FW: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----- Forwarded message from Kevin Fenzi <kevin@xxxxxxxxx> -----

Date: Wed, 12 Oct 2011 10:44:40 -0600
From: Kevin Fenzi <kevin@xxxxxxxxx>
To: announce@xxxxxxxxxxxxxxxxxxxxxxx, devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
X-Mailer: Claws Mail 3.7.10 (GTK+ 2.24.6; x86_64-redhat-linux-gnu)

Summary: 

All existing users of the Fedora Account System (FAS) at 
https://admin.fedoraproject.org/accounts are required to change their 
password and upload a NEW ssh public key before 2011-11-30. 
Failure to do so may result in your account being marked inactive. 
Passwords changed and NEW ssh public keys uploaded after 2011-10-10 
will meet this requirement. 

Background and reasoning: 

This change event has NOT been triggered by any specific compromise or 
vulnerability in Fedora Infrastructure. Rather, we believe, due to the 
large number of high profile sites with security breaches in recent
months, that this is a great time for all Fedora contributors and users
to review their security settings and move to "best practices" on their
machines. Additionally, we are putting in place new rules for passwords
to make them harder to guess. 

New Password Rules: 

* Nine or more characters with lower and upper case letters, digits and
  punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits.
* Twenty or more characters with all lower case letters. 
* No maximum length. 

Some Do's and Don'ts: 

* NEVER store your ssh private key on a shared or public system. 
* ALWAYS use a strong passphrase on your ssh key. 
* If you must store passwords, use an application specifically for this
  purpose like revelation, gnome-keyring, seahorse, or keepassx. 
* Regularly apply your operating system's security related updates. 
* Only use ssh agent forwarding when needed (.ssh/config:
  "ForwardAgent no").
* DO verify ssh host keys via DNSSEC-protected DNS (.ssh/config:
  "VerifyHostKeyDNS yes").
* DO consider a separate ssh key for Fedora Infrastructure.
* Work with and use security features like SELinux and iptables. 
* Review the Community Standard Infrastructure security document (link
  below)

Q&A:

Q: My password and ssh private key are fine and secure! 
Can't I just skip this change?

A: No. We believe the new guidelines above provide an added measure of
security compared to the previous requirements.  We want all users of
our infrastructure to follow the new guidelines to improve one aspect
of security across the systems they share.  Awareness is also an
aspect of good security.  By requiring these changes, we also hope to
maintain and improve awareness of the process for changing passwords
and keys.

Q: Can I just change my password and re-upload my same ssh public key? 
Or upload a bogus ssh public key and then re-upload my old one?

A: No. We've installed safeguards to ensure that your new ssh public
key is different from your old one. Additionally, some of our
contributors may have had accounts on compromised high profile Linux
sites recently, and we want to make sure no ssh private keys or
passwords used in Fedora Infrastructure were obtained via those
incidents. 

Q: This is a hassle. How often is this going to happen?

A: The last mass password change in Fedora was more than 3 years ago.
Absent a triggering event, these mass changes will be infrequent. 

Q: The new password length requirements/rules are too strict.
How will I remember passwords that are that long?

A: You can employ a password storage application (see above), or 
use a method like diceware (see below), or construct a memorable
sentence or phrase. 

Q: How do I generate a new ssh key? How do I use it for just Fedora
hosts?

A: See http://fedoraproject.org/wiki/Cryptography and use a
~/.ssh/config file to match fedoraproject.org hosts for that key. 

Q: I never uploaded an ssh key to the Fedora Account System, nor am I 
in a group that needs one, do I still have to upload a new one?

A: No. If you don't have an ssh public key uploaded or desire to do so, 
you can just change your password. 

More reading:

http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
https://fedoraproject.org/wiki/Infrastructure_mass_password_update
http://xkcd.com/936/
http://www.iusmentis.com/security/passphrasefaq/
http://world.std.com/~reinhold/diceware.html
http://fedoraproject.org/wiki/Cryptography



- -- 
announce mailing list
announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/announce


- ----- End forwarded message -----
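The password rules quoted in the announcement, written out as a POSIX sh check. This is an added example, not code from the announcement or from the Fedora Account System; it reads the four rules as "the minimum length depends on how many character classes the password uses" (four classes: 9, three: 10, two: 12, one: 20), which is an assumption about how FAS applies them, and it treats any non-alphanumeric character, including space, as punctuation.

```shell
#!/bin/sh
# Added example, not part of the Fedora announcement or of FAS itself.
# Assumption: the rules are applied by counting distinct character classes
# (lower, upper, digit, punctuation) and mapping that count to a minimum
# length: 4 -> 9, 3 -> 10, 2 -> 12, 1 -> 20. Any non-alphanumeric character
# counts as punctuation here.

# password_classes PASSWORD
# Print how many of the four character classes PASSWORD contains (0-4).
password_classes() {
    pw=$1
    classes=0
    # Patterns in "case" are not globbed or word-split, so $pw is safe here.
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    printf '%s\n' "$classes"
}

# fas_min_length PASSWORD
# Print the minimum length required for PASSWORD's mix of classes.
# Returns 1 (and prints 0) for an empty password, which has no classes.
fas_min_length() {
    case $(password_classes "$1") in
        4) printf '%s\n' 9 ;;
        3) printf '%s\n' 10 ;;
        2) printf '%s\n' 12 ;;
        1) printf '%s\n' 20 ;;
        *) printf '%s\n' 0; return 1 ;;
    esac
}

# fas_password_ok PASSWORD
# Return 0 if PASSWORD meets the rules, 1 if it does not.
fas_password_ok() {
    pw=$1
    min=$(fas_min_length "$pw") || return 1
    # ${#pw} counts characters; there is no maximum length.
    [ "${#pw}" -ge "$min" ]
}

# Usage: fas_password_ok 'correcthorsebatterystaple' && echo ok
```

Note that the check says nothing about guessability beyond length and class mix: a 20-character all-lower-case password passes even if it is a well-known phrase, which is why the announcement also points at diceware and password managers.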
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
-- 
docs mailing list
docs@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: 
https://admin.fedoraproject.org/mailman/listinfo/docs
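The ~/.ssh/config arrangement the announcement recommends (a separate key used only for Fedora hosts, agent forwarding off, host keys verified through DNSSEC), as an added shell example that is not from the announcement or from Fedora Infrastructure. The key path ~/.ssh/id_fedora and the host pattern *.fedoraproject.org are illustrative assumptions; the second function audits an existing config for "ForwardAgent yes" set globally, which is the setting the "only when needed" advice warns about.

```shell
#!/bin/sh
# Added example, not Fedora Infrastructure's own code.
# Assumptions: the dedicated key is ~/.ssh/id_fedora and the hosts that need
# it all match *.fedoraproject.org. Generate the key separately, with a
# passphrase, for example: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_fedora

# write_fedora_stanza CONFIG_FILE
# Append a Host block for Fedora hosts to CONFIG_FILE (created if absent).
# Options inside a Host block apply only to matching hosts; options above
# the first Host/Match line apply to every connection.
write_fedora_stanza() {
    cfg=$1
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<'EOF'

# Fedora Infrastructure: dedicated key, no agent forwarding, DNSSEC host keys
Host *.fedoraproject.org
    IdentityFile ~/.ssh/id_fedora
    IdentitiesOnly yes
    ForwardAgent no
    VerifyHostKeyDNS yes
EOF
    chmod 600 "$cfg"
}

# stanza_option CONFIG_FILE HOST_PATTERN KEYWORD
# Print KEYWORD's value inside the Host block whose (single) pattern is
# HOST_PATTERN; prints nothing if the block or keyword is absent.
stanza_option() {
    awk -v want="$2" -v kw="$3" '
        BEGIN { kw = tolower(kw) }
        tolower($1) == "host"  { inblock = ($2 == want); next }
        tolower($1) == "match" { inblock = 0; next }
        inblock && tolower($1) == kw { print $2; exit }
    ' "$1"
}

# global_forward_agent CONFIG_FILE
# Return 0 if "ForwardAgent yes" appears before any Host/Match block, i.e.
# agent forwarding is enabled for every host; return 1 otherwise.
global_forward_agent() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "host" || key == "match" { inblock = 1 }
        !inblock && key == "forwardagent" && val == "yes" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage:
#   write_fedora_stanza "$HOME/.ssh/config"
#   global_forward_agent "$HOME/.ssh/config" && echo "agent forwarding is on globally"
```

IdentitiesOnly yes is what actually keeps the key separate: without it, ssh offers every key loaded in the agent to every host, so a compromised Fedora host could still observe (and a malicious one could probe) the public keys you use elsewhere.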

