Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
pbrobinson at gmail.com
Wed Oct 12 18:12:32 UTC 2011
On Wed, Oct 12, 2011 at 7:01 PM, drago01 <drago01 at gmail.com> wrote:
> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam at redhat.com> wrote:
>> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>>> I have no problem with changing the password, but leave my ssh keys
>>> alone, unless there is a real reason to ask people to change them.
>> Reading between the lines of recent attacks, it seems likely that
>> private keys compromised in some of the attacks were used to perform
>> others. (No-one's come out and officially said this yet but it seems
>> pretty obvious from the subtext of some of the reports; I'm thinking
>> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
>> some people may have used the same identities on some of the other
>> compromised systems as they are using on FAS, and hence it seems pretty
>> reasonable to require this change.
> Not really unless there is any evidence pointing towards that
> direction it is just paranoia.
> Given the number of FAS account you can pretty much always assume that
> some account may be compromised but that's not enough to warrant any
> action. By that logic we should be changing keys daily ....
And people are complaining about the fact that the last time it
happened was 3 years ago. At work I have to do it every 60 days.
More information about the devel