On Mon, 2011-09-12 at 10:40 -0600, Kevin Fenzi wrote:
Some random thoughts/considerations:
* We could also change fas password requirements at this time.
We have:
https://fedorahosted.org/fedora-infrastructure/ticket/2804
where we agreed with:
- Nine or more characters with lower and upper case letters, digits and
punctuation marks.
- Ten or more characters with lower and upper case letters and digits.
- Twelve or more characters with lower case letters and digits.
So - I am sure I'm not the only one who does this - but how about
mandating pass PHRASES and make the minimum length be 40 characters?
Mary_had_a_little_lamb_whose_fleece_was_white_as_snow would work just
fine and should be substantially harder to crack :)
(/me is all about making friends today, apparently)
* user certs and passwords are pretty quick and easy to change. Some
people may object to ssh keys being changed, so I think we need to
present clear reasoning on it. Perhaps:
"While your ssh private key is hopefully secure, we would like you to
take this chance to generate a new one and review your passphrase, key
size and type and consider a separate key for fedora access. In the
event your old private key was transferred or backed up to a system you
may no longer realize it's still stored on, a new private key will
allow you to confirm and review it's setup and storage."
* We may have some users who have email on the affected systems (ie,
kernel.org,
linux.com, etc). Should we wait for those systems to be
back up before taking action? They should be able to login and change
their email in fas, but they may be unaware of the need to do so.
This sounds reasonable - though perhaps we should isolate that set of
users now and give their accounts an extra scouring. :)
* For timing, we want to make sure this won't affect maintainers
too
much working on the release. Perhaps the deadline should be F16
release? or is that too far out?
I'd be inclined for sooner than later but <shrug>
* We could also be more strict with all users in the 'sysadmin*'
groups perhaps. Ie, a shorter timeline for them to change things. Or
make them the only group thats required to change and just suggest to
other groups they do so.
This sounds good.
* Users who fail to meet the deadline would be marked
'inactive' ? What
would they need to do to re-activate? Just login and upload a new
key/change password?
well "login" might be hard. I suspect we just nuke their ssh keys so
they cannot login to any shell w/o first getting into the fas.
* How many users do we have with ssh keys uploaded?
3728 users on
fedorapeople.org
That's fpca + 1 group.
1776 on
fedorahosted.org - I've not checked for overlap there,
obviously.
-sv