Access Policy

From MirahezeBotsWiki
(Redirected from Draft:Access Policy)
Jump to navigation Jump to search

Bots+Tools is the network of servers that run the real, live bots and untilis across Miraheze IRC, Discord and Wiki. Access to production is necessary for maintaining this infrastructure, as well as for accessing sensitive data. This page explains how to request and set up this access.

Remember: production access is extremely sensitive. With production access, it's possible to break our websites or steal private data about users' activities. If you have access, act carefully and take the server access responsibilities seriously. Immediately contact the Admin team if you have any doubts about security or if something goes wrong.

Eligibility

To minimize risk to our systems, only a small number of people outside of the Bots Admin Team + Miraheze SRE hold any production access, and that access is limited to what they need. All access privileges require an ongoing need for the access and to be of benefit to the community.

In order to approve your request we will need:

  • At least one comment of support from a bot administrator, explaining why it is a good idea to accept your request
  • A comment of approval from a member of the Miraheze SRE team.
  • After that, ask owen[at]miraheze.org to send you a Miraheze NDA and sign it. He will need your full legal name and address.
  • A bot administrator will ask RhinosF1 to sign the request off.
  • Have someone with access add you to the relevant area.

Generating your SSH key

Since production access uses the Secure Shell protocol (SSH), you'll have to generate a new SSH keypair. Do not reuse an existing key; this presents an unacceptable security risk.

GitHub has a good help page (note that you can switch between Mac, Windows, and Linux documentation right under the title).

We recommend that you use an 4096-bit RSA key or ecdsa key. Do not use DSA keys as they are insecure.

To generate an ED25519 key, run the following command in your terminal:

ssh-keygen -t ed25519

To generate an RSA key, run the following command in your terminal:

ssh-keygen -t rsa -b 4096 -o

Some systems don't support the newer -o option which saves private keys in a slightly more secure format (OpenSSH rather than PEM), but those should be fairly rare, it was introduced in 6.5

The minimum bit length for SSH keys is 4096, which is currently the default length for OpenSSH.

PuTTy

You can also generate keys using PuTTyGEN, to use PuTTyGEN you can follow the guide located here.

Remember: the key you use for production access must be different from the key you use for any other service including Miraheze Production.

SSH Key Requirements

  • Password must be over 16 characters, include 1 symbol, number and both upper and lower case characters.
  • RSA Keys must be 4096 bits in size or higher.
  • ed25519 public keys should be 521 bits and use -a 100. Public keys will then normally be over 2000 bits in size.
  • They must be unique.