
Frdev1001 server and mysql access
Closed, Resolved; Public

Description

Hi there, could I get access to the frdev1001 server and access to mysql, specifically the pgehres & civicrm databases? Thank you!

Event Timeline

Krenair edited subscribers, added: Krenair; removed: Wikimedia-Fundraising.

pgehres hasn't worked here for years. Anyway, adding this to SRE-Access-Requests and shifting the fundraising project from subscribers to tags.

Hi @jkim_wikimedia

We will need a few things to follow-up with your access request. Could you please:

  • add a short justification (just a few words) of what the access is needed for
  • add your manager to this ticket and have them approve the request
  • create a SSH keypair and paste the public key here
  • read L3 and sign it

Thank you and best regards,

Daniel

pgehres hasn't worked here for years

He left a database, named in his honour. :)

Hi @Dzahn

Thanks for helping with this!

  • Access is needed for me to track stats for fundraising emails
  • @CaitVirtue could you approve?
  • Could you advise on how to create a SSH keypair...
  • L3 signed

Thanks!

  • Could you advise on how to create a SSH keypair...

take a look at man ssh-keygen - you should end up with something like ssh-keygen -t ed25519 -C "jkim@wikimedia.org frack"

I'm relaying an email from Lisa:

Lisa Gruwell
Thu, Oct 11, 6:13 PM (14 hours ago)
to Jerry, Caitlin, me

Yes, approved.

On Thu, Oct 11, 2018 at 11:27 AM Jerry Kim <jkim@wikimedia.org> wrote:
Hey Lisa,

Could I get your approval for access to the Frdev1000 server and mysql? I'll be using this to track stats for MG&E emails so we can keep a better record of email performance.

Thank you!

Jerry Kim

Hi @jkim_wikimedia

there is one more thing, besides the SSH key, that we will need.

Please go to Wikitech wiki and create a user there:

https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount&returnto=Main+Page

And once done let us know which user name you picked for the "UNIX shell username" (or just the email you used to register).

Thanks!

Dzahn triaged this task as Medium priority. Oct 12 2018, 3:58 PM

@Jgreen @cwdent Could you advise how access requests for FRACK are usually handled from here? Do you also match UID from an LDAP user? Is it going to need a puppet change (in which repo?) Would you handle them directly or should they be like any other prod access request and handled by ops on duty?

Hi @Dzahn ! My user name is 'jkim'. Still working on the SSH key...

Hi @jkim_wikimedia - sorry for the confusion, I'll be making this account for you. Do you have a yubikey?

Hey @cwdent , could you help me with the SSH key? I have my yubikey handy. Thx!

@jkim_wikimedia these are the basic instructions for making an ssh key: https://wikitech.wikimedia.org/wiki/Production_shell_access#Generating_your_SSH_key

Once that is done you can paste the public key (ending with .pub) on this task along with the output of the yubikey and we can get you set up!

Hey @cwdent, here's the public key: /Users/jkim/.ssh/id_rsa.pub

What is the output of the yubikey? -_-

@jkim_wikimedia If you plug it into your laptop and touch the button it will spit out some text. The first 12 characters are your key's ID and the rest is a one-time-use password.

@jkim_wikimedia thanks! As far as the public key I need the actual contents of the file which you can see by typing:

cat /Users/jkim/.ssh/id_rsa.pub

It will be a large block of text.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ItHLDwXZYoK8b3LEff1bM6UydLGFXMCprg+LVLkwDR4fQFSEMNMLAsdNoXnGmr6ZNC/CnCOxRcbYpk+AEpx1gx4U0ZQfsvhPzyaLL1P809MxFgF89QPVFvoB2ZlkGjVm1t2JIY57lDFzTvzwiWHHtvtkFU6BCITnBV0NWk8/7LnEC6dD4WBoe26zaOmQf5m0/znMq+B+7T7IE0RLk08vkUn17nXUn5x2r98paT1iuYv7DRyOFHBf9Y4naOKO4AYWp79VI/V98Nugeahw7FnUR3yd/11FAXAY8PR7sf4zytjLeVz/IQpzoLuHzCpDkCFSH5Cxw5jbUBqGIHeE//AC0wmS3M89M4RXFLEQkjz69L0Dd/uZhHDrePBgvUh0FeqM+iD54m2BF0uPYhXupNsmtGAixrZdMaFWmDcL3BA9Oby+tAiehOgftefg5OWArbWhtUKkHRWh+upTSJCMFVgNQTnDDWT+SPk8PNE61Cy9wrp8hi40BNKXd1rli0PEtZl+gX82e8ZNbU3SD0bsPVavMZUHQr/IdMD1r7dw83M9tYEN5dfDw2fjcb6mJzuA6lOzeTlE2ZB2rABHLlNNOmqJ0YOnHvD1JQggCJtNLS2FNRMd6QPp7hjRZT/nn/FhUwI5utwvotQDjdQif+VkNAY/SZqWVFbmG4Q6QTWvmCDZ2w== jkim@wikimedia.org

@jkim_wikimedia thanks, I now have enough info to make the accounts and will find time in the next day or two.

[frack::puppet::private] 35f24cf add jkim user
[frack::puppet] b856bf6 add jkim user

@jkim_wikimedia ok, you are all set up with a shell account on frdev1001 and mysql access.

In order to log in you will need to set up your ssh config: https://wikitech.wikimedia.org/wiki/Fundraising/tech/ssh_config

Then you can type

ssh frdev1001

to log in and

mysql

to access the database.

Hey @cwdent, am I doing something wrong here?

Screen Shot 2018-10-19 at 10.04.17 AM.png (236×458 px, 32 KB)

@jkim_wikimedia it looks like the file isn't there. I am not personally knowledgeable about Apple computers but I have edited the instructions to add the commands that would work in Linux, hopefully they are the same:

https://wikitech.wikimedia.org/wiki/Fundraising/tech/ssh_config

Let me know if that does it!

I'm removing SRE-Access-Requests here, as this request applies to frtech.

If it's easier to walk through via hangouts, let me know. Sorry :(

@jkim_wikimedia No worries, screenshots like this are helpful and we can use them to make better docs for the next time. So you made a new file called "config" inside that new directory called .ssh. That's all good. But then it looks like contents of that file are also the commands that you typed to do this. I'm not sure how that happened, but what you want is copy/paste the part that starts after "The file should look more or less like this" into the text editor and then save it.

Start at "Host frbast.wikimedia.org" and copy the 2 host blocks into your new config file and then save. By the way, you can use any other text editor for this as well, you don't have to use TextEdit.

Thanks @Dzahn ! Does this look good?

Screen Shot 2018-11-02 at 12.42.50 PM.png (397×1 px, 68 KB)

Almost! Just need to adjust the two spots that say "your_username_here" to "jkim" and you should be good to go.

Done!

Now you should be able to "ssh frdev1001" from a terminal on your Mac or whatever. Your SSH client will connect through a bastion server (frbast) to the reporting server (frdev1001).

The first time you connect:

  1. You'll be asked to authorize frbast's host key, enter 'yes' when asked.

The authenticity of host 'frbast (208.80.155.8)' can't be established.
ECDSA key fingerprint is SHA256:KFDL0dZ/YAKzQRw4oqVBPGELoLaNHBc3yyotcJ6rywM.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

  2. Then you'll be prompted for a password, press your Yubikey here.
  3. Next you're asked to authorize frdev1001's host key, again enter 'yes'.

The authenticity of host 'frdev1001 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:TXnPkkzSigtrVId7gisg2vd51vhSUArrkpAlntJlzps.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Finally you get a prompt indicating successful connection: (your username)@frdev1001:~$

After you verify a host's key, your client should never ask again for that host. If it does, something is wrong, the connection can't be trusted, and you need to stop and check in with Fundraising Tech. You will be prompted for the Yubikey password every time you connect, however.

Also, as a reminder it is imperative that you contact Fundraising Tech ASAP if either your laptop or Yubikey is lost, stolen, or otherwise compromised so we can prevent unauthorized access.
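
Added example (not part of the original thread and not Fundraising Tech's own tooling): a Python check that compares the fingerprint shown in a first-connection prompt, like the ones quoted above, with the fingerprint of a host public key obtained out of band. The `PUBLISHED` mapping and the sample key are constructed for illustration; the frdev1001 prompt text is copied from the comment above.

```python
import base64
import hashlib
import re

PROMPT_RE = re.compile(
    r"authenticity of host '([^' ]+)[^']*' can't be\s+established\.\s+"
    r"(\S+) key fingerprint is (SHA256:[A-Za-z0-9+/]+)"
)

def fingerprint_sha256(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    key_b64 = pubkey_line.split()[1]
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    # OpenSSH prints the base64 digest without '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_prompt(text):
    """Return (host, key_type, fingerprint) from a host key prompt."""
    m = PROMPT_RE.search(text)
    if m is None:
        raise ValueError("not a host key prompt")
    return m.group(1), m.group(2), m.group(3)

def safe_to_accept(prompt_text, published):
    """True only if the prompt's fingerprint matches the published key for that host."""
    host, _key_type, shown = parse_prompt(prompt_text)
    line = published.get(host)
    return line is not None and fingerprint_sha256(line) == shown

# Constructed sample key (wire format: type string + 32 key bytes); not a real host key.
_blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed-sample"

# Hypothetical out-of-band list, e.g. host keys handed over by the admins.
PUBLISHED = {"frdev1001": SAMPLE_KEY}

# Prompt text as quoted in the thread above.
PAGE_PROMPT = (
    "The authenticity of host 'frdev1001 (<no hostip for proxy command>)' "
    "can't be established.\n"
    "ECDSA key fingerprint is SHA256:TXnPkkzSigtrVId7gisg2vd51vhSUArrkpAlntJlzps.\n"
)

# Constructed prompt that shows the sample key's own fingerprint.
MATCHING_PROMPT = (
    "The authenticity of host 'frdev1001 (<no hostip for proxy command>)' "
    "can't be established.\n"
    "ED25519 key fingerprint is " + fingerprint_sha256(SAMPLE_KEY) + ".\n"
)

if __name__ == "__main__":
    print(parse_prompt(PAGE_PROMPT))
    print(safe_to_accept(MATCHING_PROMPT, PUBLISHED))  # fingerprints agree
    print(safe_to_accept(PAGE_PROMPT, PUBLISHED))      # differs from the constructed key
```

The mismatch on `PAGE_PROMPT` arises only because the pinned key here is a constructed sample; with the real published host key in `PUBLISHED`, a mismatch is the "stop and check in" case described above.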

@jkim_wikimedia cleaning house, please re-open if you need help.