMCS as you do in the production network. This is a security risk since WMCS allows SSH agent forwarding and a malicious privileged user in WMCS can connect to our forwarded agent socket and connect to production on your behalf.

Please create a separate SSH key for production access and update and paste it here or remove the jtmorgan@Ephiliates key ending in "EDsw==" from the list of keys allowed to log into WMCS (you can configure that via https://wikitech.wikimedia.org/wiki/Special:Preferences in the OpenStack tab).
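Added example, not part of the task discussion or of any Wikimedia tooling: one way to audit for the key reuse described in the comment above is to compare SHA256 fingerprints across the two environments' authorized key lists. The function names and the sample key material are constructed for illustration; in practice the two inputs would be the key lists for production and for WMCS.

```python
import base64, hashlib, re, struct

# authorized_keys line: [options] keytype base64-blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-[\w-]+|sk-[\w@.-]+)"
    r"\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(keytype, blob_b64):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Map fingerprint -> comment, skipping blanks, comments and bad lines."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.search(line) if line and not line.startswith("#") else None
        if not m:
            continue
        try:
            keys[fingerprint(m.group(1), m.group(2))] = m.group(3) or ""
        except ValueError:
            continue  # malformed base64 or mismatched key type
    return keys

def reused_keys(prod_text, wmcs_text):
    """Keys accepted in both environments: (fingerprint, prod comment, wmcs comment)."""
    prod, wmcs = parse_keys(prod_text), parse_keys(wmcs_text)
    return sorted((fp, prod[fp], wmcs[fp]) for fp in prod.keys() & wmcs.keys())

def _sample_key(seed, comment):
    # Constructed ed25519-shaped blob, not a real key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed sample inputs standing in for the two key lists.
PROD = "\n".join([_sample_key(1, "user@old-laptop"), _sample_key(2, "user@new-laptop")])
WMCS = "\n".join(["# cloud keys", "no-port-forwarding " + _sample_key(2, "user@new-laptop"),
                  _sample_key(3, "user@cloud-only")])

if __name__ == "__main__":
    for fp, prod_c, wmcs_c in reused_keys(PROD, WMCS):
        print(f"REUSED {fp} prod={prod_c!r} wmcs={wmcs_c!r}")
```

Comparing fingerprints rather than whole lines catches reuse even when the two lists carry different options or comments for the same key.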

@RhinosF1 I think so? I mean, I don't use the same keys in Labs and production, and I have access to both servers. So I'm going to assume everything is fine ;) - J

This comment was removed by RhinosF1.