
Deprecate and remove 'bastion-restricted' hosts
Open, Low, Public

Description

The restricted bastion was created long ago back when we recommended ssh agent forwarding for VM access. Out of an abundance of caution, we had people with root keys forward through a separate bastion to avoid the risk of key sniffing.

We no longer use forwarding, and haven't been especially compulsive about segregating ssh traffic between the different bastions. We should just eliminate the special bastions and standardize on everyone using standard public bastions; this will slightly simplify our setup and also ensure that admins are drinking the same champagne as our users.

Event Timeline

Restricted Application added a subscriber: Aklapper.

FWIW I see some value in having the cumin authorized_keys entries have an IP restriction on a host not accessible to most people, but otherwise agree with the proposal.
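OpenSSH expresses a per-key source restriction in authorized_keys with the `from="pattern-list"` option. The following is an added example, not part of the task or of any project tooling: a small audit that reports entries with no `from=` restriction or with one that matches every source. The key material, comments and addresses in the sample are constructed placeholders.

```python
# Audit authorized_keys text for entries lacking a usable from= source restriction.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def split_quoted(s, seps):
    """Split s on any character in seps, ignoring separators inside double quotes."""
    parts, cur, in_quote = [], [], False
    for i, ch in enumerate(s):
        if ch == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quote = not in_quote
        if ch in seps and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def audit(text):
    """Return (line_number, key_comment, finding) for each weakly restricted key."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f for f in split_quoted(line, " \t") if f]
        # The options field is optional; a line may start directly with the key type.
        opts = [] if fields[0].startswith(KEY_TYPES) else split_quoted(fields.pop(0), ",")
        label = fields[2] if len(fields) > 2 else "(no comment)"
        sources = None
        for opt in opts:
            if opt.lower().startswith("from="):
                sources = opt[5:].strip('"').split(",")
        if sources is None:
            findings.append((n, label, "no from= restriction"))
        elif "*" in sources:
            findings.append((n, label, "from= matches any source"))
    return findings

# Constructed sample: placeholder keys, hypothetical comments, documentation addresses.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    'from="192.0.2.10,198.51.100.0/24",no-agent-forwarding ssh-ed25519 AAAAPLACEHOLDER1 cumin-restricted',
    "ssh-ed25519 AAAAPLACEHOLDER2 cumin-open",
    'from="*",command="run a, b" ssh-rsa AAAAPLACEHOLDER3 cumin-wild',
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```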

> FWIW I see some value in having the cumin authorized_keys entries have an IP restriction on a host not accessible to most people, but otherwise agree with the proposal.

Can you tell me more about what this would look like? Do you mean that there would be a 'bastion-cumin' host for cumin access, and then we retool all the pam restrictions to permit bastion and root logins only on that host?