Greetings.
Here's what I have so far on an announcement for the mass password change/ssh key change. Suggestions for improvement very welcome. In particular more resources we could point people to, or common questions you think people will come up with that we could answer would be great.
Also, we need to decide what exactly we do to accounts that fail to meet the deadline. Are we just marking them inactive? Do we have any way to force them to change the password and upload a new key if they reactivate the account?
kevin
--
DRAFT DRAFT DRAFT
Subject: IMPORTANT: Manditory password and ssh key change by 2011-11-30
Summary:
All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key by 2011-11-30. Failure to do so may result in your account being marked inactive.
Background and reasoning:
This change event has NOT been triggered by any specific compromise or vulnerability in Fedora Infrastructure, rather we feel that due to the large number of high profile sites with security breaches in recent months that this is a great time for all Fedora contributors and users to review their security settings and move to "best practices" on their machines. Additionally, we are putting in place new rules for passwords to increase their entropy and make them less guessable.
New Password Rules:
* Nine or more characters with lower and upper case letters, digits and punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits
* Twenty or more characters with all lower case letters.
* No maximum length.
Some Do's and Don'ts:
* NEVER store your ssh private key on a shared or public system.
* ALWAYS use a strong passphrase on your ssh key.
* If you must store passwords, use an application specifically for this purpose like revelation, gnome-keyring, seahorse, or keepassx.
* Regularly apply your OS's security related updates.
* Only use ssh agent forwarding when needed ( .ssh/config: "ForwardAgent no")
* DO verify ssh host keys via dnssec protected dns. ( .ssh/config: "VerifyHostKeyDNS yes")
* DO consider a separate ssh key for Fedora Infrastructure.
* Work with and use security features like SELinux and iptables.
* Review the Community Standard Infrastructure security document (link below)
Q&A:
Q: My password and ssh private key are fine and secure! Can't I just skip this change?
A: No. We very much hope everyone's password and ssh keys are fine, but we would like everyone to take this chance to review security and change things. In the event of a triggering event everyone will know the process.
Q: Can I just change my password and re-upload my same ssh public key? Or upload a bogus ssh public key and then re-upload my old one?
A: No. We will be checking to ensure that your ssh public key is different from your old one.
Q: This is a hassle. How often is this going to happen?
A: The last mass password change in Fedora was more than 3 years ago. Absent a triggering event, these mass changes will be infrequent.
More reading:
http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singl...
https://fedoraproject.org/wiki/Infrastructure_mass_password_update
I know at one point I was forced to change my FAS password. I don't know how it was accomplished, but it was.
The message itself looks good to me. You get these two characters (not including space): +1
Darren VanBuren
==================
http://theoks.net/
+1
Though I've got so many pubkeys already I have trouble keeping track of them... Strongly considering rebuilding one for each machine and scouring anything that doesn't match from all servers I have access to.
I use LastPass to keep track of my passwords. It's a cross-platform cross-browser password sync service. I don't know its licensing, though, so no idea if it'd be kosher to advocate it officially or not.
On Fri, Oct 07, 2011 at 10:17:35AM -0600, Kevin Fenzi wrote:
> Greetings.
> Here's what I have so far on an announcement for the mass password change/ssh key change. Suggestions for improvement very welcome. In particular more resources we could point people to, or common questions you think people will come up with that we could answer would be great.
> Also, we need to decide what exactly we do to accounts that fail to meet the deadline. Are we just marking them inactive? Do we have any way to force them to change the password and upload a new key if they reactivate the account?
I think that marking inactive will work for the password change (with the password strength hotfix, we also no longer accept the same password as the user last had). (Off by one we can't catch though: old: "mustang1977" this would still be accepted: "mustang1978")
New ssh key won't be caught by fas but if they repeatedly re-enable without uploading a new ssh key, we can mark their account admin_disabled so they have to talk to us.
Do we want to mention the specific rationale for changing both passwords and ssh keys? 1) the recent compromised sites were Linux related. 2) as far as disclosed the sites were attacked via compromised accounts. 3) we have no way of knowing if any of our users/contributors had accounts on those sites and used the same password/ssh key with agent forwarding/uploaded a private key there.
-Toshio
On Mon, 10 Oct 2011 09:00:11 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
> I think that marking inactive will work for the password change (with the password strength hotfix, we also no longer accept the same password as the user last had). (Off by one we can't catch though: old: "mustang1977" this would still be accepted: "mustang1978")
So, when someone is 'inactive' they can login with their old password, but it will ask them to change it then?
> New ssh key won't be caught by fas but if they repeatedly re-enable without uploading a new ssh key, we can mark their account admin_disabled so they have to talk to us.
Yeah, we can continue to run checks periodically I guess.
> Do we want to mention the specific rationale for changing both passwords and ssh keys? 1) the recent compromised sites were Linux related. 2) as far as disclosed the sites were attacked via compromised accounts. 3) we have no way of knowing if any of our users/contributors had accounts on those sites and used the same password/ssh key with agent forwarding/uploaded a private key there.
yeah, we can... let me see if I can figure out how to word that/add it, and I will send a new draft out in a few.
kevin
ok, after folding in changes, I have the following draft. Comments/corrections/etc welcome.
DRAFT-DRAFT-DRAFT
Subject: IMPORTANT: Manditory password and ssh key change by 2011-11-30
Summary:
All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key by 2011-11-30. Failure to do so may result in your account being marked inactive.
Background and reasoning:
This change event has NOT been triggered by any specific compromise or vulnerability in Fedora Infrastructure. Rather, we believe, due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to "best practices" on their machines. Additionally, we are putting in place new rules for passwords to increase their entropy and make them harder to guess.
New Password Rules:
* Nine or more characters with lower and upper case letters, digits and punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits
* Twenty or more characters with all lower case letters.
* No maximum length.
Some Do's and Don'ts:
* NEVER store your ssh private key on a shared or public system.
* ALWAYS use a strong passphrase on your ssh key.
* If you must store passwords, use an application specifically for this purpose like revelation, gnome-keyring, seahorse, or keepassx.
* Regularly apply your operating system's security related updates.
* Only use ssh agent forwarding when needed ( .ssh/config: "ForwardAgent no")
* DO verify ssh host keys via dnssec protected dns. ( .ssh/config: "VerifyHostKeyDNS yes")
* DO consider a separate ssh key for Fedora Infrastructure.
* Work with and use security features like SELinux and iptables.
* Review the Community Standard Infrastructure security document (link below)
Q&A:
Q: My password and ssh private key are fine and secure! Can't I just skip this change?
A: No. We believe the new guidelines above provide an added measure of security compared to the previous requirements. We want all users of our infrastructure to follow the new guidelines to improve one aspect of security across the systems they share. Awareness is also an aspect of good security. By requiring these changes, we also hope to maintain and improve awareness of the process for changing passwords and keys.
Q: Can I just change my password and re-upload my same ssh public key? Or upload a bogus ssh public key and then re-upload my old one?
A: No. We've installed safeguards to ensure that your new ssh public key is different from your old one. Additionally, some of our contributors may have had accounts on compromised high profile Linux sites recently, and we want to make sure no ssh private keys or passwords used in Fedora Infrastructure were obtained via those incidents.
Q: This is a hassle. How often is this going to happen?
A: The last mass password change in Fedora was more than 3 years ago. Absent a triggering event, these mass changes will be infrequent.
Q: The new password length requirements/rules are too strict. How will I remember passwords that are that long?
A: You can employ a password storage application (see above), or use a method like diceware (see below), or construct a memorable sentence or phrase.
More reading:
http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singl...
https://fedoraproject.org/wiki/Infrastructure_mass_password_update
http://xkcd.com/936/
http://www.iusmentis.com/security/passphrasefaq/
http://world.std.com/~reinhold/diceware.html
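Comparing the uploaded text line is not enough for the "different key" check discussed in this thread, because the comment and options can change while the key itself stays the same. The sketch below is an added example, not FAS code or anything posted to the list: it compares the decoded key blob and keeps a per-account fingerprint history, so a throwaway upload followed by the old key is also refused (function names, the in-memory history set and the sample keys are constructed assumptions).

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def key_blob(line):
    """Decode the key blob from "[options] keytype base64-blob [comment]"."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 4:
            continue
        # The blob opens with a length-prefixed algorithm name; requiring it
        # to match the keytype token rejects text that merely decodes.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == tok.encode("ascii") and len(blob) > 4 + n:
            return blob
    raise ValueError("no valid public key found in line")


def fingerprint(line):
    """SHA-256 fingerprint of the key blob, in OpenSSH's "SHA256:" notation."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def accept_new_key(candidate_line, seen_fingerprints):
    """Accept an upload only if this key was never registered for the account.

    seen_fingerprints is the account's whole history (hypothetical storage),
    not just the current key.
    """
    fp = fingerprint(candidate_line)
    if fp in seen_fingerprints:
        return False
    seen_fingerprints.add(fp)
    return True


def _sample_line(payload, comment, options=""):
    """Build a CONSTRUCTED ssh-ed25519 line (not a real key) for the demo."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(payload)) + payload)
    parts = [options, "ssh-ed25519", base64.b64encode(blob).decode("ascii"), comment]
    return " ".join(p for p in parts if p)


OLD = _sample_line(b"\x01" * 32, "user@laptop")
OLD_RELABELLED = _sample_line(b"\x01" * 32, "brand-new-key",
                              options='no-pty,command="echo hi"')
THROWAWAY = _sample_line(b"\x02" * 32, "temp")
FRESH = _sample_line(b"\x03" * 32, "user@laptop-2011")


def demo():
    history = {fingerprint(OLD)}
    return [
        accept_new_key(OLD_RELABELLED, history),  # same blob, new comment/options
        accept_new_key(THROWAWAY, history),       # genuinely different key
        accept_new_key(OLD, history),             # old key after the throwaway
        accept_new_key(FRESH, history),           # new key, never seen before
    ]


if __name__ == "__main__":
    print(demo())
```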
On Mon, 2011-10-10 at 10:40 -0600, Kevin Fenzi wrote:
> ok, after folding in changes, I have the following draft. Comments/corrections/etc welcome.
> DRAFT-DRAFT-DRAFT
> Subject: IMPORTANT: Manditory password and ssh key change by 2011-11-30
                      ^^^^^^^^^ Mandatory.
> Summary:
> All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key by 2011-11-30. Failure to do so may result in your account being marked inactive.
> Background and reasoning:
> This change event has NOT been triggered by any specific compromise or vulnerability in Fedora Infrastructure. Rather, we believe, due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to "best practices" on their machines. Additionally, we are putting in place new rules for passwords to increase their entropy and make them harder to guess.
maybe dump the 'entropy' as some of our users are going to be lost there.
maybe: "Additionally, we are putting in place new rules for passwords to make them harder to guess."
-sv
On Mon, 10 Oct 2011 12:47:18 -0400 seth vidal skvidal@fedoraproject.org wrote:
> On Mon, 2011-10-10 at 10:40 -0600, Kevin Fenzi wrote:
> > ok, after folding in changes, I have the following draft. Comments/corrections/etc welcome.
> > DRAFT-DRAFT-DRAFT
> > Subject: IMPORTANT: Manditory password and ssh key change by 2011-11-30
>                       ^^^^^^^^^ Mandatory.
fixed.
> maybe dump the 'entropy' as some of our users are going to be lost there.
> maybe: "Additionally, we are putting in place new rules for passwords to make them harder to guess."
sounds good. Changed.
kevin
On Mon, Oct 10, 2011 at 10:11:44AM -0600, Kevin Fenzi wrote:
> On Mon, 10 Oct 2011 09:00:11 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
> > I think that marking inactive will work for the password change (with the password strength hotfix, we also no longer accept the same password as the user last had). (Off by one we can't catch though: old: "mustang1977" this would still be accepted: "mustang1978")
> So, when someone is 'inactive' they can login with their old password, but it will ask them to change it then?
Yep. IIRC we made things work that way when we did our first mass password reset.
-Toshio
On Mon, 10 Oct 2011 09:46:15 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
> On Mon, Oct 10, 2011 at 10:11:44AM -0600, Kevin Fenzi wrote:
> > On Mon, 10 Oct 2011 09:00:11 -0700 Toshio Kuratomi a.badger@gmail.com wrote:
> > > I think that marking inactive will work for the password change (with the password strength hotfix, we also no longer accept the same password as the user last had). (Off by one we can't catch though: old: "mustang1977" this would still be accepted: "mustang1978")
> > So, when someone is 'inactive' they can login with their old password, but it will ask them to change it then?
> Yep. IIRC we made things work that way when we did our first mass password reset.
Great.
So, if there's no other changes or objections, I will probably send out the announcement tomorrow. Please let me know if you can think of anything else we need to get in place before we announce.
kevin
DRAFT DRAFT DRAFT
Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Summary:
All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key by 2011-11-30. Failure to do so may result in your account being marked inactive.
Background and reasoning:
This change event has NOT been triggered by any specific compromise or vulnerability in Fedora Infrastructure. Rather, we believe, due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to "best practices" on their machines. Additionally, we are putting in place new rules for passwords to make them harder to guess.
New Password Rules:
* Nine or more characters with lower and upper case letters, digits and punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits
* Twenty or more characters with all lower case letters.
* No maximum length.
Some Do's and Don'ts:
* NEVER store your ssh private key on a shared or public system.
* ALWAYS use a strong passphrase on your ssh key.
* If you must store passwords, use an application specifically for this purpose like revelation, gnome-keyring, seahorse, or keepassx.
* Regularly apply your operating system's security related updates.
* Only use ssh agent forwarding when needed ( .ssh/config: "ForwardAgent no")
* DO verify ssh host keys via dnssec protected dns. ( .ssh/config: "VerifyHostKeyDNS yes")
* DO consider a separate ssh key for Fedora Infrastructure.
* Work with and use security features like SELinux and iptables.
* Review the Community Standard Infrastructure security document (link below)
Q&A:
Q: My password and ssh private key are fine and secure! Can't I just skip this change?
A: No. We believe the new guidelines above provide an added measure of security compared to the previous requirements. We want all users of our infrastructure to follow the new guidelines to improve one aspect of security across the systems they share. Awareness is also an aspect of good security. By requiring these changes, we also hope to maintain and improve awareness of the process for changing passwords and keys.
Q: Can I just change my password and re-upload my same ssh public key? Or upload a bogus ssh public key and then re-upload my old one?
A: No. We've installed safeguards to ensure that your new ssh public key is different from your old one. Additionally, some of our contributors may have had accounts on compromised high profile Linux sites recently, and we want to make sure no ssh private keys or passwords used in Fedora Infrastructure were obtained via those incidents.
Q: This is a hassle. How often is this going to happen?
A: The last mass password change in Fedora was more than 3 years ago. Absent a triggering event, these mass changes will be infrequent.
Q: The new password length requirements/rules are too strict. How will I remember passwords that are that long?
A: You can employ a password storage application (see above), or use a method like diceware (see below), or construct a memorable sentence or phrase.
More reading:
http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singl...
https://fedoraproject.org/wiki/Infrastructure_mass_password_update
http://xkcd.com/936/
http://www.iusmentis.com/security/passphrasefaq/
http://world.std.com/~reinhold/diceware.html
Some wording changes, noting of the start date, and some pointers to how to generate new ssh keys
DRAFT DRAFT
Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Summary:
All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. Failure to do so may result in your account being marked inactive. Passwords changed and NEW ssh public keys uploaded after 2011-10-10 will meet this requirement.
Background and reasoning:
This change event has NOT been triggered by any specific compromise or vulnerability in Fedora Infrastructure. Rather, we believe, due to the large number of high profile sites with security breaches in recent months, that this is a great time for all Fedora contributors and users to review their security settings and move to "best practices" on their machines. Additionally, we are putting in place new rules for passwords to make them harder to guess.
New Password Rules:
* Nine or more characters with lower and upper case letters, digits and punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits
* Twenty or more characters with all lower case letters.
* No maximum length.
Some Do's and Don'ts:
* NEVER store your ssh private key on a shared or public system.
* ALWAYS use a strong passphrase on your ssh key.
* If you must store passwords, use an application specifically for this purpose like revelation, gnome-keyring, seahorse, or keepassx.
* Regularly apply your operating system's security related updates.
* Only use ssh agent forwarding when needed ( .ssh/config: "ForwardAgent no")
* DO verify ssh host keys via dnssec protected dns. ( .ssh/config: "VerifyHostKeyDNS yes")
* DO consider a separate ssh key for Fedora Infrastructure.
* Work with and use security features like SELinux and iptables.
* Review the Community Standard Infrastructure security document (link below)
Q&A:
Q: My password and ssh private key are fine and secure! Can't I just skip this change?
A: No. We believe the new guidelines above provide an added measure of security compared to the previous requirements. We want all users of our infrastructure to follow the new guidelines to improve one aspect of security across the systems they share. Awareness is also an aspect of good security. By requiring these changes, we also hope to maintain and improve awareness of the process for changing passwords and keys.
Q: Can I just change my password and re-upload my same ssh public key? Or upload a bogus ssh public key and then re-upload my old one?
A: No. We've installed safeguards to ensure that your new ssh public key is different from your old one. Additionally, some of our contributors may have had accounts on compromised high profile Linux sites recently, and we want to make sure no ssh private keys or passwords used in Fedora Infrastructure were obtained via those incidents.
Q: This is a hassle. How often is this going to happen?
A: The last mass password change in Fedora was more than 3 years ago. Absent a triggering event, these mass changes will be infrequent.
Q: The new password length requirements/rules are too strict. How will I remember passwords that are that long?
A: You can employ a password storage application (see above), or use a method like diceware (see below), or construct a memorable sentence or phrase.
Q: How do I generate a new ssh key? How do I use it for just Fedora hosts?
A: See http://fedoraproject.org/wiki/Cryptography and use a ~/.ssh/config file to match fedoraproject.org hosts for that key.
More reading:
http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singl...
https://fedoraproject.org/wiki/Infrastructure_mass_password_update
http://xkcd.com/936/
http://www.iusmentis.com/security/passphrasefaq/
http://world.std.com/~reinhold/diceware.html
http://fedoraproject.org/wiki/Cryptography
On 2011-10-12 8:16, Kevin Fenzi wrote:
> All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. Failure to do so may result in your account being marked inactive.
This wording seems to say that users who have never uploaded SSH keys will be locked out unless they, too, upload new SSH keys.
On Wed, 12 Oct 2011 08:47:52 -0700 Garrett Holmstrom gholms@fedoraproject.org wrote:
> On 2011-10-12 8:16, Kevin Fenzi wrote:
> > All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. Failure to do so may result in your account being marked inactive.
> This wording seems to say that users who have never uploaded SSH keys will be locked out unless they, too, upload new SSH keys.
Added a Q&A on that:
Q: I never uploaded a ssh key to the Fedora Account System, nor am I in a group that needs one, do I still have to upload a new one?
A: No. If you don't have a ssh public key uploaded or desire to do so, you can just change your password.
I'm going to send it soon. ;)
kevin
What about our FAS certificates? Do we need to change those, too?
Russell Golden niveusluna@niveusluna.org (972) 836-7128 -- "We are the Borg. Lower your shields and surrender your ships. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service us. Resistance is futile."
On Wed, 12 Oct 2011 12:19:37 -0500 Russell Golden niveusluna@niveusluna.org wrote:
> What about our FAS certificates? Do we need to change those, too?
Nope.
We decided that since they change/expire regularly, there is no need to require them all to change now.
kevin