[02:54:17] New patchset: Hydriz; "Deploying Extension:Labeled Section Transclusion to hydrizwiki." [labs/incubator] (master) - https://gerrit.wikimedia.org/r/24684
[02:56:17] Change merged: Hydriz; [labs/incubator] (master) - https://gerrit.wikimedia.org/r/24684
[05:49:19] Change on mediawiki a page Developer access was modified, changed by Jeremyb link https://www.mediawiki.org/w/index.php?diff=586206 edit summary: /* User:Gerx03 */ done
[17:05:57] 09/23/2012 - 17:05:57 - Updating keys for stwalkerster at /export/keys/stwalkerster
[18:44:02] I'm still unable to gain sudo root access on stock instance builds -- does this work as expected for others?
[18:44:51] at least on ubuntu-12.04-precise, puppet config is adding files into /etc/sudoers.d/ so there's that
[18:46:52] * GChriss just found https://bugzilla.wikimedia.org/show_bug.cgi?id=39788
[18:48:28] ...if passwordless sudo isn't enabled, how does one get root access to instances?
[18:56:18] GChriss: reload the bug
[18:57:13] oh.
[18:57:15] that works.
[18:57:23] but way less secure than I was expecting
[18:57:53] so you're root?
[18:58:30] yes
[18:58:37] good ;)
[18:59:33] DQ|sleep: timezone?
[18:59:47] I'm guilty of using a fairly simple password for all public wikis (e.g., WMF universal signon), but use a strong password for anything SSH-based
[18:59:59] Eastern, I know, my sleep is messed up
[19:00:02] and by extension gerrit and labsconsole
[19:00:07] haha!
[19:00:36] so to have a weak password be blended into the ssh-stuff, well... it's not ideal
[19:00:46] GChriss: well there is the 2 factor thing. but yeah, i brought up this very topic long ago
[19:01:14] it would be better if this was explicitly spelled out in the signup process, so at least people know
[19:02:06] know to use a strong password? that's a separate issue. i was talking about not using a sudo password that's the same password that can be used to get even more power than sudo
[19:02:22] and that's where the idea of going passwordless came from
[19:03:12] but re making it strong: if they have (or can guess or whatever) your labsconsole password then they can just add their own key to your account
[19:03:30] so regardless of sudo it should be strong anyway
[19:05:31] agreed, but not immediately obvious to newbies (like me). labsconsole looks a lot like all the other WMF wikis
[19:11:53] GChriss: well feel free to suggest wording or where to put it ;)
[19:12:04] Thehelpfulone: ^^
[19:38:32] editing now
[19:50:10] GChriss: There are sudo policies per project so in bots for example not everyone can access the sql servers etc.
[19:50:19] By default anyone can sudo to anything though
[19:50:31] And you should use a secure password regardless, otherwise you're open to escalation attacks
[19:51:12] * Damianz thinks we should document how sudo-ldap is set up probably
[20:01:44] updated [[Help:Sudo_Policies]]
[20:03:02] yup, just got the secure password part
[20:04:32] although all of this is only as strong as 'E-mail new password'
[20:05:38] which is much better than the Apple ID/Amazon attack
[20:33:50] It's sorta why 2 factor auth is there
[20:33:58] It's actually required for some higher level functions (admin level)
[20:34:15] Which is annoying on the dev site, I have a stupid amount of keys on my phone heh