Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Gerd Hoffmann kraxel at redhat.com
Thu Oct 13 08:22:31 UTC 2011


On 10/12/11 19:53, Adam Williamson wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>
>> I have no problem with changing the password, but leave my ssh keys
>> alone, unless there is a real reason to ask people to change them.
>
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

I don't think so.

People who have found their system compromised most likely have already
replaced all the ssh keys -> fine.

People who have not been compromised can continue to use the old keys
without problems.

For people who are compromised but didn't notice (and thus are still
running a compromised system), the key change doesn't buy much, as the new
keys will likely be compromised too.

cheers,
   Gerd
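One thing the thread leaves implicit is how an account system such as FAS would actually tell whether a user complied with the mandatory key change: it can compare the SHA256 fingerprints of the keys currently on file with the fingerprints of the keys it had on record before the deadline. The script below is an added illustration of that check, not code from this thread or from Fedora infrastructure; the `ssh-ed25519` key lines it uses are constructed stand-ins (the blobs are built from hashed seeds, not real key pairs), and the "keys on record before the deadline" list is an assumed input.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public key line.

    OpenSSH fingerprints the raw key blob (the base64 field) with SHA-256 and
    prints it as unpadded base64 prefixed with "SHA256:".
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _constructed_ed25519_line(seed: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line for the demo.

    The 32 key bytes are just a hash of the seed; this is NOT a usable key,
    only a constructed sample so the example runs offline.
    """
    key_bytes = hashlib.sha256(seed).digest()
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def find_unrotated(keys_before_deadline, current_keys):
    """Return the comments (here: usernames) of current keys whose
    fingerprint was already on record before the deadline, i.e. users
    who did not change their key."""
    old = {ssh_fingerprint(line) for line in keys_before_deadline}
    return sorted(line.split()[2] for line in current_keys
                  if ssh_fingerprint(line) in old)


# Constructed sample data: what the account system had on record before
# the deadline, and what is on record now.
KEYS_BEFORE_DEADLINE = [
    _constructed_ed25519_line(b"alice-old", "alice"),
    _constructed_ed25519_line(b"bob-old", "bob"),
    _constructed_ed25519_line(b"carol-old", "carol"),
]
KEYS_NOW = [
    _constructed_ed25519_line(b"alice-old", "alice"),   # unchanged
    _constructed_ed25519_line(b"bob-new", "bob"),       # rotated
    _constructed_ed25519_line(b"carol-old", "carol"),   # unchanged
]

if __name__ == "__main__":
    for user in find_unrotated(KEYS_BEFORE_DEADLINE, KEYS_NOW):
        print("key not rotated:", user)
```

Note that this only detects whether a key was *changed*; as Gerd points out, it says nothing about whether the new key was generated on a machine that is itself still compromised.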

