On Mon, 10 Oct 2011 09:00:11 -0700
Toshio Kuratomi <a.badger(a)gmail.com> wrote:
> I think that marking inactive will work for the password change (with
> the password strength hotfix, we also no longer accept the same
> password as the user last had). (Off by one we can't catch though:
> old: "mustang1977" this would still be accepted: "mustang1978")
So, when someone is 'inactive' they can log in with their old password,
but it will ask them to change it then?
> New ssh key won't be caught by fas but if they repeatedly re-enable
> without uploading a new ssh key, we can mark their account
> admin_disabled so they have to talk to us.
Yeah, we can continue to run checks periodically I guess.
> Do we want to mention the specific rationale for changing both
> passwords and ssh keys? 1) the recent compromised sites were Linux
> related. 2) as far as disclosed the sites were attacked via
> compromised accounts. 3) we have no way of knowing if any of our
> users/contributors had accounts on those sites and used the same
> password/ssh key with agent forwarding/uploaded a private key there.
yeah, we can... let me see if I can figure out how to word that/add it,
and I will send a new draft out in a few.
kevin
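The "off by one" gap mentioned in the thread (an exact-match check that lets "mustang1978" replace "mustang1977") is what a near-duplicate check closes. The following is an added example written for this page, not code from FAS or the thread participants; the `max_distance` threshold and the trailing-digit rule are assumptions chosen for illustration.

```python
"""Near-duplicate password check (added example, not FAS code).

An exact-match rule against the previous password misses trivial edits
such as "mustang1977" -> "mustang1978". This check refuses a candidate
that is within a small edit distance of the old password, or that keeps
the same stem and only changes a trailing run of digits.
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(pw: str) -> str:
    """Lower-case and drop a trailing digit run: 'Mustang1977' -> 'mustang'."""
    return _TRAILING_DIGITS.sub("", pw.lower())


def too_similar(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` should be refused as a trivial edit of `old`.

    max_distance is an assumed threshold; 2 catches a bumped digit,
    a changed case and one appended symbol, which are the common
    "rotate the old password" patterns.
    """
    if old == new:
        return True
    if levenshtein(old.lower(), new.lower()) <= max_distance:
        return True
    # Same word with only the year/counter changed (e.g. 1977 -> 2011).
    stem = _stem(old)
    if stem and stem == _stem(new):
        return True
    return False
```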