Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

On Wed, 2011-10-12 at 10:53 -0700, Adam Williamson wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
> 
> > I have no problem with changing the password, but leave my ssh keys
> > alone, unless there is a real reason to ask people to change them.
> 
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

And forcing a key change improves the situation exactly how?

If a key is compromised, it is because the attacker has access to the
compromised key, which, reasonably, means that new keys will be as
compromised if they are being used on the same system as before.

OTOH with a massive key change you have no reasonable way to monitor
suspicious key replacement activity. Remember that ssh keys can be
uploaded by simply knowing the FAS account password which is arguably
much simpler to snatch as we have many systems that require such
passwords in various different ways.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

