Bastion immediately dropping SSH connection (LDAP sync issue?)
Closed, Resolved · Public

Description

I recently created the new Cloud VPS project thelounge (T424443) and linked my SUL/IDM account (Shell username: jony).

My instance is running perfectly and my SSH keys are verified in IDM. However, the Bastion server is instantly dropping my connection right after successful key verification.

I have confirmed that I am actively listed as a reader of the project on the Horizon dashboard here: https://horizon.wikimedia.org/project/member/

Because the Horizon dashboard recognizes my membership but the Bastion drops the connection, I suspect my shell account hasn't been properly synced to the Bastion's local access list (LDAP/PAM sync issue).

I have tested from PowerShell and Git Bash. Here are my verbose logs showing the immediate drop:

```text
debug1: Authenticating to bastion.wmcloud.org:22 as 'jony'
debug1: Offering public key: C:\Users\Z-Book\.ssh\id_ed25519 explicit
debug1: Server accepts key: C:\Users\Z-Book\.ssh\id_ed25519 explicit
Connection closed by 185.15.56.16 port 22
```

Event Timeline

Restricted Application added a subscriber: Aklapper.

You're not a member of project-bastion though - https://ldap.toolforge.org/user/jony

Not sure if you've applied, or whether it's been approved, but that's via https://toolsadmin.wikimedia.org/tools/membership/apply

Hi @Reedy and @JJMC89, I was actually approved for Toolforge membership back in 2019 by BryanDavis (Request #478).

As JJMC89 pointed out with the T379550 bug, it looks like Keystone simply failed to add my already-approved jony account to the project-bastion LDAP group when my new Cloud VPS project was created.

Since the automated system failed, could an admin please manually add jony to the project-bastion LDAP group so I can SSH into my server? Thank you!

Andrew claimed this task.
Andrew subscribed.

This should be fixed now. Sorry for the confusion!

Hi @Andrew, thank you so much for fixing the Bastion access. I am finally in the server! However, it looks like the setup bug also failed to scaffold the ou=sudoers directory for my project in LDAP. When I try to view or add rules in the Horizon "Project Sudo" tab, it throws the following LDAP error:

```text
Error: Unable to retrieve sudo rules.
{'msgtype': 101, 'msgid': 2, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'ou=projects,dc=wikimedia,dc=org'}
```

Because of this, I am getting a "jony is not allowed to run sudo on lounge-server" error on the instance itself. Could you please manually scaffold the sudoers OU for the thelounge project so I can grant myself access and run updates? Thank you again for all the help!
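Two client-side signatures in this ticket are worth being able to read mechanically: the `ssh -v` transcript in the description, where the server accepts the key and then closes the socket before any "Authenticated to" line (public-key authentication succeeded; a later access check refused the session), and the LDAP result 32 from the "Project Sudo" tab, whose `matched` field names the deepest ancestor that does exist. The following is an added example, not Wikimedia Cloud Services tooling; the sample inputs are constructed from the lines quoted above, and the requested sudoers DN (`ou=sudoers,cn=thelounge,ou=projects,dc=wikimedia,dc=org`) is an assumption about the directory layout used only to show how the matched DN locates the missing entries.

```python
"""Added example (not Wikimedia Cloud Services code): decode the two
failure signatures seen in this ticket from the client side.

Sample inputs are constructed from the log lines quoted in the ticket.
REQUESTED_DN is an ASSUMPTION about the directory layout.
"""
import re

# Constructed from the `ssh -v` excerpt in the ticket description.
SSH_LOG = (
    "debug1: Authenticating to bastion.wmcloud.org:22 as 'jony'\n"
    "debug1: Offering public key: C:\\Users\\Z-Book\\.ssh\\id_ed25519 explicit\n"
    "debug1: Server accepts key: C:\\Users\\Z-Book\\.ssh\\id_ed25519 explicit\n"
    "Connection closed by 185.15.56.16 port 22\n"
)

# Constructed from the Horizon "Project Sudo" error in the ticket.
LDAP_ERROR = {
    "msgtype": 101, "msgid": 2, "result": 32, "desc": "No such object",
    "ctrls": [], "matched": "ou=projects,dc=wikimedia,dc=org",
}

# ASSUMED per-project sudoers container; the ticket does not state this DN.
REQUESTED_DN = "ou=sudoers,cn=thelounge,ou=projects,dc=wikimedia,dc=org"


def classify_ssh_drop(log: str) -> str:
    """Classify an `ssh -v` transcript that ends in a closed connection.

    Returns one of:
      "key-rejected"         - "Permission denied": no offered key was usable
      "accepted-then-closed" - key accepted, no "Authenticated to" line, then
                               the server closed the socket: public-key auth
                               worked and a post-authentication check (PAM
                               account stage, access/group lists) refused it
      "closed-after-session" - fully authenticated, then closed: look at the
                               login shell or home directory, not access control
      "closed-before-auth"   - closed with no key ever accepted
      "no-close"             - nothing to diagnose
    """
    accepted = re.search(r"^debug1: Server accepts key", log, re.M) is not None
    authenticated = re.search(r"^debug1: Authenticated to ", log, re.M) is not None
    closed = re.search(r"^Connection closed by ", log, re.M) is not None
    if "Permission denied" in log:
        return "key-rejected"
    if not closed:
        return "no-close"
    if authenticated:
        return "closed-after-session"
    return "accepted-then-closed" if accepted else "closed-before-auth"


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into RDN strings, leaf first, ignoring backslash-escaped
    commas. Case is normalised because attribute types and most DN values
    compare case-insensitively. (Full RFC 4514 parsing is out of scope.)"""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def missing_rdns(error: dict, requested_dn: str) -> list[str]:
    """For an LDAP result 32 (noSuchObject), return the RDNs of the requested
    DN that do not exist, parent before child, using the server-supplied
    'matched' DN: the deepest ancestor that does exist."""
    if error.get("result") != 32:
        raise ValueError(f"not a noSuchObject result: {error.get('result')}")
    matched = dn_rdns(error.get("matched", ""))
    requested = dn_rdns(requested_dn)
    if matched and requested[-len(matched):] != matched:
        raise ValueError("matched DN is not a suffix of the requested DN")
    missing = requested[: len(requested) - len(matched)]
    return list(reversed(missing))


if __name__ == "__main__":
    print(classify_ssh_drop(SSH_LOG))              # accepted-then-closed
    print(missing_rdns(LDAP_ERROR, REQUESTED_DN))  # ['cn=thelounge', 'ou=sudoers']
```

Read the second result the way the directory reports it: the matched DN stops at `ou=projects`, so under the assumed layout the project entry itself, not just its sudoers OU, was absent at the time of the error, which is consistent with the "setup bug" described in the thread.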

> However, it looks like the setup bug also failed to scaffold the ou=sudoers directory

Indeed, this was pretty broken. I've added the necessary parts by hand so you should have some reasonable default sudo rules now.

Hi Andrew, Great! https://chat.wmcloud.org is now officially live! The migration is completed, and the service is running smoothly on Wikimedia Cloud. We still have a lot of work to do regarding the home page customization, legal documentation, and developer stats before it's ready for public use, but the core infrastructure is solid. Thanks for the support in getting this launched!