[Ambassadors] Fwd: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Pierre-Yves Chibon pingou at pingoured.fr
Fri Oct 14 08:22:39 UTC 2011


On Fri, 2011-10-14 at 10:16 +0200, Alessandro Lorenzi wrote:
> Hi, we have a security issue?

Have you actually read the email?

Something like, this part:
> Background and reasoning:
>
> This change event has NOT been triggered by any specific compromise or
> vulnerability in Fedora Infrastructure.

Pierre

> 
> 2011/10/13 Buddhika Kurera <bckurera at fedoraproject.org>:
> > ---------- Forwarded message ----------
> > From: Kevin Fenzi <kevin at scrye.com>
> > Date: Wed, Oct 12, 2011 at 10:14 PM
> > Subject: Subject: IMPORTANT: Mandatory password and ssh key change by
> > 2011-11-30
> > To: announce at lists.fedoraproject.org, devel-announce at lists.fedoraproject.org
> >
> >
> > Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
> >
> > Summary:
> >
> > All existing users of the Fedora Account System (FAS) at
> > https://admin.fedoraproject.org/accounts are required to change their
> > password and upload a NEW ssh public key before 2011-11-30.
> > Failure to do so may result in your account being marked inactive.
> > Passwords changed and NEW ssh public keys uploaded after 2011-10-10
> > will meet this requirement.
> >
> > Background and reasoning:
> >
> > This change event has NOT been triggered by any specific compromise or
> > vulnerability in Fedora Infrastructure. Rather, we believe, due to the
> > large number of high profile sites with security breaches in recent
> > months, that this is a great time for all Fedora contributors and users
> > to review their security settings and move to "best practices" on their
> > machines. Additionally, we are putting in place new rules for passwords
> > to make them harder to guess.
> >
> > New Password Rules:
> >
> > * Nine or more characters with lower and upper case letters, digits and
> >  punctuation marks.
> > * Ten or more characters with lower and upper case letters and digits.
> > * Twelve or more characters with lower case letters and digits
> > * Twenty or more characters with all lower case letters.
> > * No maximum length.
> >
> > Some Do's and Don'ts:
> >
> > * NEVER store your ssh private key on a shared or public system.
> > * ALWAYS use a strong passphrase on your ssh key.
> > * If you must store passwords, use an application specifically for this
> >  purpose like revelation, gnome-keyring, seahorse, or keepassx.
> > * Regularly apply your operating system's security related updates.
> > * Only use ssh agent forwarding when needed ( .ssh/config:
> >  "ForwardAgent no")
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> >  "VerifyHostKeyDNS yes")
> > * DO consider a separate ssh key for Fedora Infrastructure.
> > * Work with and use security features like SELinux and iptables.
> > * Review the Community Standard Infrastructure security document (link
> >  below)
> >
> > Q&A:
> >
> > Q: My password and ssh private key are fine and secure!
> > Can't I just skip this change?
> >
> > No.  We believe the new guidelines above provide an added measure of
> > security compared to the previous requirements.  We want all users of
> > our infrastructure to follow the new guidelines to improve one aspect
> > of security across the systems they share.  Awareness is also an
> > aspect of good security.  By requiring these changes, we also hope to
> > maintain and improve awareness of the process for changing passwords
> > and keys.
> >
> > Q: Can I just change my password and re-upload my same ssh public key?
> > Or upload a bogus ssh public key and then re-upload my old one?
> >
> > A: No. We've installed safeguards to ensure that your new ssh public
> > key is different from your old one. Additionally, some of our
> > contributors may have had accounts on compromised high profile Linux
> > sites recently, and we want to make sure no ssh private keys or
> > passwords used in Fedora Infrastructure were obtained via those
> > incidents.
> >
> > Q: This is a hassle. How often is this going to happen?
> >
> > A: The last mass password change in Fedora was more than 3 years ago.
> > Absent a triggering event, these mass changes will be infrequent.
> >
> > Q: The new password length requirements/rules are too strict.
> > How will I remember passwords that are that long?
> >
> > A: You can employ a password storage application (see above), or
> > use a method like diceware (see below), or construct a memorable
> > sentence or phrase.
> >
> > Q: How do I generate a new ssh key? How do I use it for just Fedora
> > hosts?
> >
> > A: See http://fedoraproject.org/wiki/Cryptography and use a
> > ~/.ssh/config file to match fedoraproject.org hosts for that key.
> >
> > Q: I never uploaded a ssh key to the Fedora Account System, nor am I
> > in a group that needs one, do I still have to upload a new one?
> >
> > A: No. If you don't have a ssh public key uploaded or desire to do so,
> > you can just change your password.
> >
> > More reading:
> >
> > http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
> > https://fedoraproject.org/wiki/Infrastructure_mass_password_update
> > http://xkcd.com/936/
> > http://www.iusmentis.com/security/passphrasefaq/
> > http://world.std.com/~reinhold/diceware.html
> > http://fedoraproject.org/wiki/Cryptography
> >
> > --
> > announce mailing list
> > announce at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/announce
> >
> >
> >
> > --
> > Regards,
> > Buddhike Chandradeepa Kurera(bckurera)
> > Fedora Ambassador Sri Lanka
> > Event Liaison - Design Team
> > Email: bckurera at fedoraproject.org | IRC: bckurera
> >
> >
> >
> > --
> > ambassadors mailing list
> > ambassadors at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/ambassadors
> >
> 
> 
> 
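The "New Password Rules" quoted in the forwarded announcement, encoded as a checker. This is an added example written for this page, not the Fedora Account System's own validation code. The interpretation is an assumption: a password passes a tier when it is at least that tier's length and contains every character class the tier names, extra classes never hurt, and combinations the rules never mention (upper case only, lower case plus punctuation only) match no tier and are rejected. The sample passwords are constructed.

```python
import string

# The four tiers from the announcement, as (minimum length, required classes).
# Interpretation used here (an assumption of this example, not FAS's code):
# a password passes a tier when it is at least min_len characters long AND
# contains every class the tier names. Extra classes never hurt, and there is
# no maximum length. Combinations the rules never mention (upper case only,
# lower case plus punctuation only, ...) match no tier and are rejected.
TIERS = (
    (9,  frozenset({"lower", "upper", "digit", "punct"})),
    (10, frozenset({"lower", "upper", "digit"})),
    (12, frozenset({"lower", "digit"})),
    (20, frozenset({"lower"})),
)


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        # anything else (spaces, other Unicode) adds length but no class
    return classes


def satisfied_tier(password):
    """Return (min_len, classes) of the strictest tier the password meets, or None."""
    present = char_classes(password)
    length = len(password)
    for min_len, required in TIERS:
        if length >= min_len and required <= present:
            return min_len, required
    return None


def password_ok(password):
    """True if the password meets at least one tier."""
    return satisfied_tier(password) is not None


def shortfall(password):
    """Per tier: how many more characters and which classes are still missing.

    Useful for the error message on a password-change form.
    """
    present = char_classes(password)
    length = len(password)
    return [(min_len, max(0, min_len - length), sorted(required - present))
            for min_len, required in TIERS]


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords.
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple", "Password1",
               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
        tier = satisfied_tier(pw)
        if tier:
            print(f"{pw!r}: ok (tier {tier[0]})")
        else:
            print(f"{pw!r}: rejected, shortfall per tier {shortfall(pw)}")
```

Note the two gaps a literal reading of the rules leaves: an all-upper-case password of any length matches no tier, and "Password1" (nine characters, three classes) fails because the nine-character tier also needs punctuation. If a deployment wants to accept those, it has to say so explicitly rather than rely on the wording above.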



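The ~/.ssh/config the announcement's Do's and Don'ts and its "How do I use it for just Fedora hosts?" answer describe, written out. This is an added illustrative fragment, not from the announcement or from Fedora Infrastructure; the key file name id_rsa_fedora and the host pattern *.fedoraproject.org are assumptions to adjust to your own setup.

```sshconfig
# ~/.ssh/config -- added example, not part of the announcement.
# Assumes a dedicated key generated with
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_fedora
# (on a current OpenSSH, -t ed25519 is the better choice) and that the
# hosts you reach are under fedoraproject.org; both are assumptions.
# ssh_config takes the FIRST matching value for each option, so the
# specific Host block must come before the catch-all "Host *".

Host *.fedoraproject.org
    IdentityFile ~/.ssh/id_rsa_fedora
    # Offer only the key named above, not every key the agent holds.
    IdentitiesOnly yes
    # Check the host key against SSHFP records; only DNSSEC-validated
    # answers (AD bit set by your resolver) are trusted without a prompt.
    VerifyHostKeyDNS yes

Host *
    # Agent forwarding lets the remote host use your keys; keep it off
    # by default and enable it per host with "ssh -A" only when needed.
    ForwardAgent no
```

With VerifyHostKeyDNS set to yes, OpenSSH still falls back to the usual fingerprint prompt when the SSHFP lookup is not DNSSEC-validated, so the setting only removes the prompt when your resolver validates; you can check what the resolver returns with `dig +dnssec SSHFP <host>` and look for the `ad` flag.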