Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Gerd Hoffmann kraxel at
Thu Oct 13 08:22:31 UTC 2011

On 10/12/11 19:53, Adam Williamson wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>> I have no problem with changing the password, but leave my ssh keys
>> alone, unless there is a real reason to ask people to change them.
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> /, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

I don't think so.

People which have found their system compromised most likely already 
have replaced all the ssh keys -> fine.

People which have not been compromised can continue to use the old keys 
without problems.

For people which are compromised but didn't notice (and thus still 
running a compromised system) the key change buys not much as the new 
keys likely will be compromised too.


More information about the devel mailing list