
SSH and Yubikey setup for CDenes
Closed, ResolvedPublic

Description

Hey @Jgreen and @Dwisehaupt, could you please assist @CDenes_WMF in getting ssh access and setting up her yubikey?

I've forwarded approval from LGruwell separately, over email. And CDenes is in the fundraising contact list.

Thank you!


Setup steps
  • user account
    • account_setup:
      • Add the user to the users.yaml and group_members.yaml files as appropriate.
      • Push out puppet changes.
  • yubikey Requires: useraccount and OIT request to send out yubikey to user
    • physical: Make a request to OIT to have a key sent to the user
    • account_setup: Get public side and add to puppet-private/manifests/passwords/yubico.pp
    • follow_on: Make sure user can use yubikey for ssh access
  • ssh Requires: useraccount and yubikey
    • key_setup: Send template/docs for generating keypair and ~/.ssh/config file
    • account_setup: Get public side and add to puppet-private/secrets/ssh/default/$username
    • follow_on: Verify user can ssh to frdev1001 using correct creds and passphrases when needed.
  • mysql Requires: useraccount, yubikey, ssh
    • account_setup
      • Generate user a random mysql password and hash
      • Create user block in grants
      • Ensure user is in correct blocks for select rights on dbs.
        • Generally use another user in same group as a guide
      • Run the grant script to get the grants.
      • Copy/paste to execute the grants
    • follow_on: Verify user can ssh to frdev1001 and log in to mysql.
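
The mysql step above (random password, hash, user block, SELECT grants) as an added worked example. This is not the fundraising "grant script" and the ticket does not show that script or the format of the grants file; the example assumes the grants store a mysql_native_password hash ('*' followed by the uppercase hex of SHA1(SHA1(password))), uses MySQL 5.7+ `CREATE USER ... IDENTIFIED WITH` syntax, and the host pattern and database names are made up for illustration.

```python
"""Random MySQL password, its hash, and the SELECT grants for a new user.

Added example for the mysql setup step; not the fundraising grant script.
Assumptions (not from the ticket): grants carry a mysql_native_password
hash, statements use MySQL 5.7+ CREATE USER ... IDENTIFIED WITH syntax,
and the host pattern / database names below are illustrative.
"""
import hashlib
import re
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits
# User and database names are interpolated into SQL, so restrict them to a
# safe subset: nothing copied out of a ticket can splice extra statements in.
_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
_HOST_RE = re.compile(r"^[A-Za-z0-9_.%:-]{1,60}$")


def random_password(length: int = 24) -> str:
    """Password from the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def mysql_native_hash(password: str) -> str:
    """mysql_native_password hash: '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def grant_statements(user: str, host: str, password_hash: str, databases: list[str]) -> list[str]:
    """CREATE USER plus one GRANT SELECT per database for a read-only user."""
    if not _NAME_RE.match(user):
        raise ValueError(f"unsafe user name: {user!r}")
    if not _HOST_RE.match(host):
        raise ValueError(f"unsafe host pattern: {host!r}")
    if not re.fullmatch(r"\*[0-9A-F]{40}", password_hash):
        raise ValueError("password hash is not a mysql_native_password hash")
    bad = [db for db in databases if not _NAME_RE.match(db)]
    if bad:
        raise ValueError(f"unsafe database names: {bad}")
    account = f"'{user}'@'{host}'"
    stmts = [
        f"CREATE USER {account} IDENTIFIED WITH mysql_native_password AS '{password_hash}';"
    ]
    stmts += [f"GRANT SELECT ON `{db}`.* TO {account};" for db in databases]
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


def new_user_grants(user: str, host: str, databases: list[str]) -> tuple[str, list[str]]:
    """Return (cleartext password to hand to the user out of band, statements)."""
    password = random_password()
    return password, grant_statements(user, host, mysql_native_hash(password), databases)


if __name__ == "__main__":
    # Constructed inputs: the host pattern and database names are illustrative,
    # chosen the way the step says, by copying a peer user in the same group.
    pw, sql = new_user_grants("cdenes", "10.%", ["fundraising_reports", "civicrm"])
    print("password (send out of band):", pw)
    print("\n".join(sql))
```

Only the hash ever reaches the grants file; the cleartext password goes to the user over a separate channel, and the statements are what gets copy/pasted to execute.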

Event Timeline

Dwisehaupt moved this task from Triage to FR-Ops on the Fundraising-Backlog board.

Approval noted in email. Starting the process.

Hi @CDenes_WMF,

The two things we need to do at this point are:

  • have you generate an ssh keypair
  • get you a yubikey

Instructions for generating the ssh keypair are here: https://collab.wikimedia.org/wiki/Fundraising_ssh_access

Yubikeys are distributed through OIT. Could you let me know if you already have one, or if there was a request put in for you to get one?

Dallas

Dwisehaupt renamed this task from Yubikey setup for CDenes to SSH and Yubikey setup for CDenes. Feb 28 2020, 7:26 PM

Hi there Dallas!

Happy Monday
I do indeed have a Yubikey; and I will follow the directions for the ssh
keypair. Please let me know how best to proceed.

Thanks!
Camille

Great, since you have a yubikey already, we can just move along. What I need to do now is collect the public keys for your yubikey and for your ssh key.

For the yubikey, there are 2 options:

  1. Visit https://directory.corp.wikimedia.org/yubikey.php logging in with your 'OIT' ldap credentials like you would for email, and clicking on the yubikey in the text box. It will then trim the code for you and provide the public side.
  2. In a text editor, just repeatedly press the button on the yubikey. You will notice there are 12 characters at the beginning of the output that don't change. That is the public side of the key.

For the ssh public key, when you created your keypair, it will have asked you for a file to store it in. That will have created two files, one containing the private side of the key and one containing the public side. What we need is the contents of the public portion of the key which should be in a file ending in .pub like: /Users/you/.ssh/fr_id_rsa.pub

You can just paste in the contents of the 12 characters of the yubikey and the ssh public key straight into this ticket. Don't hesitate to ask if any of this isn't clear.
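
Option 2 above as an added worked example (not part of the ticket or of the directory.corp.wikimedia.org page): take several button presses pasted into a text editor, confirm they share the same 12-character prefix, and return that prefix as the public ID. A Yubico OTP is 44 modhex characters: the 12-character public ID, which never changes, followed by a 32-character encrypted part that changes on every press. The OTPs in the sample are constructed (valid alphabet and lengths, made-up values); the public ID in them is not the one on this ticket.

```python
"""Pull the public ID out of Yubico OTPs pasted into a ticket.

Added example for option 2 of the yubikey instructions; not part of the
ticket or of any Wikimedia tooling. The sample OTPs are constructed.
"""
from typing import Iterable

# Yubico's modhex alphabet: the 16 keys that sit in the same place on
# every common keyboard layout, so the OTP types out the same everywhere.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44          # 12-char public ID + 32-char encrypted part
PUBLIC_ID_LENGTH = 12


def is_modhex(text: str) -> bool:
    """True when text is non-empty and every character is modhex."""
    return bool(text) and all(ch in MODHEX_ALPHABET for ch in text)


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes (two modhex characters per byte)."""
    if not is_modhex(text) or len(text) % 2:
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def public_id(otp: str) -> str:
    """The 12-character public ID of one OTP; rejects anything else pasted."""
    otp = otp.strip()
    if len(otp) != OTP_LENGTH or not is_modhex(otp):
        raise ValueError(f"expected a {OTP_LENGTH}-character modhex OTP, got {otp!r}")
    return otp[:PUBLIC_ID_LENGTH]


def public_id_from_presses(otps: Iterable[str]) -> str:
    """Check several presses agree on one public ID and are not duplicates."""
    presses = [o.strip() for o in otps if o.strip()]
    if len(presses) < 2:
        raise ValueError("paste at least two button presses")
    ids = {public_id(o) for o in presses}
    if len(ids) != 1:
        raise ValueError(f"presses come from different keys: {sorted(ids)}")
    tails = [o[PUBLIC_ID_LENGTH:] for o in presses]
    if len(set(tails)) != len(tails):
        # The encrypted part carries a counter, so two identical OTPs mean
        # the same press was pasted twice, not two presses.
        raise ValueError("duplicate OTP: the same press was pasted twice")
    return ids.pop()


# Constructed sample: three presses of one made-up key, as a user would paste
# them from a text editor. The prefix is not the ID from this ticket.
SAMPLE_PRESSES = """
ccccccdbgrhfghkvjfdtlenrcbhuvitkgljnrcvbdegf
ccccccdbgrhfvlnrtuhjkcibdegfcvrtbhujlnegkfdi
ccccccdbgrhfdegfkhlnvbrtjiucvcbegfhklnrtuvdc
"""

if __name__ == "__main__":
    pid = public_id_from_presses(SAMPLE_PRESSES.split())
    print("public ID:", pid, "-> bytes", modhex_decode(pid).hex())
```

Asking for two or more presses is what turns "the 12 characters that don't change" into an actual check: one press can only be trusted to have the right length and alphabet.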

Hi Dallas!

Yubikey Public ID: cccccckudvcb

ssh-rsa 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 cdenes@wikimedia.org

ssh-keygen -t rsa -b 4096 -C "cdenes@wikimedia.org"

Thanks :)

Camille
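
Before a pasted key is committed to puppet-private, the things worth checking are that the line is the .pub contents and not a private key, that the base64 blob really is an RFC 4253 "ssh-rsa" public key with nothing trailing, that the modulus has the 4096 bits the ssh-keygen command above asks for, and what its SHA256 fingerprint is so the user can confirm it against `ssh-keygen -lf` out of band. Added example, not part of the ticket or the fundraising docs; the sample key in it is built from a made-up modulus and is not a usable key pair.

```python
"""Check a pasted OpenSSH public key before it goes into puppet-private.

Added example; not part of the ticket. The sample key is constructed from an
arbitrary 4096-bit number and demonstrates the wire format only.
"""
import base64
import hashlib
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:      # leading zero keeps the mpint positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys style line from (e, n); used for the sample."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_ssh_rsa(line: str) -> dict:
    """Return {'bits', 'e', 'fingerprint', 'comment'} for one ssh-rsa line."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is a private key or PEM file, not the .pub contents")
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected a line of the form 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)   # binascii.Error is a ValueError
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("blob does not contain an ssh-rsa key")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the key blob")
    # ssh-keygen -lf prints SHA256 of the raw blob, base64 without padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {
        "bits": int.from_bytes(n_raw, "big").bit_length(),
        "e": int.from_bytes(e_raw, "big"),
        "fingerprint": fingerprint,
        "comment": parts[2] if len(parts) == 3 else "",
    }


def check_public_key(line: str, min_bits: int = 4096) -> Tuple[bool, str]:
    """(ok, reason) for a pasted key; on success the reason carries the fingerprint."""
    try:
        key = parse_ssh_rsa(line)
    except (ValueError, struct.error) as exc:
        return False, str(exc)
    if key["bits"] < min_bits:
        return False, f"modulus is {key['bits']} bits, need at least {min_bits}"
    if key["e"] < 3 or key["e"] % 2 == 0:
        return False, f"public exponent {key['e']} is not a valid RSA exponent"
    return True, f"{key['bits']}-bit ssh-rsa, {key['fingerprint']} {key['comment']}".rstrip()


# Constructed sample: an arbitrary 4096-bit odd number standing in for a real
# modulus. It exercises the format and cannot be used to log in anywhere.
SAMPLE_MODULUS = (1 << 4095) | 0x10001
SAMPLE_LINE = encode_ssh_rsa(65537, SAMPLE_MODULUS, "cdenes@wikimedia.org")

if __name__ == "__main__":
    print(check_public_key(SAMPLE_LINE))
    print(check_public_key(encode_ssh_rsa(65537, (1 << 2047) | 1)))
    print(check_public_key("-----BEGIN OPENSSH PRIVATE KEY-----"))
```

The private-key check matters more than it looks: the paste instructions above say which file to open, and the most common mistake is pasting the file without the .pub suffix, which would put private key material into a ticket.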

Initial commits pushed:

[frack::puppet::private] bee2fc1 Adding cdenes as a user (Dallas Wisehaupt:Dallas Wisehaupt)

Adding her yubikey and public ssh key.

Bug: T246390
[frack::puppet] d58175a1 Adding cdenes as a user (Dallas Wisehaupt:Dallas Wisehaupt)

@spatton @CDenes_WMF I'm looking for a little clarity on what will be needed with this access, i.e. will database access be needed or just basic shell access?

From email:

Hey Dallas, yes - SSH + mysql access would be great.

Scripts and mysql access will be needed so adding that in.

configs have been pushed and mysql access granted:

[frack::puppet] d4b143f2 Adding cdenes to the fundraising group
[frack::puppet::private] 1fce902 Add cdenes user and grants
Dwisehaupt changed the task status from Open to Stalled. Apr 7 2020, 7:03 PM
Dwisehaupt moved this task from In Progress to Stalled on the fundraising-tech-ops board.

I worked with this a bit with Camille today via chat. There's something I didn't get to completely figure out going on re. her user/homedir.

ls ~/.ssh/
-rw-r--r-- 1 aalikhan staff 201 Sep 14 16:39 known_hosts

pwd
/Users/cdenes

So there appears to be a history of two different local users on her laptop? At any rate there are no keys or config for the user she's working with now. She's going to redo the SSH steps here https://collab.wikimedia.org/wiki/Fundraising_ssh_access and ping us when she has time to work on it again.

Dwisehaupt changed the task status from Stalled to Open. Oct 7 2020, 11:07 PM
Dwisehaupt moved this task from Blocked to In Progress on the fundraising-tech-ops board.

SSH contents:
ssh-rsa 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 cdenes@wikimedia.org

Repo updated with new keys and pushed via puppet. All clear for testing.

Dwisehaupt updated the task description. (Show Details)
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

Got verification today that an ssh connection was successful and a report was pulled via mysql. Closing.