[16:13:44] <jhathaway>	 anyone around to take a look at https://gerrit.wikimedia.org/r/c/operations/puppet/+/751990?
[16:14:17] <jhathaway>	 never mind, jbond is taking a look
[21:14:39] <ottomata>	 mutante: yt? razzi  has a q about verifying user ssh keys 
[21:14:44] <ottomata>	 he's working on https://phabricator.wikimedia.org/T298786
[21:18:41] <mutante>	 ottomata: yes, I am here.  what is the question?
[21:18:52] <mutante>	 is it "how to check this person in phab is who they say"?
[21:20:09] <mutante>	 the other thing is to check it's not the same key they use in cloud, that can be done via ldapsearch or that cross-validate-accounts script 
[21:22:18] <razzi>	 mutante: the question is about how to ensure the ssh key is the right one. It looks like we want to confirm a second source other than the phabricator ticket, but I wasn't clear on the exact process
[21:23:47] <mutante>	 razzi: I see. Yea, when it says "second source" it means in practice you can pick yourself between "quick google meet", "have them sign with GPG", "call them" or something that you come up with that confirms it is legit. so we don't trust only the phab user
[21:24:21] <razzi>	 A second issue is regarding the cross-validate-account script: when I ran it I got a lot of lines like "Malformed membership for ops user dzahn, has additional group(s): {'deployment-ci-admins'}" - even when I introduced a deliberate typo into the --ssh-key parameter the same "malformed membership" lines came as output, and it didn't say anything about the parameters I passed
[21:24:49] <razzi>	 Ok I think I'll ask her to upload her ssh key on her officewiki account
[21:25:11] <mutante>	 I noticed this as well in the emails we get from this script but have no idea why it is. We should make a ticket for that and and ask infra-foundations
[21:25:29] <mutante>	 the "malformed membership" thing is new
[21:25:42] <mutante>	 yes, officewiki sounds fine as well to me
[21:26:30] <mutante>	 razzi: you can use ldapsearch -x on mwmaint1002 to search for them and manually look at the key in there
[21:26:35] <mutante>	 that is their cloud key
[21:26:54] <mutante>	 same thing that you would check with cross-validate-account
[21:27:00] <razzi>	 got it, I'll try that
[21:28:10] <razzi>	 I think we can streamline the onboarding process by formalizing the access request ssh key second source
[21:29:02] <urbanecm>	 razzi: I'm not sure you can formalize it much. Maybe for staff some of the staff-only sources is doable. But there are volunteers with shell
[21:29:09] <mutante>	 we could list ways that are considered valid, yea
[21:29:39] <mutante>	 I think "verified in video meeting" is common but I think the best ones don't require realtime
[21:30:20] <razzi>	 that is true urbanecm, At least for staff we should add a step to the onboarding document, and we can say "if you're staff ..." on the generic production access doc
[21:30:31] <mutante>	 semi-relatedly, try "sudo check_user <email>" on cumin1001
[21:30:52] <mutante>	 that tells you whether a developer account is linked to a WMF account
[21:30:56] <urbanecm>	 yeah, definitely. I'm just saying i wouldn't be able to follow a procedure that ie. says "put sth on officewiki"
[21:30:59] <mutante>	 kinda of new
[21:32:48] <mutante>	 phabricator also has that feature to sign a message
[21:34:00] <cdanis>	 yeah I've used that before -- it forces a fresh 2FA
[21:36:15] <razzi>	 mutante: for ldapsearch -x I didn't see anything for her username, so I guess she hasn't created a wikitech username yet? I guess it's not a blocker, but it seems less than ideal because s he could always reuse the production key when she gets to that part
[21:37:12] <taavi>	 it is a blocker, as you need to get the user id number from ldap
[21:37:41] <mutante>	 razzi: what taavi said, you want to match that user, so they kind of have to create that first
[21:37:56] <mutante>	 you want the same UID for both
[21:38:13] <mutante>	 try searching by email too though
[21:38:18] <mutante>	 maybe they have a different name
[21:38:32] <mutante>	 with ldapsearch it is  mail=  
[21:39:34] <mutante>	 if there is nothing yet at all I would assign that ticket to them and say "please create your wikitech user and then assign it back"
[21:40:36] <taavi>	 razzi: I see it on ldap https://phabricator.wikimedia.org/P18418
[21:41:19] <razzi>	 ok cool thanks taavi , I was using ldapsearch incorrectly then I suppose
[21:42:55] <mutante>	 there is uid=  and cn=  and sn=  and they can all be different ..or not
[21:43:30] <mutante>	 so it's easy to miss one, mail=  though should be pretty reliable, as long as they use @wikimedia.org as we would like them to if they are staff
[21:44:08] <mutante>	 example: [mwmaint1002:~] $  ldapsearch -x mail=snw*
[21:44:15] <mutante>	 with wildcard
[21:45:54] <razzi>	 cool yeah mail= works well and is easy to remember :)
[21:47:16] <mutante>	 so yea, use uid 36868 also in a prod shell account
[21:47:42] <mutante>	 that's just how we avoid duplicates
[21:57:47] <razzi>	 Created the ticket for cross-validate-accounts at https://phabricator.wikimedia.org/T298815 assigned to Infrastructure-Foundations
[21:59:46] <mutante>	 cool, thanks! I had been wondering about that just earlier today
[22:00:12] <mutante>	 because of the mail that it sends to root
[23:50:11] <mutante>	 please start by asking https://phabricator.wikimedia.org/p/Lens0021/ directly
[23:50:21] <mutante>	 eh, wrong channel :)