On Mon, 12 Sep 2011 11:02:01 -0400
seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:

> Given recent events in the linux-y world I think it might do us a
> service to impose an ssh-key, user cert and password enforced change
> flag day.
>
> The idea would be everyone would be required to change their
> passwords, ssh keys and any user certs they have before being allowed
> to do anything else on our systems.
>
> Anyone failing to change them would be locked out after a specific
> date.
>
> In particular I would like to make sure that ssh keys get changed - so
> much so that I would want to keep a copy of the existing ssh keys and
> verify that the new one does not match the old one before allowing it
> to be used.
>
> I'd like to discuss the efficacy and timing of this. If anyone has
> perspective that is helpful, please share it.
>
> I think this should be done soon, personally.

Some random thoughts/considerations:

* We could also change fas password requirements at this time.
  We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
  where we agreed with:

  - Nine or more characters with lower and upper case letters, digits
    and punctuation marks.
  - Ten or more characters with lower and upper case letters and digits.
  - Twelve or more characters with lower case letters and digits.

* user certs and passwords are pretty quick and easy to change. Some
  people may object to ssh keys being changed, so I think we need to
  present clear reasoning on it. Perhaps:

  "While your ssh private key is hopefully secure, we would like you to
  take this chance to generate a new one and review your passphrase,
  key size and type and consider a separate key for fedora access. In
  the event your old private key was transferred or backed up to a
  system you may no longer realize it's still stored on, a new private
  key will allow you to confirm and review its setup and storage."

* We may have some users who have email on the affected systems (i.e.,
  kernel.org, linux.com, etc). Should we wait for those systems to be
  back up before taking action? They should be able to log in and change
  their email in fas, but they may be unaware of the need to do so.

* For timing, we want to make sure this won't affect maintainers too
  much working on the release. Perhaps the deadline should be F16
  release? Or is that too far out?

* We could also be more strict with all users in the 'sysadmin*' groups
  perhaps. I.e., a shorter timeline for them to change things. Or make
  them the only group that's required to change and just suggest to
  other groups they do so.

* Users who fail to meet the deadline would be marked 'inactive'?
  What would they need to do to re-activate? Just log in and upload a
  new key/change password?

* How many users do we have with ssh keys uploaded?

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
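The check proposed in the quoted message (keep the old ssh keys and refuse a new upload that matches one of them) is sketched below as an added example; it is not part of either email and not FAS code. It compares the decoded key blob rather than the whole line, so a changed comment or options prefix does not make an old key look new. All function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct


def key_blob(line):
    """Return the decoded public-key blob from a .pub / authorized_keys line.

    Leading options and the trailing comment are skipped, so editing either
    one does not change the result.
    """
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
        except (ValueError, struct.error):
            continue  # not base64, or too short to hold a length prefix
        # A real blob starts with a length-prefixed copy of the key type.
        if blob[4:4 + n] == key_type.encode():
            return blob
    raise ValueError("no SSH public key found in line")


def fingerprint(line):
    """SHA-256 over the key blob, hex-encoded (what would be stored per user)."""
    return hashlib.sha256(key_blob(line)).hexdigest()


def is_reused(new_line, old_fingerprints):
    """True if the uploaded key is one the user already had before flag day."""
    return fingerprint(new_line) in old_fingerprints


def sample_line(material, comment, options=""):
    """Constructed test data shaped like an ssh-ed25519 line; not a real key."""
    t = b"ssh-ed25519"
    blob = (struct.pack(">I", len(t)) + t
            + struct.pack(">I", len(material)) + material)
    b64 = base64.b64encode(blob).decode()
    return f"{options} ssh-ed25519 {b64} {comment}".strip()


# Constructed inputs: the stored old key, the same key re-uploaded with a new
# comment and an options prefix, and a key with different material.
OLD = {fingerprint(sample_line(bytes(range(32)), "user@old-laptop"))}
SAME_KEY = sample_line(bytes(range(32)), "user@new-laptop", "no-agent-forwarding")
FRESH_KEY = sample_line(bytes(range(32, 64)), "user@new-laptop")
```

A match only proves the public key is identical; it says nothing about how the new private key is stored or protected.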