Proposal for action: SSH Key, User Cert and Password Flag Day

Kevin Fenzi kevin at scrye.com
Mon Sep 12 16:40:46 UTC 2011


On Mon, 12 Sep 2011 11:02:01 -0400
seth vidal <skvidal at fedoraproject.org> wrote:

> Given recent events in the linux-y world I think it might do us a
> service to impose an ssh-key, user cert and password enforced change
> flag day.
> 
> The idea would be everyone would be required to change their
> passwords, ssh keys and any user certs they have before being allowed
> to do anything else on our systems.
> 
> Anyone failing to change them would be locked out after a specific
> date.
> 
> In particular I would like to make sure that ssh keys get changed - so
> much so that I would want to keep a copy of the existing ssh keys and
> verify that the new one does not match the old one before allowing it
> to be used.
> 
> I'd like to discuss the efficacy and timing of this. If anyone has
> perspective that is helpful, please share it.
> 
> I think this should be done soon, personally.

Some random thoughts/considerations: 

* We could also change fas password requirements at this time. 
We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
where we agreed with: 

- Nine or more characters with lower and upper case letters, digits and
  punctuation marks.

- Ten or more characters with lower and upper case letters and digits.

- Twelve or more characters with lower case letters and digits.

* user certs and passwords are pretty quick and easy to change. Some
  people may object to ssh keys being changed, so I think we need to
  present clear reasoning on it. Perhaps: 

"While your ssh private key is hopefully secure, we would like you to
take this chance to generate a new one and review your passphrase, key
size and type and consider a separate key for fedora access. In the
event your old private key was transferred or backed up to a system you
may no longer realize it's still stored on, a new private key will
allow you to confirm and review its setup and storage."

* We may have some users who have email on the affected systems (i.e.,
  kernel.org, linux.com, etc). Should we wait for those systems to be
  back up before taking action? They should be able to login and change
  their email in fas, but they may be unaware of the need to do so. 

* For timing, we want to make sure this won't affect maintainers too
  much working on the release. Perhaps the deadline should be F16
  release? or is that too far out? 

* We could also be more strict with all users in the 'sysadmin*'
  groups perhaps. I.e., a shorter timeline for them to change things. Or
  make them the only group that's required to change and just suggest to
  other groups they do so. 

* Users who fail to meet the deadline would be marked 'inactive'? What
  would they need to do to re-activate? Just login and upload a new
  key/change password? 

* How many users do we have with ssh keys uploaded?

kevin
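
Added example, not part of the original message and not FAS code: one way to implement the "new key must not match the old one" check from the quoted proposal, comparing decoded key material rather than the uploaded text, so that changing only the comment or options does not pass as a new key. The function names, the SHA-256 fingerprint store and the sample keys are assumptions made for illustration.

```python
import base64
import hashlib

# Key type names that can introduce the key field of an OpenSSH public key line.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def key_blob(line):
    """Return the decoded key bytes from one OpenSSH public key line.

    Leading options and the trailing comment are ignored, so editing either
    one does not make an old key look like a new one.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # looked like a key type, but no key data followed it
        # The blob opens with a length-prefixed copy of the key type name.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == field.encode():
            return blob
    raise ValueError("no usable public key in line")

def fingerprint(line):
    """Hex SHA-256 of the key material; enough to store for the old keys."""
    return hashlib.sha256(key_blob(line)).hexdigest()

def is_rotated(old_fingerprints, new_line):
    """True only if the uploaded key matches none of the user's old keys."""
    return fingerprint(new_line) not in set(old_fingerprints)

def sample_line(seed, comment):
    """Constructed sample: 32 hash bytes standing in for an Ed25519 public key."""
    name, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = len(name).to_bytes(4, "big") + name + len(raw).to_bytes(4, "big") + raw
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

if __name__ == "__main__":
    old = sample_line(b"old key", "user@laptop")
    stored = [fingerprint(old)]
    # Same key material re-uploaded with an option and a different comment.
    relabelled = "no-pty " + old.rsplit(" ", 1)[0] + " user@new-laptop"
    print("relabelled old key accepted:", is_rotated(stored, relabelled))
    print("fresh key accepted:", is_rotated(stored, sample_line(b"new key", "user@laptop")))
```
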