
Please replace Shannon Bailey's SSH key
Closed, Resolved, Public

Description

Hi,

I humbly request that:

My current production SSH key(s) are removed; and
The following SSH key is added

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7N+9wSCC9MdjE0ZNA4qp09RLcDarwNYQgcZakDS44t sbailey@wikimedia.org

Event Timeline

herron triaged this task as Medium priority. Sep 30 2020, 5:21 PM

Change 631259 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: change sbailey ssh key

https://gerrit.wikimedia.org/r/631259

Hi @Sbailey as a security precaution, could you please use your existing shell access to upload the desired new ssh key onto one of the bastions (let's say bast1002) as a file in your home directory called sbailey_new_ssh_key? Once done and confirmed we'll be ready to move forward with the above patch. Thanks in advance!

Ya, tried to do this, but do not have access. I might need to refresh my id_rsa.pub key as well. Not sure how this whole house of cards hangs together:

wmf1287:.ssh shannonbailey$ scp wikimedia_prod.pub sbailey@bast1002.eqiad.wmnet:sbailey_new_ssh_key
Password:
Password:
Password:
sbailey@bast2002.wikimedia.org: Permission denied (publickey,keyboard-interactive).
ssh_exchange_identification: Connection closed by remote host
lost connection

Is there another host in production where you have working access? Placing a file there would work too, just let me know where to check. Otherwise we can figure out another method. Thanks!

@Sbailey Note the right way to connect to bast1002 is ssh bast1002.wikimedia.org. That seems to be the reason why it failed for you. Everyone with any kind of prod SSH access has access to bast1002 AFAIK :).

I cannot access bast1002 using ssh bast1002.wikimedia.org
Keeps asking for Password: which I do not have.

I recommend checking your ssh config - it is probably missing the IdentityFile directive you have for *.wmnet. Or, ssh -i /path/to/your/current/private/key bast1002.wikimedia.org should do the job.

Ok, there must be some other way to verify security. My previous SSH key is gone, I need a new one installed so I can log in to scandium somehow.

Hi @Sbailey I've reached out to you via google chat and by email to verify. Thanks!

Change 632254 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] admin: update user sbailey ssh key

https://gerrit.wikimedia.org/r/632254

New key has been confirmed via google chat and email

Change 632254 merged by Herron:
[operations/puppet@production] admin: update user sbailey ssh key

https://gerrit.wikimedia.org/r/632254

herron claimed this task.

Hi @Sbailey, the updated SSH key has been deployed to servers by now. Please re-open if any follow-up is needed. Thanks!

Thank you. I tested it and can now access scandium as needed.

Change 631259 abandoned by Herron:
[operations/puppet@production] admin: change sbailey ssh key

Reason:
handled in different patch

https://gerrit.wikimedia.org/r/631259