Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Simo Sorce simo at redhat.com
Wed Oct 12 18:20:43 UTC 2011


On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> >> > On 12 October 2011 17:44, Kevin Fenzi <kevin at scrye.com> wrote:
> >> > > All existing users of the Fedora Account System (FAS) at
> >> > > https://admin.fedoraproject.org/accounts are required to change
> >> > > their password and upload a NEW ssh public key before 2011-11-30.
> >> >
> >> > I have to upload a *new* public key? Why should I have two sets of
> >> > keys?
> >>
> >> Meant 'replacement'. You can only have one key in FAS, afaict.
> >
> >
> > You can have more than one. Just paste them in place all together.
> >
> >
> > And we're verifying key changes by checking the fingerprint of the
> > pubkeys vs your prior ones.
> 
> It's really not a huge hassle.  I've already done it.  I configured the
> .ssh/config files where I needed to, and it doesn't conflict with any
> other keys I have.  I don't get what the big deal is.  The disruption is,
> like, five minutes of work.  The potential benefit is unknown, but
> certainly not zero.
> 
> Why wait for a breach to do this?   This is a perfect time.  Doing it
> after the 2008 breach was wise.  This is better.

A breach won't compromise my actual keys even if it happened now or a
year ago.
Plus there are limitations on how many keys (and passphrases I can
remember, especially for stuff I use less often).
Plus there are limitations about how many keys ssh/ssh-agent can use
before failing to log you in no matter what.

Compound all this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
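
The fingerprint comparison mentioned in the quoted text above, sketched as an added example (not part of this thread and not FAS's own code). The function names are hypothetical, the sample keys are constructed, and SHA256 fingerprints in the format current OpenSSH prints are an assumption about the hash used.

```python
import base64
import hashlib
import struct


def fingerprint(key_line):
    """SHA256 fingerprint of an OpenSSH 'type base64 [comment]' public key line."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def reused_keys(prior_lines, uploaded_text):
    """Return uploaded key lines whose fingerprint matches a prior key.

    uploaded_text may hold several keys pasted together, one per line.
    The comment field is not hashed, so relabelling an old key is caught.
    """
    prior = {fingerprint(line) for line in prior_lines}
    reused = []
    for line in uploaded_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and fingerprint(line) in prior:
            reused.append(line)
    return reused


def _sample_key(seed, comment):
    # Constructed sample: 32 hash bytes stand in for an Ed25519 public key.
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


OLD_KEY = _sample_key(b"old", "user@laptop")
NEW_KEY = _sample_key(b"new", "user@laptop-2011")
RELABELLED_OLD = OLD_KEY.rsplit(" ", 1)[0] + " user@new-name"

if __name__ == "__main__":
    upload = NEW_KEY + "\n" + RELABELLED_OLD + "\n"
    for line in reused_keys([OLD_KEY], upload):
        print("rejected (same key as before):", fingerprint(line))
```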


