On Mon, 2011-09-12 at 10:40 -0600, Kevin Fenzi wrote:
> Some random thoughts/considerations:
>
> * We could also change fas password requirements at this time.
> We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
> where we agreed with:
>
> - Nine or more characters with lower and upper case letters, digits and
> punctuation marks.
>
> - Ten or more characters with lower and upper case letters and digits.
>
> - Twelve or more characters with lower case letters and digits.

So - I am sure I'm not the only one who does this - but how about
mandating pass PHRASES and make the minimum length be 40 characters?

Mary_had_a_little_lamb_whose_fleece_was_white_as_snow

would work just fine and should be substantially harder to crack :)

(/me is all about making friends today, apparently)

> * user certs and passwords are pretty quick and easy to change. Some
> people may object to ssh keys being changed, so I think we need to
> present clear reasoning on it. Perhaps:
>
> "While your ssh private key is hopefully secure, we would like you to
> take this chance to generate a new one and review your passphrase, key
> size and type and consider a separate key for fedora access. In the
> event your old private key was transferred or backed up to a system you
> may no longer realize it's still stored on, a new private key will
> allow you to confirm and review its setup and storage."
>
> * We may have some users who have email on the affected systems (ie,
> kernel.org, linux.com, etc). Should we wait for those systems to be
> back up before taking action? They should be able to login and change
> their email in fas, but they may be unaware of the need to do so.

This sounds reasonable - though perhaps we should isolate that set of
users now and give their accounts an extra scouring. :)

> * For timing, we want to make sure this won't affect maintainers too
> much working on the release. Perhaps the deadline should be F16
> release? or is that too far out?

I'd be inclined for sooner than later but <shrug>

> * We could also be more strict with all users in the 'sysadmin*'
> groups perhaps. Ie, a shorter timeline for them to change things. Or
> make them the only group that's required to change and just suggest to
> other groups they do so.

This sounds good.

> * Users who fail to meet the deadline would be marked 'inactive' ? What
> would they need to do to re-activate? Just login and upload a new
> key/change password?

well "login" might be hard. I suspect we just nuke their ssh keys so they
cannot login to any shell w/o first getting into the fas.

> * How many users do we have with ssh keys uploaded?

3728 users on fedorapeople.org

That's fpca + 1 group.

1776 on fedorahosted.org - I've not checked for overlap there, obviously.

-sv

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
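As an added example that is not part of the original thread and not Fedora's FAS code: a checker for the three password tiers quoted from ticket 2804 above, with the 40-character passphrase rule from the reply as an alternative path. It assumes a password is acceptable if it meets any one tier (the thread does not say how the tiers combine), takes 40 as the passphrase minimum, and includes a naive search-space estimate to show the comparison the reply is making; the phrase denylist is a constructed sample, added to show that a well-known quotation as a passphrase is only as strong as its presence in a phrase list.

```python
"""Added example (not Fedora Infrastructure code): FAS-style password tiers
from ticket 2804 plus the proposed 40-character passphrase alternative.
Assumptions: any single tier suffices; PASSPHRASE_MIN_LEN = 40; the
denylist below is a constructed sample, not a real wordlist."""
import math
import string

PASSPHRASE_MIN_LEN = 40  # proposed in the reply above; assumption, not policy


def _classes(pw):
    """Which character classes appear in pw."""
    return {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }


def meets_tiered_policy(pw):
    """Return the first tier (from ticket 2804, as quoted) that pw satisfies, or None.

      tier9  : >= 9 chars, lower + upper + digits + punctuation
      tier10 : >= 10 chars, lower + upper + digits
      tier12 : >= 12 chars, lower + digits
    """
    c, n = _classes(pw), len(pw)
    if n >= 9 and c["lower"] and c["upper"] and c["digit"] and c["punct"]:
        return "tier9"
    if n >= 10 and c["lower"] and c["upper"] and c["digit"]:
        return "tier10"
    if n >= 12 and c["lower"] and c["digit"]:
        return "tier12"
    return None


def normalize_phrase(pw):
    """Lowercase and drop separators so 'Mary_had_a...' and 'mary had a...' match."""
    return "".join(c.lower() for c in pw if c.isalnum())


# Constructed sample denylist: a real deployment would load a phrase wordlist.
KNOWN_PHRASES = {
    normalize_phrase("Mary had a little lamb whose fleece was white as snow"),
}


def check_password(pw, known_phrases=frozenset()):
    """Return (accepted, reason).

    Accepts via the tiered policy first, then via the passphrase rule; a
    passphrase that normalizes to an entry in known_phrases is rejected,
    because attackers guess phrases from lists rather than characters.
    """
    tier = meets_tiered_policy(pw)
    if tier:
        return True, tier
    if len(pw) >= PASSPHRASE_MIN_LEN:
        if normalize_phrase(pw) in known_phrases:
            return False, "known_phrase"
        return True, "passphrase"
    return False, "too_weak"


def brute_force_bits(pw):
    """Naive search-space estimate log2(alphabet ** len(pw)).

    This is the per-character comparison the reply makes; it overstates a
    passphrase built from dictionary words or a famous quotation.
    """
    c = _classes(pw)
    alphabet = ((26 if c["lower"] else 0) + (26 if c["upper"] else 0)
                + (10 if c["digit"] else 0)
                + (len(string.punctuation) if c["punct"] else 0))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for cand in ("Tr0ub4d0r&3", "abcdefghij1",
                 "Mary_had_a_little_lamb_whose_fleece_was_white_as_snow"):
        print(cand, check_password(cand), round(brute_force_bits(cand), 1))
        print(cand, check_password(cand, KNOWN_PHRASES))
```

The passphrase from the reply fails every tier (no digit) but passes the 40-character rule, and the naive estimate gives it several times the bits of an 11-character tier9 password; passing the same string with the denylist shows the other side of that comparison.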