Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Henrik Nordström henrik at henriknordstrom.net
Wed Oct 12 21:41:33 UTC 2011


Wed 2011-10-12 at 14:59 -0500, Mike McGrath wrote:

> 1) People share keys across different projects.

Yes.

> 2) We've found PRIVATE keys on our servers

Which should lead to immediate account suspension, no matter if that key
is the Fedora key or some other key.

And in reality it's not related to '1' above, but general awareness of
what SSH keys are and how to handle them.

> 3) We have no reason to believe private keys that can authenticate to
> Fedora weren't on some of the compromised systems we've heard so much
> about.

Right. That is a good motivation for a key change. If that had been in
the original mail, most of this SSH key discussion would have been avoided
and instead focused on how to handle that, which I think would have been a
more constructive discussion.

It's already clear from the discussion that all SSH keys are not equal.

But I would surely hope no one with such involvement that he/she is
active with SSH accounts in Fedora and one or more of the other
referenced projects is so ignorant about their SSH keys that they leave
them on remote servers. But I cannot guarantee this, of course.

Regards
Henrik
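Point 2 in the thread (private keys found on the servers) is something an administrator can check for directly. The script below is an added example, not code from this thread or from Fedora infrastructure: it walks a directory tree, identifies files that carry a private-key marker (OpenSSH and the legacy PEM headers), and reports whether a legacy PEM key is passphrase-protected and whether the file is world-readable. The sample home directories it builds are constructed for the demo, with placeholder key bodies rather than real key material.

```python
import os
import re
import tempfile
from pathlib import Path

# Markers that identify a private key file (OpenSSH and PEM-style formats).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

# Legacy PEM keys that carry a passphrase announce it in a text header.
PEM_ENCRYPTED_RE = re.compile(rb"Proc-Type:\s*4,ENCRYPTED")

MAX_READ = 64 * 1024  # key files are small; never slurp large files


def classify_key_file(path):
    """Return None if the file is not a private key, else a dict describing it."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_READ)
    except OSError:
        return None
    marker = next((m for m in PRIVATE_KEY_MARKERS if m in head), None)
    if marker is None:
        return None
    if marker == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        # New OpenSSH format keeps the passphrase state inside the binary blob,
        # so this text-only check reports the format and leaves "encrypted" unknown.
        encrypted = None
    elif marker == b"-----BEGIN ENCRYPTED PRIVATE KEY-----":
        encrypted = True
    else:
        encrypted = bool(PEM_ENCRYPTED_RE.search(head))
    mode = os.stat(path).st_mode & 0o777
    return {
        "path": str(path),
        "format": marker.decode().strip("-").replace("BEGIN ", ""),
        "encrypted": encrypted,
        "world_readable": bool(mode & 0o004),
    }


def find_private_keys(root):
    """Walk root and return one finding per private key file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify_key_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample home directories for the demo (placeholder bodies, not real keys)."""
    root = Path(tempfile.mkdtemp())
    (root / "alice" / ".ssh").mkdir(parents=True)
    (root / "bob" / ".ssh").mkdir(parents=True)
    # A public key and authorized_keys belong on a server and must not be flagged.
    (root / "alice" / ".ssh" / "authorized_keys").write_bytes(b"ssh-rsa AAAAB3Nza... alice@laptop\n")
    (root / "alice" / ".ssh" / "id_rsa.pub").write_bytes(b"ssh-rsa AAAAB3Nza... alice@laptop\n")
    # Unencrypted legacy PEM private key copied onto the server, readable by everyone.
    (root / "alice" / ".ssh" / "id_rsa").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    )
    os.chmod(root / "alice" / ".ssh" / "id_rsa", 0o644)
    # Passphrase-protected legacy PEM key stored under an innocuous name.
    (root / "bob" / "notes.txt").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        b"DEK-Info: AES-128-CBC,00\n\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    )
    os.chmod(root / "bob" / "notes.txt", 0o600)
    return root


if __name__ == "__main__":
    for f in find_private_keys(build_sample_tree()):
        print(f"{f['path']}: {f['format']} encrypted={f['encrypted']} world_readable={f['world_readable']}")
```

On a real host you would point `find_private_keys` at `/home` (and root's home) rather than the sample tree; the marker check is deliberately content-based so that a key renamed to `notes.txt` is still found, which is why filename-based searches for `id_rsa` alone are not enough.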
