[Ambassadors] Fwd: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Uditha Bandara Wijerathna udithabnd at gmail.com
Fri Oct 14 08:41:13 UTC 2011


Thanks bckurera for the info.

2011/10/13 Buddhika Kurera <bckurera at fedoraproject.org>

> ---------- Forwarded message ----------
> From: Kevin Fenzi <kevin at scrye.com>
> Date: Wed, Oct 12, 2011 at 10:14 PM
> Subject: IMPORTANT: Mandatory password and ssh key change by
> 2011-11-30
> To: announce at lists.fedoraproject.org,
> devel-announce at lists.fedoraproject.org
>
>
> Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
>
> Summary:
>
> All existing users of the Fedora Account System (FAS) at
> https://admin.fedoraproject.org/accounts are required to change their
> password and upload a NEW ssh public key before 2011-11-30.
> Failure to do so may result in your account being marked inactive.
> Passwords changed and NEW ssh public keys uploaded after 2011-10-10
> will meet this requirement.
>
> Background and reasoning:
>
> This change event has NOT been triggered by any specific compromise or
> vulnerability in Fedora Infrastructure. Rather, we believe, due to the
> large number of high profile sites with security breaches in recent
> months, that this is a great time for all Fedora contributors and users
> to review their security settings and move to "best practices" on their
> machines. Additionally, we are putting in place new rules for passwords
> to make them harder to guess.
>
> New Password Rules:
>
> * Nine or more characters with lower and upper case letters, digits and
>  punctuation marks.
> * Ten or more characters with lower and upper case letters and digits.
> * Twelve or more characters with lower case letters and digits
> * Twenty or more characters with all lower case letters.
> * No maximum length.
>
> Some Do's and Don'ts:
>
> * NEVER store your ssh private key on a shared or public system.
> * ALWAYS use a strong passphrase on your ssh key.
> * If you must store passwords, use an application specifically for this
>  purpose like revelation, gnome-keyring, seahorse, or keepassx.
> * Regularly apply your operating system's security related updates.
> * Only use ssh agent forwarding when needed ( .ssh/config:
>  "ForwardAgent no")
> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
>  "VerifyHostKeyDNS yes")
> * DO consider a separate ssh key for Fedora Infrastructure.
> * Work with and use security features like SELinux and iptables.
> * Review the Community Standard Infrastructure security document (link
>  below)
>
> Q&A:
>
> Q: My password and ssh private key are fine and secure!
> Can't I just skip this change?
>
> A: No.  We believe the new guidelines above provide an added measure of
> security compared to the previous requirements.  We want all users of
> our infrastructure to follow the new guidelines to improve one aspect
> of security across the systems they share.  Awareness is also an
> aspect of good security.  By requiring these changes, we also hope to
> maintain and improve awareness of the process for changing passwords
> and keys.
>
> Q: Can I just change my password and re-upload my same ssh public key?
> Or upload a bogus ssh public key and then re-upload my old one?
>
> A: No. We've installed safeguards to ensure that your new ssh public
> key is different from your old one. Additionally, some of our
> contributors may have had accounts on compromised high profile Linux
> sites recently, and we want to make sure no ssh private keys or
> passwords used in Fedora Infrastructure were obtained via those
> incidents.
>
> Q: This is a hassle. How often is this going to happen?
>
> A: The last mass password change in Fedora was more than 3 years ago.
> Absent a triggering event, these mass changes will be infrequent.
>
> Q: The new password length requirements/rules are too strict.
> How will I remember passwords that are that long?
>
> A: You can employ a password storage application (see above), or
> use a method like diceware (see below), or construct a memorable
> sentence or phrase.
>
> Q: How do I generate a new ssh key? How do I use it for just Fedora
> hosts?
>
> A: See http://fedoraproject.org/wiki/Cryptography and use a
> ~/.ssh/config file to match fedoraproject.org hosts for that key.
>
> Q: I never uploaded a ssh key to the Fedora Account System, nor am I
> in a group that needs one, do I still have to upload a new one?
>
> A: No. If you don't have a ssh public key uploaded or desire to do so,
> you can just change your password.
>
> More reading:
>
>
> http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
> https://fedoraproject.org/wiki/Infrastructure_mass_password_update
> http://xkcd.com/936/
> http://www.iusmentis.com/security/passphrasefaq/
> http://world.std.com/~reinhold/diceware.html
> http://fedoraproject.org/wiki/Cryptography
>
> --
> announce mailing list
> announce at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/announce
>
>
>
> --
> Regards,
> *Buddhike Chandradeepa Kurera(bckurera)*
> Fedora Ambassador Sri Lanka
> Event Liaison - Design Team
>
> *Email*: bckurera at fedoraproject.org | *IRC*: bckurera
>
>
>
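As an added illustration (my own code, not Fedora Infrastructure's or the FAS implementation), here is a Python checker that encodes the four password tiers quoted in the announcement. The way the tiers are combined (a password passes if it contains every character class a tier requires and meets that tier's length) and the sample passwords are my assumptions.

```python
import string

# The four tiers from the announcement, as (minimum length, required classes).
# Assumption (mine, not the FAS code): a password passes if it contains every
# class a tier requires and meets that tier's length; the first matching tier wins.
PASSWORD_TIERS = (
    (9, frozenset({"lower", "upper", "digit", "punct"})),
    (10, frozenset({"lower", "upper", "digit"})),
    (12, frozenset({"lower", "digit"})),
    (20, frozenset({"lower"})),
)


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")  # whitespace or non-ASCII symbols: no credit
    return classes


def check_password(password):
    """Return (accepted, reason) under the announced rules; no maximum length."""
    classes = char_classes(password)
    # Tiers whose required classes are all present, shortest first (tuple order).
    reachable = [(n, req) for n, req in PASSWORD_TIERS if req <= classes]
    for min_len, required in reachable:
        if len(password) >= min_len:
            return True, "meets the %d+ character rule (%s)" % (
                min_len, ", ".join(sorted(required)))
    if reachable:
        return False, "needs %d+ characters for the classes used (has %d)" % (
            reachable[0][0], len(password))
    return False, "needs lower case letters plus digits, or 20+ lower case letters"


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    for pw in ["Tr0ub4dor&3", "correcthorsebatterystaple", "fedora2011", "Fed0ra!"]:
        print(repr(pw), check_password(pw))
```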