
Generate SSH key pair for MediaWiki deployment
Closed, ResolvedPublic

Description

Author: ori

Description:

(For context, see the thread '[Ops] Shared ssh key' from October.)
Here's what we need next to transition scap to a securely-shared deployment key model:
* Create a private / public key pair for MediaWiki deployments. The private key should have a passphrase.
* Put the public key in operations/puppet:modules/mediawiki/files/authorized_keys.mwdeploy (currently just a placeholder).
* Put the private key in the private Puppet repository as files/ssh/tin/mwdeploy_rsa.
* Provision the private key on tin by merging <https://gerrit.wikimedia.org/r/172919>.
* Disseminate the private key's passphrase to roots, either by adding it to the private Puppet repository, or via some other secure means. (Chris Steipp's preference is to not have the passphrase in the private Puppet repository.)

Details

Reference
rt8857

Event Timeline

rtimport raised the priority of this task from to Medium. (Dec 18 2014, 2:18 AM)
rtimport set Reference to rt8857.

all done as requested. thanks for the detailed preparation.
private key added to private repo, public key added to public repo,
merged the change to provision private key on tin and watched it.
<root at tin:~/> ls
authorized_keys known_hosts mwdeploy_rsa
passphrase in /srv/passwords/mediawiki-deployment-key-passphrase on iron

Status changed from 'new' to 'open' by RT_System

key length is 4096 bits. passphrase is 20 chars a-zA-Z0-9
merged: https://gerrit.wikimedia.org/r/#/c/173103/
merged: https://gerrit.wikimedia.org/r/#/c/172919/

Status changed from 'open' to 'resolved' by dzahn
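
The key parameters reported above (4096-bit RSA, 20-character a-zA-Z0-9 passphrase), as an added shell example that is not part of the original task and not the commands that were actually run. The function names, key comment and temporary directory are assumptions; only the file name mwdeploy_rsa comes from the task.

```shell
#!/bin/sh
# Added example: generate a passphrase-protected deployment key and check it.
# Function names, comment string and paths are hypothetical.

# 20 characters from a-zA-Z0-9, drawn from the kernel CSPRNG
# (62^20 possibilities, roughly 119 bits).
gen_passphrase() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-20
}

# Create a 4096-bit RSA key pair at $1, encrypted with passphrase $2.
gen_deploy_key() {
    keyfile=$1 pass=$2
    ( umask 077 && ssh-keygen -q -t rsa -b 4096 -N "$pass" \
        -C "mwdeploy (example)" -f "$keyfile" )
}

# Return 0 only if the key is 4096 bits, cannot be opened without the
# passphrase, and the .pub file matches the private key.
verify_deploy_key() {
    keyfile=$1 pass=$2
    bits=$(ssh-keygen -l -f "$keyfile.pub" | cut -d' ' -f1)
    [ "$bits" = "4096" ] || return 1
    # An empty passphrase must not unlock the private key.
    if ssh-keygen -y -P "" -f "$keyfile" >/dev/null 2>&1; then
        return 1
    fi
    # Re-derive the public key and compare key type + base64 blob.
    derived=$(ssh-keygen -y -P "$pass" -f "$keyfile" 2>/dev/null | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$keyfile.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Demo: `sh example.sh demo` creates and checks a key in a temp directory.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    pw=$(gen_passphrase)
    gen_deploy_key "$dir/mwdeploy_rsa" "$pw" \
        && verify_deploy_key "$dir/mwdeploy_rsa" "$pw" \
        && echo "key OK: $dir/mwdeploy_rsa (store the passphrase separately)"
fi
```

The verification step is what shows that the passphrase and the key are separate secrets: the private key file on its own is not usable.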

Dzahn changed the visibility from "WMF-NDA (Project)" to "All Users". (Apr 1 2015, 2:07 AM)
Dzahn changed the edit policy from "WMF-NDA (Project)" to "All Users".
Dzahn set Security to None.
Dzahn changed the visibility from "All Users" to "Public (No Login Required)". (Apr 1 2015, 2:23 AM)