diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml index 67f159490f..f5fd464006 100644 --- a/roles/fas_server/tasks/main.yml +++ b/roles/fas_server/tasks/main.yml @@ -41,10 +41,10 @@ tags: - config -- name: install $pythonsitelib/fas/config/log.cfg +- name: install pythonsitelib/fas/config/log.cfg copy: > src="fas-log.cfg" - dest="$pythonsitelib/fas/config/log.cfg" # $pythonsitelib=? + dest="/usr/lib/python2.6/site-packages/fas/config/log.cfg" owner=root group=root mode=0644 diff --git a/roles/fas_server/templates/fas.cfg.j2 b/roles/fas_server/templates/fas.cfg.j2 index e21ccf4d21..ed2f3d7846 100644 --- a/roles/fas_server/templates/fas.cfg.j2 +++ b/roles/fas_server/templates/fas.cfg.j2 @@ -156,9 +156,9 @@ visit.cookie.httponly = True # Database {% if env == "staging" %} -sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db-fas.stg/fas2" +sqlalchemy.dburi="postgres://fas:{{ fasDbPassword }}@db-fas.stg/fas2" {% else %} -sqlalchemy.dburi="postgres://fas:<%= fasDbPassword %>@db-fas/fas2" +sqlalchemy.dburi="postgres://fas:{{ fasDbPassword }}@db-fas/fas2" {% endif %} sqlalchemy.echo=False # When using wsgi, we want the pool to be very low (as a separate instance is 
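Review bot: The passwords are substituted unescaped into `postgres://user:password@host/db` URIs at `sqlalchemy.dburi` here, and again at `ykksm_db`/`ykval_db` in the `@@ -186,11` hunk, so a value containing `@`, `/`, `:` or `#` renders a URI that fails to parse or is misparsed. Either constrain the vaulted values to URL-safe characters or percent-encode at render time, e.g. `{{ fasDbPassword | urlencode }}` (the Jinja2 filter leaves `/` unencoded, so that character still has to be avoided). The rendered fas.cfg also carries these passwords in cleartext, plus the GPG passphrase via `gpg_passphrase` in the `@@ -220,7` hunk. The task that installs fas.cfg is outside this diff, so confirm it does not use `mode=0644` as the log.cfg task above does, and that only the service account can read the file.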
@@ -186,11 +186,11 @@ mail.manager = 'demand' # Enable yubikeys yubi_server_prefix='http://localhost/yk-val/verify?id=' {% if env == "staging" %} -ykksm_db="postgres://ykksmimporter:<%= ykksmimporterPassword %>@db-fas01.stg/ykksm" -ykval_db="postgres://ykval_verifier:<%= ykval_verifierPassword %>@db-fas01.stg/ykval" +ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}@db-fas01.stg/ykksm" +ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}@db-fas01.stg/ykval" {% else %} -ykksm_db="postgres://ykksmimporter:<%= ykksmimporterPassword %>@db-ykksm/ykksm" -ykval_db="postgres://ykval_verifier:<%= ykval_verifierPassword %>@db-ykval/ykval" +ykksm_db="postgres://ykksmimporter:{{ ykksmimporterPassword }}@db-ykksm/ykksm" +ykval_db="postgres://ykval_verifier:{{ ykval_verifierPassword }}@db-ykval/ykval" {% endif %} # Enable or disable generation of SSL certificates for users @@ -220,7 +220,7 @@ gpghome = "/etc/fas-gpg" # Note: gpg_fingerprint and gpg_passphrase are for encrypting password reset mail if the user has # a gpg key registered. It's currently broken gpg_fingerprint = "7662 A6D3 4F21 A653 7BD4 BA64 20A0 8C45 4A0E 6255" -gpg_passphrase = "<%= fasGpgPassphrase %>" +gpg_passphrase = "{{ fasGpgPassphrase }}" gpg_keyserver = "hkp://subkeys.pgp.net" [/fedora-server-ca.cert] diff --git a/roles/fas_server/templates/yubikey-remove.py.j2 b/roles/fas_server/templates/yubikey-remove.py.j2 new file mode 100755 index 0000000000..8364d01168 --- /dev/null +++ b/roles/fas_server/templates/yubikey-remove.py.j2 
@@ -0,0 +1,62 @@
+#!/usr/bin/python -tt
+
+import sys
+
+import psycopg2
+
+
+FAS_HOST = "db-fas"
+YKKSM_HOST = "db-ykksm"
+YKVAL_HOST = "db-ykksm"
+FAS_USER = "fas"
+FAS_PASS = "{{ fasDbPassword }}"
+YKKSM_USER = "ykksmimporter"
+YKKSM_PASS = "{{ ykksmimporterPassword }}"
+YKVAL_USER = "ykval_verifier"
+YKVAL_PASS = "{{ ykval_verifierPassword }}"
+
+fasdb = None
+yk_ksmdb = None
+yk_valdb = None
+
+def usage():
+ usage = '''
+ fas-yubiremove [USERNAME1 [USERNAME2 [...]]]
+
+ Remove existing yubikey for the listed USERNAMEs.
+ '''.strip()
+ print usage
+
+
+def init():
+ global fasdb, yk_ksmdb, yk_valdb
+ fasdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='fas2'" % (FAS_USER, FAS_PASS, FAS_HOST))
+ yk_ksmdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='ykksm'" % (YKKSM_USER, YKKSM_PASS, YKKSM_HOST))
+ yk_valdb = psycopg2.connect("user='%s' password='%s' host='%s' dbname='ykval'" % (YKVAL_USER, YKVAL_PASS, YKVAL_HOST))
+
+
+def main():
+ init()
+ # Get username from commandline
+ usernames = sys.argv[1:]
+ # get the yubikey for the user from the fas configs db
+ for username in usernames:
+
+ fas = fasdb.cursor()
+ fas.execute("select value from configs, people where people.id = configs.person_id and username=%s and application = 'yubikey' and attribute = 'prefix'", (username,))
+ prefix = fas.fetchall()[0]
+ # Remove the keys from the yubikey database
+ yk_ksm = yk_ksmdb.cursor()
+ yk_ksm.execute('delete from yubikeys where publicname=%s', (prefix[0],))
+ yk_val = yk_valdb.cursor()
+ yk_val.execute('delete from yubikeys where yk_publicname=%s', (prefix[0],))
+
+ # Remove the key from fas
+ fas.execute("delete from configs where person_id = (select id from people where username=%s) and application = 'yubikey'", (username,))
+
+ yk_valdb.commit()
+ yk_ksmdb.commit()
+ fasdb.commit()
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/roles/fedimg/templates/fedmsg.d/fedimg.py b/roles/fedimg/templates/fedmsg.d/fedimg.py index 2b4c6a6118..b5a3f141a6 100644 --- a/roles/fedimg/templates/fedmsg.d/fedimg.py +++ b/roles/fedimg/templates/fedmsg.d/fedimg.py @@ -17,8 +17,17 @@ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # # Authors: David Gay +# Ralph Bean # config = dict( kojiconsumer=True, + {% if env == 'staging' %} + # Establish a loop from production back into the staging instance. + endpoints = { + "production-loopback": [ + "tcp://hub.fedoraproject.org:9940", + ], + }, + {% endif %} )
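Review bot: The staging-only `endpoints` entry subscribes this consumer to the production bus at `tcp://hub.fedoraproject.org:9940`, which crosses the production/staging boundary, and nothing in this file shows how those messages are authenticated once they arrive in staging. Confirm that the staging fedmsg configuration keeps `validate_signatures` enabled and trusts the production signing certificates. Also confirm that whatever the `kojiconsumer=True` path does in response to production messages is intended to run in staging with staging-only credentials. The inline comment says what the block does but not why, so a sentence giving the reason for the loop would help the next reader judge whether it is still needed.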