> On Wed, 2011-10-12 at 13:25 -0500, Jon Ciesla wrote:
>> > On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
>> >> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
>> >> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> >> >> > On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> >> >> > > All existing users of the Fedora Account System (FAS) at
>> >> >> > > https://admin.fedoraproject.org/accounts are required to change their
>> >> >> > > password and upload a NEW ssh public key before 2011-11-30.
>> >> >> >
>> >> >> > I have to upload a *new* public key? Why should I have two sets of keys?
>> >> >>
>> >> >> Meant 'replacement'. You can only have one key in FAS, afaict.
>> >> >
>> >> > You can have more than one. Just paste them in place all together.
>> >> >
>> >> > And we're verifying key changes by checking the fingerprint of the
>> >> > pubkeys vs your prior ones.
>> >>
>> >> It's really not a huge hassle. I've already done it. I configured the
>> >> .ssh/config files where I needed to, and it doesn't conflict with any
>> >> other keys I have. I don't get what the big deal is. The disruption is,
>> >> like, five minutes of work. The potential benefit is unknown, but
>> >> certainly not zero.
>> >>
>> >> Why wait for a breach to do this? This is a perfect time. Doing it
>> >> after the 2008 breach was wise. This is better.
>> >
>> > A breach won't compromise my actual keys even if it happened now or a
>> > year ago.
>>
>> Unless the breach alters a package that gets pushed to your machine and
>> snarfs your keys. </devilsadvocate>
>
> That's possible, at which point I will have to change all my keys.
> But unless the machine is reinstalled first, it will make no difference,
> new keys will be snarfed again as soon as they are created.
>
>> > Plus there are limitations on how many keys (and passphrases I can
>> > remember, especially for stuff I use less often).
>>
>> keepassx.
>
> By rule ssh and gpg key passphrases exist only in my memory.
> No chance of writing them down.
>
>> > Plus there are limitations about how many keys ssh/ssh-agent can use
>> > before failing to log you in no matter what.
>>
>> If your client config knows what key to use for what host, and you know
>> the password, I fail to see the problem. Plus, you could have multiple
>> keys, all with the same passphrase, for different things, should you so
>> desire.
>
> Using the same passphrase for different keys is the same as using the
> same password for different websites. If I am protecting the keys the
> same way I can as well use the same keys everywhere, unless projects set
> up insane rules about how to handle my own keys.

I wasn't suggesting it was a good idea, I was suggesting that it was a
tradeoff one could make in favor of convenience. I don't, personally.

-J

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
in your fear, seek only peace
in your fear, seek only love

-d. bowie

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
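Two technical points run through the thread: Jon's remark that a client config which "knows what key to use for what host" makes a replacement key painless, and Simo's point that ssh/ssh-agent stops logging you in once it has too many keys to offer. The script below is an added example and is not code from the thread or from Fedora infrastructure. It writes the kind of per-host `~/.ssh/config` fragment Jon describes, pins exactly one key per host with `IdentitiesOnly` (which is what stops ssh from offering every agent-loaded key and running into the server's authentication-attempt limit, `MaxAuthTries`, 6 by default in OpenSSH), and prints the fingerprint of the replacement key so it can be compared with what FAS shows after upload. The host names, the user name and the key file names are placeholders, not real Fedora values.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Host names, user name
# and key file names below are placeholders.

# Write a client config fragment that pins one key to one host alias.
# "IdentitiesOnly yes" makes ssh offer only the listed IdentityFile rather
# than every key loaded in ssh-agent, so a large agent keyring no longer
# exhausts the server's MaxAuthTries before the right key is tried.
write_ssh_config() {
    cat > "$1" <<'EOF'
# replacement key for the Fedora account (placeholder names)
Host fedora
    HostName fedora.example.org
    User fasusername
    IdentityFile ~/.ssh/id_fedora_2011
    IdentitiesOnly yes

# an unrelated host keeps its own, older key
Host work
    HostName work.example.org
    IdentityFile ~/.ssh/id_work
    IdentitiesOnly yes
EOF
}

# Resolve which IdentityFile the config assigns to a host alias.
# A plain walk over exact "Host" blocks; wildcard patterns are out of scope.
# Prints nothing for an alias that has no block.
identity_for() {
    awk -v want="$2" '
        $1 == "Host"                    { inblock = ($2 == want) }
        inblock && $1 == "IdentityFile" { print $2; exit }
    ' "$1"
}

# Generate the replacement key and print its fingerprint, which is the value
# to compare against the key FAS displays after upload. ssh-keygen prompts
# for the passphrase interactively, so it never appears on a command line.
# Needs ssh-keygen; not exercised by the automated check.
rotate_key() {
    ssh-keygen -t rsa -b 4096 -f "$1" -C "fedora-$(date +%Y-%m-%d)" >/dev/null
    ssh-keygen -lf "$1.pub"
}

# Demonstration when run directly: DEMO=1 sh rotate.sh
if [ "${DEMO:-}" = 1 ]; then
    write_ssh_config ./demo_ssh_config
    printf 'key for fedora: %s\n' "$(identity_for ./demo_ssh_config fedora)"
    rotate_key ./id_fedora_2011
fi
```

With this in place, `ssh fedora` presents only `id_fedora_2011`, and adding a further key for another project means adding another `Host` block rather than loading yet another key into the agent for every connection.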