Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Adam Williamson awilliam at redhat.com
Wed Oct 12 18:24:42 UTC 2011


On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote:
> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson <awilliam at redhat.com> wrote:
> > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
> >
> >> I have no problem with changing the password, but leave my ssh keys
> >> alone, unless there is a real reason to ask people to change them.
> >
> > Reading between the lines of recent attacks, it seems likely that
> > private keys compromised in some of the attacks were used to perform
> > others. (No-one's come out and officially said this yet but it seems
> > pretty obvious from the subtext of some of the reports; I'm thinking
> > kernel.org / linux.com, e.g.) It doesn't seem at all unlikely that
> > some people may have used the same identities on some of the other
> > compromised systems as they are using on FAS, and hence it seems pretty
> > reasonable to require this change.
> 
> Not really; unless there is any evidence pointing towards that
> direction, it is just paranoia.
> Given the number of FAS accounts you can pretty much always assume that
> some account may be compromised, but that's not enough to warrant any
> action. By that logic we should be changing keys daily...

There are rather fewer FAS accounts with keys than there are total FAS
accounts. You only need to upload a key if you're a packager, really.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net