On 10/12/11 19:53, Adam Williamson wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>
>> I have no problem with changing the password, but leave my ssh keys
>> alone, unless there is a real reason to ask people to change them.
>
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

I don't think so.

People who have found their system compromised have most likely already
replaced all the ssh keys -> fine.

People who have not been compromised can continue to use the old keys
without problems.

For people who are compromised but didn't notice (and are thus still
running a compromised system), the key change does not buy much, as the
new keys will likely be compromised too.

cheers,
Gerd