[03:35:14] !log copypatrol delete copypatrol-backend-prod-01
[03:35:16] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Copypatrol/SAL
[22:01:04] https://phab-ban.toolforge.org/ is Internal Server Error-ing
[22:01:22] cc bd808 ^
[22:01:40] cute. let me see what I can do
[22:04:28] !log bd808@tools-bastion-12 tools.phab-ban Restarted after irc report of 500 error output. Looks like an NFS blip messed things up at last startup.
[22:04:31] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.phab-ban/SAL
[22:04:56] AntiComposite: I think it is back up now
[22:06:13] I have been waiting for push-to-deploy to be working for webservices to convert a bunch of apps like that one to buildpacks. Getting away from NFS will make them more stable.
[22:11:48] bd808, if you need someone to test it on, https://phabricator.wikimedia.org/p/RIA_LESTARI_WEBSTER/ seems like a decent candidate
[22:13:50] https://phabricator.wikimedia.org/p/T200856-01 is my lockout test, but that does look like a weird spam post at https://phabricator.wikimedia.org/T198221#11110858
[22:14:15] oh yeah. 2 days old & blocked all over the place
[22:15:36] AntiComposite: disabled
[23:46:53] wrt https://wikitech.wikimedia.org/w/index.php?title=Managing_multiple_SSH_agents - why doesn’t one just disable agent forwarding while keeping both keys in the same agent? given that forwarding is disabled in the example config, it doesn’t seem like that’d be much of a stretch?
[23:55:07] yeah, that page looks weird to me… I’d say we want to encourage ProxyJump (-J), not forwarding your agent to a bastion (regardless of how many keys are in it)
[23:55:31] but apparently the page has been edited by quite a few WMFers over the years so I’m interested if anyone else has something to say on it :)
[23:57:51] "forwarded" is maybe the wrong word there. If you have N keys in your agent, by default ssh will try all of them in series until access is granted. Note the `ForwardAgent no` in the host config at the end of the page. So that is more defense.
[23:58:45] I think when the first version of that page was written we did not even have ProxyJump -J
[23:59:24] yeah, I remember when you had to cobble together the ProxyCommand yourself *shudder*