
dcaro has same ssh key in wmcs and prod, prod ssh key revoked
Closed, Resolved, Public

Description

@dcaro,

Please review the L3 document you signed for WMF production cluster access; you cannot use the WMF production key anywhere else, not even WMCS.

As such, your production SSH key has been immediately revoked.

Please comment on this task with a new public key for use in WMF production.

Do not use this key anywhere else but WMF production. As your production key is granting you access to the 'ops' group and global root, it is vitally important to NOT use your WMF production key anywhere else, ever.

Event Timeline

RobH triaged this task as High priority. Nov 5 2020, 4:54 AM
RobH created this task.
Restricted Application added a subscriber: Aklapper.

@dcaro was just granted global root as a member of the ops group via T267040, and then this cross-validate script ran this evening and caught this duplicate key issue.

@dcaro: Please update this task via comment with your new, dedicated to WMF production only, ssh public key. If you do this before the end of day Friday (2020-11-06), assign this back to me. If you update after that date, you need to assign to whoever is listed on: https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#Schedule
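The kind of check described above, comparing the keys registered for production with the keys registered for the cloud environment, can be sketched as follows. This is an added example, not the cross-validate script mentioned in the comment and not WMF code; the function names and the sample users and keys are constructed for illustration. It compares decoded key blobs, so a reused key is caught even when its comment or options differ.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_line(raw32: bytes, comment: str) -> str:
    """Constructed ed25519 authorized_keys line (sample data, not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def parse_key(line: str):
    """Return the decoded key blob, or None. Options and comment are ignored."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            # A real blob begins with its own length-prefixed type name.
            return blob if blob.startswith(ssh_string(field.encode())) else None
    return None

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared(prod: dict, cloud: dict) -> list:
    """List (fingerprint, prod_user, cloud_user) for keys present in both."""
    cloud_index = {}
    for user, lines in cloud.items():
        for blob in filter(None, map(parse_key, lines)):
            cloud_index.setdefault(blob, []).append(user)
    return [(fingerprint(blob), p_user, c_user)
            for p_user, lines in prod.items()
            for blob in filter(None, map(parse_key, lines))
            for c_user in cloud_index.get(blob, [])]

# Constructed sample data: alice reuses one key with a different comment.
PROD = {"alice": [make_line(bytes(range(32)), "alice@laptop")],
        "bob": [make_line(b"\x01" * 32, "bob@prod")]}
CLOUD = {"alice": [make_line(bytes(range(32)), "alice@cloud-vps")],
         "bob": [make_line(b"\x02" * 32, "bob@cloud")]}
```

Calling `find_shared(PROD, CLOUD)` reports only alice's key; the fingerprint it returns can be compared with the output of `ssh-keygen -lf` on a local public key file.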

Change 639410 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] revoke dcaro prod ssh key

https://gerrit.wikimedia.org/r/639410

Change 639410 merged by RobH:
[operations/puppet@production] revoke dcaro prod ssh key

https://gerrit.wikimedia.org/r/639410

RobH renamed this task from dcaro has same ssh key in wmcs and prod, prod access revoked to dcaro has same ssh key in wmcs and prod, prod ssh key revoked. Nov 5 2020, 5:01 AM
RobH moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.
RobH removed a project: Patch-For-Review.
RobH updated the task description.

Here is a new one:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID46/gY7mfN96ylAdQb6ZBfrq9L3QwemMtN5ZjrJgEmK dcaro@magnum

Would it be possible to know where/when I used it? (I'd like to avoid using it the wrong way again)

Thanks!

There are two different keys: This one will be added to all the servers in production (anything ending in .wmnet or .wikimedia.org), the other key is the one you add in your Preferences at wikitech.wikimedia.org under "OpenStack -> Public SSH keys:". As long as those are distinct keys, everything is fine.

In case you're using Debian, Ubuntu or some other kind of deb-based distro, you can also install https://wikitech.wikimedia.org/wiki/Wmf-sre-laptop, which should help a lot in getting your setup sorted out.

Change 639532 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] admin: update dcaro ssh key

https://gerrit.wikimedia.org/r/639532

Change 639532 merged by Jbond:
[operations/puppet@production] admin: update dcaro ssh key

https://gerrit.wikimedia.org/r/639532
