[08:04:30] !log tools.bridgebot Double IRC messages to other bridges
[08:04:31] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.bridgebot/SAL
[21:34:06] Hey all, I am trying to clone a private repo from my own Github account via SSH from within a tool account on Toolforge -- and it fails (permission denied). When doing so from my dev account, it works (since SSH agent forwarding is active, and Github knows the public key).
[21:34:11] So, becoming the tool account seems to break the agent forwarding. Can I somehow make this happen using the tool account? Can't find anything related on wikitechwiki, unfortunately.
[21:39:35] I'm not sure if you can directly ssh to the tool account
[21:39:49] you could clone it from your account
[21:39:54] then move it to the tool account
[21:42:29] MisterSynergy: don't forward your SSH key! GitHub allows you to create a "deployment SSH key" that you can add to your tool
[21:42:37] also note that all code on Toolforge must be open source
[21:42:37] mh, should be simple. I could possibly also auth via HTTPS + some password from within the tool account, but all of this seems unnecessarily complicated
[21:42:52] https://docs.github.com/en/developers/overview/managing-deploy-keys
[21:43:15] https://docs.github.com/en/developers/overview/managing-deploy-keys#deploy-keys this section specifically
[21:43:27] it's not about hiding the source code, it is accessible on Toolforge anyways. I just want to manage it on Github, but not reveal much activity there publicly
[21:43:36] k, will have a look ...
[21:44:55] Btw. "agent forwarding" is recommended at several places on wikitechwiki
[21:46:28] link please?
[21:46:37] I actually thought we had agent forwarding banned, it's insecure
[21:46:49] screenshots in https://wikitech.wikimedia.org/wiki/Help:Access_to_Toolforge_instances_with_PuTTY_and_WinSCP
[21:47:03] explicitly stated in https://wikitech.wikimedia.org/wiki/Help:Putty
[21:47:07] possibly other places
[21:47:33] Much of that seems dated anyways, but if it is problematic, it should probably be updated
[21:48:35] hmmm, I will need to double check with someone more familiar with Windows if it's still needed
[21:51:16] you never needed to allow agent forwarding with Putty
[21:51:31] or at least it wasn't needed many years back
[21:51:32] the Github deploy key in the tool account probably needs some chmod 400 or so to restrict visibility, right?
[21:51:53] yes
[21:52:03] in fact, ssh would probably complain otherwise
[21:52:13] in theory ssh will yell at you if it has insecure permissions...yeah
[21:53:55] it doesn't even tell you how to jump to another host
[21:54:07] so the agent forwarding mention seems unneeded
[21:55:29] maybe people are running ssh directly from the bastion?
[21:56:06] the way to do the jump with putty would be to have putty run plink
[21:56:12] Toolforge has a direct ssh/login host to avoid people needing to mess with ProxyCommand/forwarding
[21:56:13] I don't remember the incantation needed
[21:57:05] the jump is explained in: https://wikitech.wikimedia.org/wiki/Help:Access_to_Cloud_VPS_instances_with_PuTTY_and_WinSCP
[21:57:37] so those forwardings seem wrong, indeed
[22:08:04] alright, the deploy key works as desired. thanks for the help!
[22:08:50] the newly generated ssh key is indeed properly protected right from the creation with ssh-keygen
[23:40:56] the forwarding does actually make sense for how https://wikitech.wikimedia.org/wiki/Help:Putty#Connecting_to_your_instance details the access
[23:41:02] but it's not the Right™ way to do it