Page MenuHomePhabricator
Create Task
Maniphest T299336

NRodriguez uses the same SSH key(s) in WMCS and production
Closed, ResolvedPublic
Actions

Description

Our cross-validation script discovered that user @NRodriguez is using the same key in cloud and production.

This is a violation of the L3 server access agreement. As such, this task is tracking the revocation of production access UNTIL a stand alone key can be provided by user @NRodriguez for use on the production cluster.

Natalia: You will need to generate a new keypair dedicated ONLY to use on WMF production cluster and no where else. Once that is done, you can comment on this task with it and either myself (or whoever is on clinic duty if next week) will process and add this back.

Details

SubjectRepoBranchLines +/-
NRodriguez: add new production ssh keyoperations/puppetproduction+2 -1
admin: revoke natalia-rodriguez keyoperations/puppetproduction+1 -2
Customize query in gerrit

Event Timeline

Jelto created this task.Jan 17 2022, 11:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 17 2022, 11:15 AM
gerritbot added a comment.Jan 17 2022, 11:16 AM

Change 754472 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/puppet@production] admin: revoke natalia-rodriguez key

https://gerrit.wikimedia.org/r/754472

gerritbot added a project: Patch-For-Review.Jan 17 2022, 11:16 AM
gerritbot added a comment.Jan 17 2022, 11:48 AM

Change 754472 merged by Jelto:

[operations/puppet@production] admin: revoke natalia-rodriguez key

https://gerrit.wikimedia.org/r/754472

Jelto added a comment.Jan 17 2022, 11:50 AM

@NRodriguez I've merged the revocation of the SSH key used on the production cluster. This was due to it also being used in WMCS, and thus compromised as a WMF production key. We require a dedicated wmf production ssh key, not used anywhere else, for your access.

Your access is currently suspended until this is resolved. Please generate a new ssh keypair, and update this task with the public key via comment and then assign back in this task.

Maintenance_bot removed a project: Patch-For-Review.Jan 17 2022, 12:10 PM
Jelto assigned this task to NRodriguez.Jan 18 2022, 12:12 PM
Jelto triaged this task as Medium priority.
Volans moved this task from Untriaged to Awaiting User Input on the SRE-Access-Requests board.Jan 24 2022, 9:44 AM
NRodriguez added a comment.Jan 25 2022, 10:56 PM

Big apologies for the hiccup, I've generated a new key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINSGlZdKKkUD0ra0jpnABXYQXRLowZe/q3fm49cDVGkM nrodriguez@wikimedia.org

NRodriguez reassigned this task from NRodriguez to Jelto.Jan 25 2022, 10:57 PM
jhathaway claimed this task.Jan 26 2022, 3:36 PM
gerritbot added a comment.Jan 26 2022, 5:31 PM

Change 757488 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/puppet@production] NRodriguez: add new production ssh key

https://gerrit.wikimedia.org/r/757488

gerritbot added a project: Patch-For-Review.Jan 26 2022, 5:31 PM
jhathaway added a comment.Jan 27 2022, 2:53 PM

@NRodriguez would you kindly send your ssh public key via google chat, or via phabricator with the Add Action Sign with MFA option when you post? Thanks!

jhathaway added a comment.Jan 27 2022, 3:47 PM

@NRodriguez confirmed their public key via gchat

gerritbot added a comment.Jan 27 2022, 3:48 PM

Change 757488 merged by JHathaway:

[operations/puppet@production] NRodriguez: add new production ssh key

https://gerrit.wikimedia.org/r/757488

jhathaway added a comment.Jan 27 2022, 3:49 PM

@NRodriguez this change has been committed, should be ready to test in 30 or so minutes.

Maintenance_bot removed a project: Patch-For-Review.Jan 27 2022, 4:11 PM
Ladsgroup subscribed.Jan 31 2022, 9:11 AM

Hi @NRodriguez, Can you access production now? So we can close this ticket. Thanks!

Ladsgroup closed this task as Resolved.Feb 2 2022, 7:31 AM

I boldly close this to remove it from our board. Reopen if you have issues accessing.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL