Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Toshio Kuratomi a.badger at gmail.com
Thu Oct 13 17:39:03 UTC 2011


On Thu, Oct 13, 2011 at 09:14:46AM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote:
> > 2) We've found PRIVATE keys on our servers
> 
> By all means educate these users with a large clue-stick.
> 
The problem is this:

Fedora contributors are a group of technically minded people that we think
should know better.  Fedora contributors in the sysadmin groups (needed to
have shells on these machines) are an even more technically and security
minded group that should know even better.  Yet that select group of people
are making a very bad mistake.

We can (and have) identified these people and hit them with the clue stick.
What we cannot do is audit kernel.org, linux.com, etc, and find out what
technically minded users that we have in common have made a similar mistake
on their systems and then hit *them* with a cluestick.  Which is not to
place blame on those other sites for withholding information; we've never
revealed similar information.  Debian didn't reveal that level of
information after their intrusion either.

But what does that lack of information leave us with?  A whole lot of ssh
keys that may or may not have had their private keys on a compromised host
with no way of telling who's who.  We don't even know if one of the keys was
known to have been used in the kernel.org and linux.com compromises.  If the
users in question are on a long hiatus for Fedora work, those keys might
never be changed even if the user has been hit with a cluestick on
kernel.org.

So what are our admins to do?  1) We could ignore the issue.  We have a lot
of contributors.  Maybe we should just expect that some of their accounts
are going to be compromised.  2) We could require everyone to change keys.
3) You might have the information necessary to get us a list of our users
whose accounts or keys were potentially compromised on other people's
systems.  If so, it might be reasonable to filter for just those people.
OTOH, if someone is out there purposefully targeting open source sites,
perhaps too much caution is better than too little.

-Toshio