Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Kevin Fenzi kevin at scrye.com
Wed Oct 12 19:49:45 UTC 2011


On Wed, 12 Oct 2011 20:19:27 +0200
Henrik Nordström <henrik at henriknordstrom.net> wrote:

> The password change is understandable, but why force an SSH key change
> with such short notice?

Short? 1.5 months? 

How long would you like?

> And what if the SSH key is a hard token (smartcard) which can not be
> copied or trivially changed? Switching to a soft key would be mostly
> counter-productive from a security point of view. Now, I was not
> currently using my hard token smartcard key for Fedora for other
> reasons, but I would have been quite annoyed by this change requirement
> if I were.

If you can't change your token, then I would posit you have a problem.
What if you KNEW your private key was compromised? Surely there is a
way to generate a new one... 

> And why is so much of the Fedora infrastructure relying on plain text
> password exchanges (within SSL, but still plain text at the Fedora
> servers) when there is both HTTP digest authentication (no plaintext
> seen by Fedora servers) and SSL certificates and SSH keys which all
> three serve as a much better identification method?

Please feel free to jump in and help code such changes. :) 
We are an open source infrastructure and I'm sure patches and ideas even
would be welcome. 

> And you forgot the one most important DON'T in the list. Never use the
> same password for two different systems. Do not use the same password
> for Fedora account as you use for Hotmail / GMail / At Work /
> Facebook / Whatever.

Yeah, I kept adding things, but the email was already really long. ;( 

> But even then, the security of Fedora accounts is no stronger than the
> security of the email associated with an account. Quite pointless to
> try to bolster the security very high when all that is needed to take
> over a standard Fedora account is to have access to the email
> (account or traffic) of the Fedora account. Sure, a full account
> takeover is more likely to get noticed than a stolen password, but it
> still sets the level of expected security.

Yeah, ideally we would do more here with gpg. 

kevin