> Wed 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote:
>
>> If you can't change your token, then I would posit you have a problem.
>> What if you KNEW your private key was compromised? Surely there is a
>> way to generate a new one...
>
> I can change it, but it means changing it for all systems I access using
> that SSH token, not only Fedora. And as hard token keys are not easily
> compromised without the token as such being stolen it's not something
> you normally do.

Well, no, actually it just means you just need to use a different key
for Fedora. There's no reason you can't keep using that key everywhere
else you're using it.

-J

> A compromise of the hard token key without the token as such being
> stolen together with the access code would require a bruteforce of the
> RSA key in question.
>
>> Please feel free to jump in and help code such changes. :)
>> We are an open source infrastructure and I'm sure patches and ideas even
>> would be welcome.
>
> Point taken. And something I have been considering many times but not gotten
> the whole way to doing. Getting there is quite far away for someone not
> already working on the infrastructure.
>
> The tools needed already exist. The question is how to get the
> infrastructure to use them.
>
>> > But even then, the security of Fedora accounts is no stronger than the
>> > security of the email associated with an account. Quite pointless to
>> > try to bolster the security very high when all that is needed to take
>> > over a standard Fedora account is to have access to the email
>> > (account or traffic) of the Fedora account. Sure, a full account
>> > takeover is more likely to get noticed than a stolen password, but it
>> > still sets the level of expected security.
>>
>> Yeah, ideally we would do more here with gpg.
>
> Yes. Once there is a GPG or SSH key installed in the FAS account then
> those should take preference over the email as "account owner key", and
> resetting the account should not be possible with a plain text email
> alone. If the GPG and SSH keys are both lost then administrator action
> should be needed to reset the account and verifying credibility of the
> account owner.
>
> Regards
> Henrik
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel

--
in your fear, seek only peace
in your fear, seek only love

-d. bowie