On Thu, Oct 13, 2011 at 09:14:46AM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote:
> > 2) We've found PRIVATE keys on our servers
>
> By all means educate these users with a large clue-stick.
>

The problem is this: Fedora contributors are a group of technically minded people that we think should know better. Fedora contributors in the sysadmin groups (needed to have shells on these machines) are an even more technically and security minded group that should know even better. Yet that select group of people are making a very bad mistake.

We can (and have) identified these people and hit them with the clue stick. What we cannot do is audit kernel.org, linux.com, etc., and find out which technically minded users that we have in common made a similar mistake on their systems, and then hit *them* with a cluestick.

Which is not to place blame on those other sites for withholding information; we've never revealed similar information. Debian didn't reveal that level of information after their intrusion either. But what does that lack of information leave us with? A whole lot of ssh keys that may or may not have had their private keys on a compromised host, with no way of telling who's who. We don't even know if one of the keys was known to have been used in the kernel.org and linux.com compromises. If the users in question are on a long hiatus from Fedora work, those keys might never be changed even if the user has been hit with a cluestick on kernel.org.

So what are our admins to do?

1) We could ignore the issue. We have a lot of contributors. Maybe we should just expect that some of their accounts are going to be compromised.

2) We could require everyone to change keys.

3) You might have the information necessary to get us a list of our users whose accounts or keys were potentially compromised on other people's systems. If so, it might be reasonable to filter for just those people.
OTOH, if someone is out there purposefully targeting open source sites, perhaps too much caution is better than too little.

-Toshio
Attachment: pgpgirwNEwRbP.pgp (PGP signature)
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
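The cross-check that option 3 asks for, as an added example that is not part of the original thread and not Fedora infrastructure code: given a list of key fingerprints another site reports as having been exposed on a compromised host, find which local accounts' authorized_keys entries match, and, for the "private keys on our servers" finding, flag files under home directories that carry private-key headers. The user names, keys and file contents are constructed in-line (the ed25519 points are not real keys), and the compromised-fingerprint list stands in for what kernel.org or linux.com admins would supply.

```python
"""
Audit helpers for an ssh-key compromise response (added example, not
project code). Two checks:
  1. which accounts' authorized_keys entries match fingerprints reported as
     exposed on a compromised host (the "filter for just those people" case),
  2. whether any file under a home directory is a private key.
All inputs are constructed here so the script runs offline.
"""
import base64
import hashlib
import struct

# Headers that identify private key files (OpenSSH, PEM, PuTTY).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"PuTTY-User-Key-File-",
)


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys line, in the form
    `ssh-keygen -lf` prints: SHA256:<unpadded base64 of sha256(key blob)>.
    Leading options (from=..., no-pty) are skipped by looking for the key
    type token. Assumption: options contain no whitespace inside quotes."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key material in line: %r" % pubkey_line)


def _fake_ed25519_pubkey(seed: int) -> str:
    """Constructed test data: a syntactically valid ssh-ed25519 public key
    whose 32-byte point is just a repeated byte, not a real key."""
    point = bytes([seed]) * 32
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed per-user authorized_keys contents.
USERS = {
    "alice": [_fake_ed25519_pubkey(1) + " alice@laptop"],
    "bob": ['from="10.0.0.0/8" ' + _fake_ed25519_pubkey(2) + " bob@work"],
    "carol": ["# old key", _fake_ed25519_pubkey(3) + " carol@desk"],
}

# Constructed: fingerprints a peer site reported as exposed on its
# compromised host.
COMPROMISED = {fingerprint(_fake_ed25519_pubkey(2))}


def users_with_compromised_keys(users, compromised):
    """Map user -> list of matching fingerprints; only those users need a
    forced key change under option 3. Blank and comment lines are ignored."""
    hits = {}
    for user, lines in users.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            fp = fingerprint(line)
            if fp in compromised:
                hits.setdefault(user, []).append(fp)
    return hits


def looks_like_private_key(data: bytes) -> bool:
    """True if the first KiB of a file carries a private-key header."""
    head = data[:1024]
    return any(marker in head for marker in PRIVATE_KEY_MARKERS)


# Constructed stand-in for a walk over /home on a shell server.
HOME_FILES = {
    "/home/alice/.ssh/id_ed25519.pub": b"ssh-ed25519 AAAA alice@laptop\n",
    "/home/alice/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl\n",
    "/home/bob/notes.txt": b"rotate keys after the kernel.org incident\n",
    "/home/carol/.ssh/authorized_keys": USERS["carol"][1].encode() + b"\n",
}


def private_keys_on_host(files):
    """Paths whose contents look like a private key (option 2 evidence)."""
    return sorted(path for path, data in files.items()
                  if looks_like_private_key(data))


if __name__ == "__main__":
    for user, fps in users_with_compromised_keys(USERS, COMPROMISED).items():
        print("force key rotation:", user, fps)
    for path in private_keys_on_host(HOME_FILES):
        print("private key on shared host:", path)
```

On a real host the `HOME_FILES` dictionary would be replaced by an `os.walk` over `/home` and `USERS` by each account's `~/.ssh/authorized_keys` (or the account system's key export); the matching logic is unchanged. Fingerprints computed this way agree with `ssh-keygen -lf` on the same public key, so a list exchanged between sites needs to carry only fingerprints, not user names or key material.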