Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
simo at redhat.com
Wed Oct 12 18:16:16 UTC 2011
On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> On Wed, 12 Oct 2011, Simo Sorce wrote:
> > On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > > On Wed, 12 Oct 2011 13:30:19 -0400
> > > Jeff Layton <jlayton at redhat.com> wrote:
> > >
> > > > I have a question not covered here: I just changed my ssh key a week
> > > > or two ago in the wake of the kernel.org compromise...
> > > >
> > > > Is my new key sufficient? I really don't want to have to re-distribute
> > > > my key to all of the various servers again.
> > >
> > > Well, we talked about this some, but we don't have fingerprints from
> > > several weeks ago to check people against to confirm they uploaded a
> > > new key.
> > >
> > > Would it be possible for you to just make a new fedora only key?
> > Can you stop asking useless security theater measures instead ?
> > My ssh keys are fine and I see no reason to change them for you.
> > If all projects I participate in were to ask me to change my keys I
> > would end up with a mess of different keys for absolutely no reason.
> > I have no problem with changing the password, but leave my ssh keys
> > alone, unless there is a real reason to ask people to change them.
> Look at it this way, your keys and password may be fine. Can you say the
> same about every other Fedora contributor? It not, what criteria would
> you use to say who should and shouldn't change their passwords and keys?
Given the way passwords are used I see no issue in asking them to be
changed, they are very easy to steal in our current system, so I don't
complain about that.
Ssh keys are a different matter, they are generally much more secure as
they are not easily distributed or easy to steal, and changing them is
no assurance the new ones are not as compromised. (see previous mail)
> Lots of people use and share keys across different projects. Lots of bad
> stuff is going down, we don't have much information on what's been
> compromised where, who or how. It might seem like theater to you.
> You're very in tuned with the feng-shui of security and you are probably
> fine. But not all of our contributors can say that.
Storing a public key is not an issue, so the fact I use my key with
different projects has absolutely no bearing on my exposure, zero,
zilch. Unless I store my *private* keys on non-personal machines.
The problem is that blindly changing keys if a contributor is being
careless accomplishes exactly nothing, and just burdens all careful
If you have evidence of contributors being careless with SSH keys the
only recourse is to identify and educate the offenders requiring them to
change those keys and not have a 'hit 100 to educate 1' policy that
serves little or no purpose.
Simo Sorce * Red Hat, Inc * New York
More information about the devel