[Fwd: Account Security Question]

Ricky Zhou ricky at fedoraproject.org
Wed Jan 7 23:31:17 UTC 2009


On 2009-01-07 02:56:43 PM, Ignacio Vazquez-Abrams wrote:
> For your consideration.
> 
> -------- Forwarded Message --------
> From: Michael Tant <mtant621 at charter.net>
> To: webmaster at fedoraproject.org
> Subject: Account Security Question
> Date: Wed, 7 Jan 2009 14:22:20 -0500
> 
> Upon creating my account on the fedoraproject site, I was asked to
> submit a public key and download a client certificate.  First, what is
> the public key used for?  I sent a 1024 rsa pubkey made with ssh-keygen.
> Does it have to be rsa or can I change that to a 2048 dsa key?  I
> commonly use my windows side to access the internet and my linux side
> more as a server than a terminal side, though it has client side
> available.  Should the dsa public key be kept on the browser side, or
> isolated to the linux side?  The Private Key is kept offline on
> removable media.
The public key is used if you need to authenticate to any of our
services over SSH.  This includes commit access for CVS and other
code repositories or any shell access to our machines.  We currently
require RSA keys.  You'll want to have your private key available on any
machine that you use to SSH or commit code from.  The public key is only
needed on the machines that will be accepting your private key (which is
why we ask for it).

> In regards to the certificate, it requests I add this to a particular
> location in the system.  Is the certificate used to authenticate my
> sessions with fedoraproject or just for the purposes of linux
> developing?  If it is used for authentication, can this be used on a
> windows based system, or should I login from my linux side?  I'm not a
> developer as of yet, my programming skills are hardly up to par yet.
> Regardless of the use, events of yesterday lead me to ask, is this a MD5
> hash or SHA1 or SHA2 hash?  I ask this because of the collision exploit
> to md5 certificates.  Please let me know, and if it is a MD5 hash, can I
> request a SHA clientside certificate?  
This certificate is currently only used to authenticate to koji and
plague, the buildsystems for Fedora and EPEL, although we're considering
using key authentication in more places in the future. Right now, you'll
only need a copy of it if you plan on becoming a package maintainer.

> Being new to Linux, I am thrilled to have membership in
> fedoraproject, as I have found linux nearly superior to windows in many
> areas.  
Welcome!

Thanks,
Ricky
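
An added example, not part of the original message and not Fedora's own tooling: reading the algorithm and RSA modulus size out of an OpenSSH public key line (the output of ssh-keygen) before submitting it to a service that requires RSA keys. The helper names and the sample key lines are constructed for illustration; the sample keys are not usable keys.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated field body")
    return buf[off:off + n], off + n

def inspect_pubkey(line):
    """Return (algorithm, bits) for a public key line; bits is None unless RSA."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    algo, off = _read_string(blob, 0)
    algo = algo.decode("ascii")
    if algo != fields[0]:
        # The text label is not authoritative; the blob is what the server parses.
        raise ValueError("type label does not match key blob")
    if algo != "ssh-rsa":
        return algo, None
    _exponent, off = _read_string(blob, off)
    modulus, off = _read_string(blob, off)
    return algo, int.from_bytes(modulus, "big").bit_length()

def _pack(b):
    return struct.pack(">I", len(b)) + b

def make_sample_line(algo, bits):
    """Build a CONSTRUCTED, non-functional key line with a modulus of `bits` bits."""
    n = (1 << (bits - 1)) | 1
    mpint = b"\x00" + n.to_bytes(bits // 8, "big")  # leading zero keeps it positive
    blob = _pack(algo.encode()) + _pack(b"\x01\x00\x01") + _pack(mpint)
    return f"{algo} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    for sample in (make_sample_line("ssh-rsa", 1024),
                   make_sample_line("ssh-rsa", 2048),
                   make_sample_line("ssh-dss", 1024)):
        algo, bits = inspect_pubkey(sample)
        print(algo, bits, "RSA" if algo == "ssh-rsa" else "not RSA")
```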