I know at one point I was forced to change my FAS password. I don't know how it was accomplished, but it was. The message itself looks good to me. You get these two characters (not including space): +1

Darren VanBuren
==================
http://theoks.net/

On Fri, Oct 7, 2011 at 09:17, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> Greetings.
>
> Here's what I have so far on an announcement for the mass password
> change/ssh key change. Suggestions for improvement very welcome. In
> particular more resources we could point people to, or common questions
> you think people will come up with that we could answer would be great.
>
> Also, we need to decide what exactly we do to accounts that fail to
> meet the deadline. Are we just marking them inactive? Do we have any
> way to force them to change the password and upload a new key if they
> reactivate the account?
>
> kevin
> --
> DRAFT DRAFT DRAFT
> Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
>
> Summary:
>
> All existing users of the Fedora Account System (FAS) at
> https://admin.fedoraproject.org/accounts are required to change their
> password and upload a NEW ssh public key by 2011-11-30. Failure to do so
> may result in your account being marked inactive.
>
> Background and reasoning:
>
> This change event has NOT been triggered by any specific compromise or
> vulnerability in Fedora Infrastructure, rather we feel that due to the
> large number of high profile sites with security breaches in recent
> months that this is a great time for all Fedora contributors and users
> to review their security settings and move to "best practices" on their
> machines. Additionally, we are putting in place new rules for passwords
> to increase their entropy and make them less guessable.
>
> New Password Rules:
>
> * Nine or more characters with lower and upper case letters, digits and
>   punctuation marks.
> * Ten or more characters with lower and upper case letters and digits.
> * Twelve or more characters with lower case letters and digits
> * Twenty or more characters with all lower case letters.
> * No maximum length.
>
> Some Do's and Don'ts:
>
> * NEVER store your ssh private key on a shared or public system.
> * ALWAYS use a strong passphrase on your ssh key.
> * If you must store passwords, use an application specifically for this
>   purpose like revelation, gnome-keyring, seahorse, or keepassx.
> * Regularly apply your OS's security-related updates.
> * Only use ssh agent forwarding when needed ( .ssh/config:
>   "ForwardAgent no")
> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
>   "VerifyHostKeyDNS yes")
> * DO consider a separate ssh key for Fedora Infrastructure.
> * Work with and use security features like SELinux and iptables.
> * Review the Community Standard Infrastructure security document (link
>   below)
>
> Q&A:
>
> Q: My password and ssh private key are fine and secure! Can't I just
> skip this change?
>
> A: No. We very much hope everyone's password and ssh keys are fine, but
> we would like everyone to take this chance to review security and
> change things. In the event of a triggering event everyone will know
> the process.
>
> Q: Can I just change my password and re-upload my same ssh public key?
> Or upload a bogus ssh public key and then re-upload my old one?
>
> A: No. We will be checking to ensure that your ssh public key is
> different from your old one.
>
> Q: This is a hassle. How often is this going to happen?
>
> A: The last mass password change in Fedora was more than 3 years ago.
> Absent a triggering event, these mass changes will be infrequent.
>
> More reading:
>
> http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
> https://fedoraproject.org/wiki/Infrastructure_mass_password_update
>
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
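
The draft's Q&A says an uploaded ssh public key must differ from the old one, including after a bogus key is uploaded in between. The following is an added example, not part of the thread and not FAS code, of one way such a check could work: it compares fingerprints of the key material (ignoring comments and leading options) against every key the account has used before. The function names and the constructed sample keys are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def key_fingerprint(line):
    """Return the SHA256 fingerprint of the key blob in a public-key line."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(KEY_TYPES):
            continue  # skip any leading options before the key type
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("key data is not valid base64")
        if len(blob) < 4:
            raise ValueError("key data is too short")
        # The blob starts with a length-prefixed copy of the key type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n].decode("ascii", "replace") != tok:
            raise ValueError("declared key type does not match key data")
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found")

def accept_new_key(uploaded_line, previous_fingerprints):
    """Accept an upload only if its key material was never used on the account.

    previous_fingerprints holds every earlier key, not just the current one,
    so uploading a throwaway key and then the old key again is still refused.
    """
    fp = key_fingerprint(uploaded_line)
    return fp not in previous_fingerprints, fp

def constructed_key(key_type, body, comment):
    # Constructed sample: syntactically valid, but not a real key.
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    old = constructed_key("ssh-rsa", b"\x01" * 32, "me@laptop")
    history = {key_fingerprint(old)}
    relabelled = constructed_key("ssh-rsa", b"\x01" * 32, "new-key@laptop")
    fresh = constructed_key("ssh-ed25519", b"\x02" * 32, "me@laptop")
    print(accept_new_key(relabelled, history))  # refused: same key material
    print(accept_new_key(fresh, history))       # accepted
```
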