From Mageia wiki

Procedure to remove access to a sysadmin

Removing ssh root access to server from puppet

       ssh_authorized_key { "ssh_key_example":
           type => "ssh-rsa",
           key  => "XXXXX",
           # other attributes as in the existing manifest
       }
  • make sure the key is marked as 'ensure => "absent"' (just removing the resource from puppet is not enough: the key is not actually removed from the authorized_keys file, so access remains)
  • commit and push
  • connect to valstar and apply the manifests (puppetd --test). While we should make sure that all servers are secured, valstar is the most critical and should be handled as soon as possible.
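
The caveat in the first step can be verified on each server once the manifests have been applied. The script below is an added example, not part of the Mageia procedure or its tooling; the function names, file names and key strings are constructed, and BLOB stands for the base64 string held in the manifest's key attribute.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki. Names and sample data are constructed.

# key_present FILE BLOB: succeed if BLOB (the base64 string from the Puppet
# "key" attribute) is a whole field on a non-comment line of FILE. Matching a
# whole field ignores key options and the trailing comment, and avoids
# substring hits on longer keys.
key_present() {
    awk -v blob="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) { found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_revocation BLOB FILE...: print each file where the key survives or
# that cannot be read; return 1 if any such file exists, 0 if all are clean.
audit_revocation() {
    blob=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "UNCHECKED $f"; rc=1
        elif key_present "$f" "$blob"; then
            echo "STILL-PRESENT $f"; rc=1
        fi
    done
    return "$rc"
}

# make_sample DIR: write two constructed authorized_keys files for a dry run.
make_sample() {
    cat > "$1/stale" <<'EOF'
# ssh-rsa AAAAexampleREVOKED commented out, harmless
from="192.0.2.10" ssh-rsa AAAAexampleREVOKED former-admin@example
ssh-rsa AAAAexampleKEPT current-admin@example
EOF
    cat > "$1/clean" <<'EOF'
# ssh-rsa AAAAexampleREVOKED commented out, harmless
ssh-rsa AAAAexampleREVOKEDxyz different-longer-key@example
ssh-rsa AAAAexampleKEPT current-admin@example
EOF
}

# Run as: sh script BLOB FILE...
if [ "$#" -ge 2 ]; then
    audit_revocation "$@"
fi
```

A non-zero exit status means at least one file still grants access with the revoked key or could not be inspected, so the run should be treated as incomplete.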

Removing access on various services

We use the mga-sysadm group to grant access to system administrators. So to remove someone's access, we simply remove him from the group. To do that, connect to the ldap directory on valstar and remove him from cn=mga-sysadmin,ou=Group,dc=mageia,dc=org.

If the system administrator wishes to keep his email alias, he can do so by being added to the mga-alumni group in ldap.

Some services may require more information or more time before the change becomes effective. For example, the group synchronisation on transifex uses a cache, as does sympa. So some

Change the password of servers and various hosted services

Since people tend to keep copies of the various passwords, proper security requires changing them. TODO: add a list of services to check, and how to change each password.