On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote: > > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: > >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: > >> > On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote: > >> > > All existing users of the Fedora Account System (FAS) at > >> > > https://admin.fedoraproject.org/accounts are required to change > >> their > >> > > password and upload a NEW ssh public key before 2011-11-30. > >> > > >> > I have to upload a *new* public key? Why should I have two sets of > >> keys? > >> > >> Meant 'replacement'. You can only have one key in FAS, afaict. > > > > > > You can have more than one. Just paste them in place all together. > > > > > > And we're verifying key changes by checking the fingerprint of the > > pubkeys vs your prior ones. > > It's really not a huge hassle. I've already done it. I configured the > .ssh/config files where I needed to, and it doesn't conflict with any > other keys I have. I don't get what the big deal is. The disruption is, > like, five minutes of work. The potential benefit is unknown, but > certainly not zero. > > Why wait for a breach to do this? This is a perfect time. Doing it > after the 2008 breach was wise. This is better. A breach won't compromise my actual keys even if it happened now or a year ago. Plus there are limitations on how many keys (and passpharases I can remember, especially for stuff I use less often). Plus there are limitation about how many keys ssh/ssh-agent can use before failing to log you in no matter what. Compound all this. Simo. -- Simo Sorce * Red Hat, Inc * New York -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
