[ACCESS REQUEST] New access for labster
Closed, Declined | Public

Description

Shell name: labster
SSH Key (if new access):

ssh-rsa [key material omitted] [email protected]

Requested access: mw-admins / graylog

Rationale for access: I'd like to be able to at least investigate bugs as they come in on Phorge, and if not figure out how to fix them, at least be able to gather information for others.

Event Timeline

This isn't a hard requirement, just better for config; is it possible for you to use an ed25519 key instead of RSA? I personally prefer that but it is really up to you.

Universal_Omega renamed this task from [ACCESS REQUEST] New/Expanded access for [USERNAME] to [ACCESS REQUEST] New access for labster. Apr 29 2024, 03:31
Universal_Omega claimed this task.
Universal_Omega moved this task from Radar to Access on the Technology-Team board.

Honestly I haven't thought much about key type. I do have my RSA key deployed in other places, though, so I'd need to generate a new key and configure it.

> Honestly I haven't thought much about key type. I do have my RSA key deployed in other places, though, so I'd need to generate a new key and configure it.

You need a new key regardless. Policy requires that keys in use on Miraheze infrastructure can only be used on Miraheze and can't be used anywhere else.

> Policy requires that keys in use on Miraheze infrastructure can only be used on Miraheze and can't be used anywhere else.

Yeah, but we're on WikiTide infra now, right?

Seriously, can you explain the threat model that is mitigated by this policy? All I can think of is "user was already compromised before joining" (unlikely, if so the new key may be compromised too) and "user doesn't use ssh agent forwarding" (epic fail, should not be given access in the first place), or "user isn't technical enough to edit .ssh/config" (a test?). I'm not opposed to just doing it, it just feels like magical thinking to me, and not a security trade-off worth making in an all-volunteer organization. Keys do not "wear out" over time, they are either compromised or not.

I see it was added here, is that a policy we want to keep?

The policy can be reevaluated but for now I will maintain it. Can you please generate a new key for Miraheze/WikiTide? Preferably ssh-ed25519?

Thanks!

> I see it was added here, is that a policy we want to keep?

It was added long before that. The pages were just reorganised. I'd guess the policy has probably always been in place as it matches the Wikimedia Foundation's policy.

Once a new key is generated, I will approve this access request only for Bastion and Graylog access. But not full MW access as the rationale does not indicate the need for it.

Uninvolved observer wanting to comment: this request hasn't been edited in more than a week, is there still a desire for this to be active and open?

This is declined for lack of response. And if there is no response to an access request then the need seems to be nonexistent or at least not very serious, as such I am declining this.

Well, it was serious to begin with, but then between everyone's reactions here and on-wiki, I realized that Miraheze doesn't really want volunteers for any roles, technical or community.

A minor note to any observers looking to volunteer: we are most certainly in need of volunteers/assistance for all roles, and would appreciate the time that people have to donate, if able. :)