Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

drago01 drago01 at gmail.com
Wed Oct 12 18:01:35 UTC 2011


On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam at redhat.com> wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>
>> I have no problem with changing the password, but leave my ssh keys
>> alone, unless there is a real reason to ask people to change them.
>
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

Not really. Unless there is any evidence pointing towards that
direction, it is just paranoia.
Given the number of FAS accounts, you can pretty much always assume that
some account may be compromised, but that's not enough to warrant any
action. By that logic we should be changing keys daily ...

