On Wed, Oct 12, 2011 at 7:01 PM, drago01 <drago01@xxxxxxxxx> wrote: > On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote: >> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: >> >>> I have no problem with changing the password, but leave my ssh keys >>> alone, unless there is a real reason to ask people to change them. >> >> Reading between the lines of recent attacks, it seems likely that >> private keys compromised in some of the attacks were used to perform >> others. (No-one's come out and officially said this yet but it seems >> pretty obvious from the subtext of some of the reports; I'm thinking >> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that >> some people may have used the same identities on some of the other >> compromised systems as they are using on FAS, and hence it seems pretty >> reasonable to require this change. > > Not really unless there is any evidence pointing towards that > direction it is just paranoia. > Given the number of FAS account you can pretty much always assume that > some account may be compromised but that's not enough to warrant any > action. By that logic we should be changing keys daily .... And people are complaining about the fact that the last time it happened was 3 years ago. At work I have to do it every 60 days. Peter -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
