Page MenuHomePhabricator
Create Task
Maniphest T331554

New production ssh key for sbassett
Closed, ResolvedPublic
Actions

Description

Hello SRE -

Unfortunately, there was (yet again) a small chance that the password for my wmf production ssh key was briefly exposed during a potential, recent browser compromise. Out of an abundance of caution, please disable my current wmf production ssh key and replace it with this newly-generated key:

Shell username: sbassett
Public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+sxoeXf+6EkBRb/NKz2L0nDWtA2Rq0Fo8aEP/n0CNW sbassett@wikimedia.org

I'm happy to verify in any way that this is a legitimate request. And apologies for the inconvenience.

Details

SubjectRepoBranchLines +/-
admin: update sbassett ssh keyoperations/puppetproduction+2 -1
admin: remove ssh key for sbassettoperations/puppetproduction+1 -2
Customize query in gerrit

Event Timeline

sbassett created this task.Mar 8 2023, 7:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2023, 7:00 PM
gerritbot added a comment.Mar 8 2023, 9:59 PM

Change 895869 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] admin: remove ssh key for sbassett

https://gerrit.wikimedia.org/r/895869

gerritbot added a project: Patch-For-Review.Mar 8 2023, 9:59 PM
gerritbot added a comment.Mar 8 2023, 10:09 PM

Change 895869 merged by Dzahn:

[operations/puppet@production] admin: remove ssh key for sbassett

https://gerrit.wikimedia.org/r/895869

Maintenance_bot removed a project: Patch-For-Review.Mar 8 2023, 10:10 PM
Dzahn subscribed.Mar 8 2023, 10:12 PM

Normally these are handled by the SRE on clinic duty but since it's late in Europe and to be on the safe side I just revoked the existing key and ran puppet on bast* hosts for right now.

Verification and adding the new key can happen independently.

Dzahn changed the task status from Open to In Progress.Mar 8 2023, 10:19 PM
Dzahn moved this task from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.
sbassett added a comment.Mar 8 2023, 11:20 PM
In T331554#8678099, @Dzahn wrote:

Normally these are handled by the SRE on clinic duty but since it's late in Europe and to be on the safe side I just revoked the existing key and ran puppet on bast* hosts for right now.

Ok, thanks. Yeah, probably best to just disable my access for now. It's not critical that I have it for likely a few days.

Dzahn added a comment.Mar 8 2023, 11:35 PM

Ok great, thanks for confirming that. Then I will just leave this open until tomorrow. Cheers

gerritbot added a comment.Mar 9 2023, 9:34 AM

Change 896024 had a related patch set uploaded (by MVernon; author: MVernon):

[operations/puppet@production] admin: update sbassett ssh key

https://gerrit.wikimedia.org/r/896024

gerritbot added a project: Patch-For-Review.Mar 9 2023, 9:34 AM
MatthewVernon subscribed.Mar 9 2023, 9:36 AM

@sbassett I've opened a CR to update your ssh key - if you can confirm it's correct and +1 the CR, I'll merge it.

MatthewVernon moved this task from Manager/NDA Approval/Confirmation to Patch in Review on the SRE-Access-Requests board.Mar 9 2023, 9:36 AM
sbassett added a comment.Mar 9 2023, 6:14 PM
In T331554#8678974, @MatthewVernon wrote:

@sbassett I've opened a CR to update your ssh key - if you can confirm it's correct and +1 the CR, I'll merge it.

Thanks! Just confirmed on the change set.

gerritbot added a comment.Mar 10 2023, 9:56 AM

Change 896024 merged by MVernon:

[operations/puppet@production] admin: update sbassett ssh key

https://gerrit.wikimedia.org/r/896024

MatthewVernon closed this task as Resolved.Mar 10 2023, 9:57 AM
MatthewVernon claimed this task.

@sbassett done.

Maintenance_bot removed a project: Patch-For-Review.Mar 10 2023, 10:10 AM
sbassett awarded a token.Mar 10 2023, 3:25 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL