<br><br><div class="gmail_quote">2011/10/14 Kévin Raymond <span dir="ltr"><<a href="mailto:shaiton@fedoraproject.org">shaiton@fedoraproject.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Bonjour à tous,<br>
<br>
Cette annonce circule mais au cas ou vous ne suiviez pas d'autres<br>
listes, je vous la transmet.<br>
Elle ne concerne que ceux d'entre-vous qui disposent d'un compte FAS<br>
(Fedora Account System).<br>
En gros, si vous avez un compte là : <a href="https://admin.fedoraproject.org/accounts" target="_blank">https://admin.fedoraproject.org/accounts</a><br>
<br>
Il vous faudra modifier votre mot de passe avant la fin novembre.<br>
Si vous ne le faites pas, votre compte sera désactivé et l'alias email<br>
@<a href="http://fedoraproject.org" target="_blank">fedoraproject.org</a> ne sera plus valide (je suppose).<br>
<br>
<br>
Cdt,<br>
<br>
<br>
---------- Forwarded message ----------<br>
From: Kevin Fenzi <<a href="mailto:kevin@scrye.com">kevin@scrye.com</a>><br>
Date: Wed, Oct 12, 2011 at 6:44 PM<br>
Subject: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30<br>
To: <a href="mailto:announce@lists.fedoraproject.org">announce@lists.fedoraproject.org</a>, <a href="mailto:devel-announce@lists.fedoraproject.org">devel-announce@lists.fedoraproject.org</a><br>
<br>
<br>
Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30<br>
<br>
Summary:<br>
<br>
All existing users of the Fedora Account System (FAS) at<br>
<a href="https://admin.fedoraproject.org/accounts" target="_blank">https://admin.fedoraproject.org/accounts</a> are required to change their<br>
password and upload a NEW ssh public key before 2011-11-30.<br>
Failure to do so may result in your account being marked inactive.<br>
Passwords changed and NEW ssh public keys uploaded after 2011-10-10<br>
will meet this requirement.<br>
<br>
Backgound and reasoning:<br>
<br>
This change event has NOT been triggered by any specific compromise or<br>
vulnerability in Fedora Infrastructure. Rather, we believe, due to the<br>
large number of high profile sites with security breaches in recent<br>
months, that this is a great time for all Fedora contributors and users<br>
to review their security settings and move to "best practices" on their<br>
machines. Additionally, we are putting in place new rules for passwords<br>
to make them harder to guess.<br>
<br>
New Password Rules:<br>
<br>
* Nine or more characters with lower and upper case letters, digits and<br>
punctuation marks.<br>
* Ten or more characters with lower and upper case letters and digits.<br>
* Twelve or more characters with lower case letters and digits<br>
* Twenty or more characters with all lower case letters.<br>
* No maximum length.<br>
<br>
Some Do's and Don'ts:<br>
<br>
* NEVER store your ssh private key on a shared or public system.<br>
* ALWAYS use a strong passphrase on your ssh key.<br>
* If you must store passwords, use an application specifically for this<br>
purpose like revelation, gnome-keyring, seahorse, or keepassx.<br>
* Regularly apply your operating system's security related updates.<br>
* Only use ssh agent forwarding when needed ( .ssh/config:<br>
"ForwardAgent no")<br>
* DO verify ssh host keys via dnssec protected dns. ( .ssh/config:<br>
"VerifyHostKeyDNS yes")<br>
* DO consider a seperate ssh key for Fedora Infrastructure.<br>
* Work with and use security features like SELinux and iptables.<br>
* Review the Community Standard Infrastructure security document (link<br>
below)<br>
<br>
Q&A:<br>
<br>
Q: My password and ssh private key are fine and secure!<br>
Can't I just skip this change?<br>
<br>
No. We believe the new guidelines above provide an added measure of<br>
security compared to the previous requirements. We want all users of<br>
our infrastructure to follow the new guidelines to improve one aspect<br>
of security across the systems they share. Awareness is also an<br>
aspect of good security. By requiring these changes, we also hope to<br>
maintain and improve awareness of the process for changing passwords<br>
and keys.<br>
<br>
Q: Can I just change my password and re-upload my same ssh public key?<br>
Or upload a bogus ssh public key and then re-upload my old one?<br>
<br>
A: No. We've installed safeguards to ensure that your new ssh public<br>
key is different from your old one. Additionally, some of our<br>
contributors may have had accounts on compromised high profile Linux<br>
sites recently, and we want to make sure no ssh private keys or<br>
passwords used in Fedora Infrastructure were obtained via those<br>
incidents.<br>
<br>
Q: This is a hassle. How often is this going to happen?<br>
<br>
A: The last mass password change in Fedora was more than 3 years ago.<br>
Absent a triggering event, these mass changes will be infrequent.<br>
<br>
Q: The new password length requirements/rules are too strict.<br>
How will I remember passwords that are that long?<br>
<br>
A: You can employ a password storage application (see above), or<br>
use a method like diceware (see below), or construct a memorable<br>
sentence or phrase.<br>
<br>
Q: How do I generate a new ssh key? How do I use it for just Fedora<br>
hosts?<br>
<br>
A: See <a href="http://fedoraproject.org/wiki/Cryptography" target="_blank">http://fedoraproject.org/wiki/Cryptography</a> and use a<br>
~/.ssh/config file to match <a href="http://fedoraproject.org" target="_blank">fedoraproject.org</a> hosts for that key.<br>
<br>
Q: I never uploaded a ssh key to the Fedora Account System, nor am I<br>
in a group that needs one, do I still have to upload a new one?<br>
<br>
A: No. If you don't have a ssh public key uploaded or desire to do so,<br>
you can just change your password.<br>
<br>
More reading:<br>
<br>
<a href="http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/" target="_blank">http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/</a><br>
<a href="https://fedoraproject.org/wiki/Infrastructure_mass_password_update" target="_blank">https://fedoraproject.org/wiki/Infrastructure_mass_password_update</a><br>
<a href="http://xkcd.com/936/" target="_blank">http://xkcd.com/936/</a><br>
<a href="http://www.iusmentis.com/security/passphrasefaq/" target="_blank">http://www.iusmentis.com/security/passphrasefaq/</a><br>
<a href="http://world.std.com/%7Ereinhold/diceware.html" target="_blank">http://world.std.com/~reinhold/diceware.html</a><br>
<a href="http://fedoraproject.org/wiki/Cryptography" target="_blank">http://fedoraproject.org/wiki/Cryptography</a><br>
<br>
--<br>
announce mailing list<br>
<a href="mailto:announce@lists.fedoraproject.org">announce@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/announce" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/announce</a><br>
<font color="#888888"><br>
<br>
<br>
--<br>
Kévin Raymond<br>
User:shaiton<br>
GPG-Key: A5BCB3A2<br>
</font><br>--<br>
trans-fr mailing list<br>
<a href="mailto:trans-fr@lists.fedoraproject.org">trans-fr@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/trans-fr" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/trans-fr</a><br></blockquote></div><br><br>Merci Kevin je n'avais pas vu passer ce mail...<br>
<br>Mais, d'après l’annonce en anglais, il faut également télécharger une nouvelle clé ssh.<br><br>