[10:01:16] joe: I'm working on integrating shellbox in beta with mw nodes. Is it fine if I make a patch adding a setting in puppet (to be filled from private for production)
[10:07:00] oh it doesn't need puppet
[10:07:07] it's another private repo
[14:33:08] anyone who cares about the scant number of postgres instances we have (more or less only maps and puppetdb afaik?), I'd like to change how we provision replicas
[14:33:13] https://gerrit.wikimedia.org/r/c/operations/puppet/+/700071
[14:34:07] we have also netbox with postgres
[14:45:54] hnowlan: ^^^ I've also commented on the CR
[14:45:55] thx
[14:46:05] thanks!
[17:54:57] moritzm: jbond elukey, does anyone ever use ssh keys for 2fa/ SSO?
[17:55:18] Wondering how YubiKeys are any better than ssh keys...kind of the same?
[17:56:15] i guess YubiKey is removable hardware, so you can separate the key from your computer easily, but aside from that does it provide any extra security?
[17:57:00] ccccccvelljddccllcnnjurhgvdcntucnufhuvdncjgg
[17:57:02] hha
[17:57:10] wow yubikey loves to do that
[17:58:07] yubikeys are also phish resistant, since they will only return the correct token for e.g. "en.wikipedia.org" and can't get fooled by "en.vvikipedia.org". idk how ssh keys fare in that regard
[17:59:14] oh interesting, so the first time i logged into idp with my yubikey, it created a token specifically for wikipedia.org?
[18:03:09] "idp.wikimedia.org", but yeah
[18:05:10] that was the best ever, I kinda want to bash that
[18:07:59] yeah, essentially there's a secret key on the token which is validated by the application (here the IDP) via a challenge response protocol. if the token gets lost, the old ID needs to be unregistered and replaced with the ID of your replacement token