On Mon, 10 Oct 2011 09:00:11 -0700 Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:

> I think that marking inactive will work for the password change (with
> the password strength hotfix, we also no longer accept the same
> password as the user last had). (Off by one we can't catch though:
> old: "mustang1977" this would still be accepted: "mustang1978")

So, when someone is 'inactive' they can log in with their old password, but it will ask them to change it then?

> New ssh key won't be caught by fas but if they repeatedly re-enable
> without uploading a new ssh key, we can mark their account
> admin_disabled so they have to talk to us.

Yeah, we can continue to run checks periodically I guess.

> Do we want to mention the specific rationale for changing both
> passwords and ssh keys? 1) the recent compromised sites were Linux
> related. 2) as far as disclosed the sites were attacked via
> compromised accounts. 3) we have no way of knowing if any of our
> users/contributors had accounts on those sites and used the same
> password/ssh key with agent forwarding/uploaded a private key there.

yeah, we can... let me see if I can figure out how to word that/add it, and I will send a new draft out in a few.

kevin
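The "off by one" case Toshio describes (old "mustang1977", new "mustang1978" accepted by a plain equality check) is what a similarity check at password-change time is meant to catch. The following is an added example, not code from this thread or from FAS; the edit-distance threshold of 3 and the rejection reasons are assumptions, and the check only works where the user supplies the old cleartext password at change time, since a stored hash cannot be compared for similarity.

```python
# Added example (not Fedora Account System code): a password-change check that
# rejects a new password that is too close to the old one, including the
# "off by one" case from the thread that a simple new == old test misses.
import re
from typing import Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_digits(pw: str) -> str:
    """Remove every digit run, so 'mustang1977' and 'mustang1978' compare equal."""
    return re.sub(r"\d+", "", pw)


def rejects_new_password(old: str, new: str, min_distance: int = 3) -> Optional[str]:
    """Return a rejection reason, or None if the change is acceptable.

    Requires the old cleartext password, which the user supplies during a
    change; it cannot be recovered from the stored hash.  min_distance is an
    assumed policy value, not one taken from the thread.
    """
    if new == old:
        return "same as previous password"
    if new.lower() == old.lower():
        return "differs from previous password only in letter case"
    # Catches the thread's example: same letters, only the trailing number moved.
    if strip_digits(new) and strip_digits(new).lower() == strip_digits(old).lower():
        return "differs from previous password only in digits"
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return "too similar to previous password"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for old, new in [("mustang1977", "mustang1977"), ("mustang1977", "mustang1978"),
                     ("mustang1977", "Mustang1977"), ("mustang1977", "mustang!977"),
                     ("mustang1977", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {rejects_new_password(old, new) or 'accepted'}")
```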