Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Tomas Mraz tmraz at redhat.com
Wed Oct 12 18:51:37 UTC 2011


On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote: 
> On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Simo Sorce wrote:
> > 
> > > On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > > > On Wed, 12 Oct 2011 13:30:19 -0400
> > > > Jeff Layton <jlayton at redhat.com> wrote:
> > > >
> > > > > I have a question not covered here: I just changed my ssh key a week
> > > > > or two ago in the wake of the kernel.org compromise...
> > > > >
> > > > > Is my new key sufficient? I really don't want to have to re-distribute
> > > > > my key to all of the various servers again.
> > > >
> > > > Well, we talked about this some, but we don't have fingerprints from
> > > > several weeks ago to check people against to confirm they uploaded a
> > > > new key.
> > > >
> > > > Would it be possible for you to just make a new fedora only key?
> > >
> > > Can you stop asking useless security theater measures instead?
> > >
> > > My ssh keys are fine and I see no reason to change them for you.
> > > If all projects I participate in were to ask me to change my keys I
> > > would end up with a mess of different keys for absolutely no reason.
> > >
> > > I have no problem with changing the password, but leave my ssh keys
> > > alone, unless there is a real reason to ask people to change them.
> > >
> > 
> > Look at it this way, your keys and password may be fine.  Can you say the
> > same about every other Fedora contributor?  If not, what criteria would
> > you use to say who should and shouldn't change their passwords and keys?
> 
> Given the way passwords are used I see no issue in asking them to be
> changed, they are very easy to steal in our current system, so I don't
> complain about that.
> 
> Ssh keys are a different matter, they are generally much more secure as
> they are not easily distributed or easy to steal, and changing them is
> no assurance the new ones are not as compromised. (see previous mail)
> 
> > Lots of people use and share keys across different projects.  Lots of bad
> > stuff is going down, we don't have much information on what's been
> > compromised where, who or how.  It might seem like theater to you.
> You're very in tune with the feng-shui of security and you are probably
> > fine.  But not all of our contributors can say that.
> 
> Storing a public key is not an issue, so the fact I use my key with
> different projects has absolutely no bearing on my exposure, zero,
> zilch. Unless I store my *private* keys on non-personal machines.
> 
> The problem is that blindly changing keys if a contributor is being
> careless accomplishes exactly nothing, and just burdens all careful
> ones.
> 
> If you have evidence of contributors being careless with SSH keys the
> only recourse is to identify and educate the offenders requiring them to
> change those keys and not have a 'hit 100 to educate 1' policy that
> serves little or no purpose.

+1^10
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
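The quoted exchange above turns on a missing record: the admins could not confirm who had already rotated a key because no fingerprints from several weeks earlier had been kept. The snapshot-and-compare check below is an added example, not code from this thread or from Fedora infrastructure. The account names are hypothetical and the key material is constructed test data (the blob format is the real OpenSSH wire format, so the fingerprint matches what `ssh-keygen -lf` would print for the same line).

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string as used inside OpenSSH key blobs (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from 32 raw bytes.

    Constructed test data only: the bytes are not a real key pair, but the
    wire format (type string + key string, base64-encoded) is the real one,
    so fingerprint() below treats it exactly like a key from ssh-keygen.
    """
    assert len(raw32) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the SHA256 fingerprint in the form `ssh-keygen -lf` prints it.

    OpenSSH hashes the decoded key blob (second field of the line), then
    base64-encodes the digest with the '=' padding stripped.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotation_report(baseline: dict, current: dict) -> dict:
    """Compare a fingerprint snapshot with the keys on file now.

    baseline: account -> fingerprint recorded at the cutoff date
    current:  account -> public key line currently on file
    Each account is classified so an admin can see who actually changed
    their key, instead of having to take everyone's word for it.
    """
    report = {}
    for account, line in current.items():
        fp = fingerprint(line)
        if account not in baseline:
            report[account] = "no-baseline"
        elif baseline[account] == fp:
            report[account] = "unchanged"
        else:
            report[account] = "rotated"
    for account in baseline:
        if account not in current:
            report[account] = "removed"
    return report


# --- constructed sample data (hypothetical accounts, not real keys) ---
OLD_KEYS = {
    "alice": make_ed25519_pubkey_line(bytes(range(32)), "alice@laptop"),
    "bob":   make_ed25519_pubkey_line(bytes(range(32, 64)), "bob@desktop"),
    "carol": make_ed25519_pubkey_line(bytes(range(64, 96)), "carol@work"),
}

# Snapshot taken at the cutoff: only the fingerprints need to be kept.
BASELINE = {acct: fingerprint(line) for acct, line in OLD_KEYS.items()}

# State some weeks later: alice rotated, bob did not, carol's key was removed,
# dave is a new account with no baseline.
CURRENT_KEYS = {
    "alice": make_ed25519_pubkey_line(bytes(range(96, 128)), "alice@laptop-new"),
    "bob":   OLD_KEYS["bob"],
    "dave":  make_ed25519_pubkey_line(bytes(range(128, 160)), "dave@home"),
}


def sample_report() -> dict:
    """Run the comparison on the constructed data above."""
    return rotation_report(BASELINE, CURRENT_KEYS)


if __name__ == "__main__":
    for account, status in sorted(sample_report().items()):
        print(f"{account:8s} {status}")
```

Only public-key fingerprints are stored in the baseline, which is consistent with the point in the thread that holding a public key exposes nothing; a snapshot taken with `ssh-keygen -lf` over the keys on file at the cutoff is enough to answer "did this account rotate?" at the deadline without asking anyone.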