
Grant Access to wmf,ops for arnaudb
Closed, Resolved · Public

Description

  • The username of your existing account on wikitech.wikimedia.org:

arnaudb

  • Do you currently have shell access (Yes/No)?

No

  • Purpose (Specify which service you need to get access to, e.g. Icinga, Grafana, Superset etc):

Everything SREs require, I'm in the data-persistence team

  • The specific LDAP group that you want to be added to (optional):

wmf, ops

Event Timeline

jcrespo triaged this task as High priority.

Owning it, as we will do it slowly for learning purposes (Clinic duty person is aware).

Change 953593 had a related patch set uploaded (by Jcrespo; author: Jcrespo):

[operations/puppet@production] Add abran to the list of privileged LDAP users

https://gerrit.wikimedia.org/r/953593

Ldap groups added:

root@mwmaint1002:~$ ldapsearch -x cn=wmf | grep arnaudb
member: uid=arnaudb,ou=people,dc=wikimedia,dc=org
✔
root@mwmaint1002:~$ ldapsearch -x cn=ops | grep arnaudb
member: uid=arnaudb,ou=people,dc=wikimedia,dc=org
✔

Change 953593 merged by Jcrespo:

[operations/puppet@production] admin: Add abran to the list of privileged LDAP users

https://gerrit.wikimedia.org/r/953593

~ $ ssh -v bast1003.eqiad.wmnet
OpenSSH_9.0p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/doo/.ssh/config
debug1: /home/doo/.ssh/config line 28: Applying options for *.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/doo/.ssh/config
debug1: /home/doo/.ssh/config line 28: Applying options for *.wmnet
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' bast
debug1: Executing proxy command: exec ssh -v -W '[bast1003.eqiad.wmnet]:22' bast
debug1: identity file /home/doo/.ssh/id_ed25519 type 3
debug1: identity file /home/doo/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
OpenSSH_9.0p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/doo/.ssh/config
debug1: /home/doo/.ssh/config line 20: Applying options for bast
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/doo/.ssh/config
debug1: /home/doo/.ssh/config line 28: Skipping Host block because of negated match for bast*.wikimedia.org
debug1: /home/doo/.ssh/config line 33: Applying options for bast*.wikimedia.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to bast6002.wikimedia.org [185.15.58.42] port 22.

ssh_config:

ForwardAgent no
CanonicalizeHostname yes

Host *.local *.dooby.fr *.arnaudb.net
     User root

# Turn CanonicalizeHostname on for Match to work below.
CanonicalizeHostname yes

# Defaults for all Wikimedia Foundation hosts.
Match host=*.wikimedia.org,*.wmnet
    ForwardAgent no
    IdentitiesOnly yes
    KbdInteractiveAuthentication no
    PasswordAuthentication no
    User arnaudb

# Configure the initial connection to the bastion host, with the one
# HostName closest to you.
Host bast
    HostName bast6002.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519
    # In theory this User line shouldn't be necessary due to the Match above,
    # but in practice it seems to be.  In any case, it doesn't hurt.
    User arnaudb

# Proxy all connections to internal servers through the bastion host.
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org !gitlab.wikimedia.org
    ProxyJump bast
    IdentityFile ~/.ssh/id_ed25519

# Configure direct connection to the bastion hosts.
Host bast*.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519

Host gerrit.wikimedia.org
    Port 29418
    IdentityFile ~/.ssh/id_ed25519

without ssh_config:

$ ssh -o identitiesonly=yes -o forwardagent=no -o kbdinteractiveauthentication=no -opasswordauthentication=no -l arnaudb -i ~/.ssh/id_ed25519 -v bast4004.wikimedia.org 

gives me:

$ ssh -o identitiesonly=yes -o forwardagent=no -o kbdinteractiveauthentication=no -opasswordauthentication=no -l arnaudb -i ~/.ssh/id_ed25519 -v bast4004.wikimedia.org 
OpenSSH_9.0p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/doo/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/doo/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Connecting to bast4004.wikimedia.org [198.35.26.11] port 22.

Ultra verbose:

~ $ ssh -o identitiesonly=yes -o forwardagent=no -o kbdinteractiveauthentication=no -opasswordauthentication=no -l arnaudb -i ~/.ssh/id_ed25519 -vvvvvvvvv bast4004.wikimedia.org 
OpenSSH_9.0p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /home/doo/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host bast4004.wikimedia.org originally bast4004.wikimedia.org
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug2: resolve_addr: could not resolve name bast4004.wikimedia.org as address: Name or service not known
debug3: resolve_canonicalize: not canonicalizing hostname "bast4004.wikimedia.org" (max dots 1)
debug1: re-parsing configuration
debug1: Reading configuration data /home/doo/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host bast4004.wikimedia.org originally bast4004.wikimedia.org
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/doo/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/doo/.ssh/known_hosts2'
debug2: resolving "bast4004.wikimedia.org" port 22
debug3: resolve_host: lookup bast4004.wikimedia.org:22
debug3: ssh_connect_direct: entering
debug1: Connecting to bast4004.wikimedia.org [198.35.26.11] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
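Added example, not part of the task or of the Wikimedia configuration: a small resolver for the `Host` blocks of the ssh_config quoted above. It applies the OpenSSH rule that a `Host` line matches when the hostname matches at least one positive pattern and none of the `!`-negated ones, and that the first value obtained for an option wins, which is why `bast6002.wikimedia.org` skips the ProxyJump block (the "negated match for bast*.wikimedia.org" line in the debug output) while `bast1003.eqiad.wmnet` picks it up. `Match` blocks and CanonicalizeHostname are assumed out of scope and not modelled.

```python
import fnmatch

# Constructed copy of the Host blocks from the ssh_config quoted in the task.
SSH_CONFIG = """
Host bast
    HostName bast6002.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519
    User arnaudb

# Proxy all connections to internal servers through the bastion host.
Host *.wmnet *.wikimedia.org !gerrit.wikimedia.org !bast*.wikimedia.org !gitlab.wikimedia.org
    ProxyJump bast
    IdentityFile ~/.ssh/id_ed25519

Host bast*.wikimedia.org
    IdentityFile ~/.ssh/id_ed25519

Host gerrit.wikimedia.org
    Port 29418
    IdentityFile ~/.ssh/id_ed25519
"""

def parse_host_blocks(text):
    """Return [(patterns, {option: value}), ...] in file order (Host blocks only)."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1][key] = value
    return blocks

def host_matches(patterns, hostname):
    """OpenSSH rule: some positive pattern matches and no '!' pattern matches."""
    positive = any(fnmatch.fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))
    negated = any(fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns if p.startswith("!"))
    return positive and not negated

def effective_options(text, hostname):
    """Options ssh would obtain for `hostname`: first matching block wins per option."""
    opts = {}
    for patterns, values in parse_host_blocks(text):
        if host_matches(patterns, hostname):
            for key, value in values.items():
                opts.setdefault(key, value)
    return opts
```

`ssh -G hostname` prints the same kind of effective configuration (including `Match` handling) straight from OpenSSH and is the quickest way to confirm which block a host actually hits.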