Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Adam Williamson awilliam at redhat.com
Wed Oct 12 17:53:58 UTC 2011


On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:

> I have no problem with changing the password, but leave my ssh keys
> alone, unless there is a real reason to ask people to change them.

Reading between the lines of recent attacks, it seems likely that
private keys compromised in some of the attacks were used to perform
others. (No-one's come out and officially said this yet but it seems
pretty obvious from the subtext of some of the reports; I'm thinking
kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
some people may have used the same identities on some of the other
compromised systems as they are using on FAS, and hence it seems pretty
reasonable to require this change.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


