
Replacing SSH key for Itamar Givon
Closed, Declined (Public, Request)

Description

As I have obtained a YubiKey 5, I decided to use it for my SSH access as an extra layer of security. Since YubiKey 5 and up support ed25519-sk keys, I'd like to replace my current ed25519 key with the new one:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIImpM6x/HDnRKSFmu8i0RmVlJ32Wem77JOOBJltpJzI7AAAABHNzaDo= itgi@C285

Additional information (in case it's required):

  • Wikitech username: Itamar Givon
  • Email address: itamar.givon@wikimedia.de

Event Timeline

Please note that not all of our servers have -sk support yet, it's only on systems running Bullseye or newer.
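An added example (not code from this task or from the related Puppet changes) that parses the sk-ssh-ed25519 entry from the description above in OpenSSH wire format, checks that the type prefix matches the encoded blob, extracts the FIDO application string, and flags that such keys need OpenSSH 8.2 or newer; the per-release sshd version numbers and the constructed test key are assumptions, not taken from this task.

```python
import base64
import struct

# OpenSSH 8.2 introduced the FIDO/U2F "-sk" key types; an older sshd rejects them at
# authentication time, which is why only bullseye-or-newer hosts can accept this key.
MIN_SK_VERSION = (8, 2)
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def read_string(blob, pos):
    """Read one uint32-length-prefixed string from SSH wire format."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_pubkey_line(line):
    """Parse an authorized_keys / id_*.pub line; raise ValueError on a corrupt entry."""
    fields = line.split(None, 2)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key-type prefix does not match the encoded blob")
    if "ecdsa" in key_type:
        _curve, pos = read_string(blob, pos)   # e.g. b"nistp256" precedes the point
    key, pos = read_string(blob, pos)
    info = {"type": key_type, "key_len": len(key), "comment": comment,
            "is_sk": key_type in SK_TYPES, "application": None}
    if info["is_sk"]:
        # sk keys additionally carry the FIDO application (relying-party id), usually "ssh:".
        app, pos = read_string(blob, pos)
        info["application"] = app.decode()
    return info


def build_pubkey_line(key_type, key, application=None, comment=""):
    """Inverse of parse_pubkey_line; used to construct sample entries for testing."""
    parts = [key_type.encode(), key] + ([application.encode()] if application else [])
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


def usable_on(line, sshd_version):
    """True if an sshd of this (major, minor) version can authenticate the key at all."""
    info = parse_pubkey_line(line)
    return not info["is_sk"] or tuple(sshd_version) >= MIN_SK_VERSION


# The key from the task description above, verbatim.
SK_LINE = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIImpM6x/HDnRKSFmu8i0RmVlJ32Wem77JOOBJltpJzI7AAAABHNzaDo= itgi@C285"
```

Running `usable_on(SK_LINE, (7, 9))` (assumed buster sshd version) returns False while `(8, 4)` (assumed bullseye) returns True, which is the situation described in this ticket.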

Aha! Yeah I was wondering about that earlier. Will this suffice for running scripts on the maint machines and occasionally performing tasks on stat machines?

Change 921356 had a related patch set uploaded (by Itamar Givon; author: Itamar Givon):

[operations/puppet@production] Add new key generated with a security key

https://gerrit.wikimedia.org/r/921356

Change 921359 had a related patch set uploaded (by Itamar Givon; author: Itamar Givon):

[operations/puppet@production] [DNM] Remove old ssh key

https://gerrit.wikimedia.org/r/921359

Seeing now that the maint and stat machines are still on buster. Don't mind stalling it until an upgrade to bullseye.

Dzahn changed the task status from Open to Stalled. May 19 2023, 5:07 PM
Dzahn subscribed.


You can track the upgrade of stat machines to bullseye at T329360. mwmaint probably first needs its own ticket, to be added to the global task T291916.

For posterity: Stalled on the bullseye upgrade.

Since we are not sure how much longer it will take for T329360 and because this ticket would now sit in "stalled" and be checked by a different person on clinic duty each week, how about this:

a) we add the new key in parallel to the old key right now, knowing it won't work yet, but we can still call the ticket resolved.. since why not.. it will then work in the future whenever.. and then you can ask for the old key to be removed after confirming

b) we close this as declined but when the time comes you simply click on "reopen". since.. that's easy.. right.. and nothing has to be recreated.. but it keeps people from checking on the status repeatedly.

Sounds like a good idea to me, thank you for the suggestion @Dzahn

Alright! Thanks. Well, then let's pick option b). I'll close this as Declined, but it really means "just for now"; once you see this is ready, please just click "reopen" and it should continue as normal. Cheers