Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Pierre-Yves Chibon pingou at pingoured.fr
Wed Oct 12 20:50:57 UTC 2011


On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote:
> > On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:
> > 
> > > That's a nonsense. Simply said. If I have a properly generated random
> > > ssh private key with a strong passphrase that I never put outside of my
> > > workstations and safe backup media then there is no other way it can be
> > > compromised than to compromise my workstation. 
> > 
> > Sadly, not everyone uses properly strong passphrases on their private
> > keys. Some people don't use passphrases at all, and short ones can be
> > brute forced.
> > 
> > Workstations can be compromised in such a way as to compromise only a
> > subset of private keys, too.
> > 
> > So, let's say I use the key ADAM to access my personal systems, and the
> > key FEDORA to access Fedora systems.
> > 
> > When you first ssh into a remote system when you're using GNOME, GNOME
> > will prompt you for the key's passphrase, and there's a little drop down
> > labelled 'Details' which gives you some choices about when to re-lock
> > the key. By default it keeps the key open until you log out from GNOME,
> > but _you can change this_.
> > 
> > Let's say I leave that setting on default for key ADAM, but change it to
> > 'lock after 1 minute' for key FEDORA.
> > 
> > Now I go out and leave my laptop lying on the coffee shop table for two
> > minutes while I buy a coffee. Some dastardly person swipes said laptop.
> > 
> > They hightail it off to their secure location, and quickly disable the
> > screen lock. Now they have access to my running session, and they can
> > ssh into my personal systems with impunity, because key ADAM is unlocked
> > until they log out. It's more than one minute since I last used key
> > FEDORA, though, so if they try and ssh into fedorapeople.org they'll
> > find that key is locked, and they can't screw around with Fedora.
> > 
> > (Okay, so in practice, because of the FAS email loophole, they can just
> > reset my FAS password, log in, and change the ssh key. But the point
> > stands in theory: you can have stricter policies for some ssh keys than
> > others, and hence some can be compromised without all being
> > compromised.)
> 
> Sorry Adam but this is BS, if your laptop is stolen you MUST replace all
> your keys anyways because you cannot count on them not being
> compromised, period. So this complex scenario is just mirrors and smoke.

The point is, if you use one key they can access everything; if you use
several, you actually have time to change your key before they are able
to brute-force the pass-phrase (assuming you use one).

Pierre

