Mass Password/ssh Key change announcement DRAFT

Darren VanBuren onekopaka at gmail.com
Fri Oct 7 19:50:39 UTC 2011


I know at one point I was forced to change my FAS password. I don't
know how it was accomplished, but it was.

The message itself looks good to me. You get these two characters (not
including space): +1

Darren VanBuren
==================
http://theoks.net/



On Fri, Oct 7, 2011 at 09:17, Kevin Fenzi <kevin at scrye.com> wrote:
> Greetings.
>
> Here's what I have so far on an announcement for the mass password
> change/ssh key change. Suggestions for improvement very welcome. In
> particular more resources we could point people to, or common questions
> you think people will come up with that we could answer would be great.
>
> Also, we need to decide what exactly we do to accounts that fail to
> meet the deadline. Are we just marking them inactive? Do we have any
> way to force them to change the password and upload a new key if they
> reactivate the account?
>
> kevin
> --
> DRAFT DRAFT DRAFT
> Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
>
> Summary:
>
> All existing users of the Fedora Account System (FAS) at
> https://admin.fedoraproject.org/accounts are required to change their
> password and upload a NEW ssh public key by 2011-11-30. Failure to do so
> may result in your account being marked inactive.
>
> Background and reasoning:
>
> This change event has NOT been triggered by any specific compromise or
> vulnerability in Fedora Infrastructure, rather we feel that due to the
> large number of high profile sites with security breaches in recent
> months that this is a great time for all Fedora contributors and users
> to review their security settings and move to "best practices" on their
> machines. Additionally, we are putting in place new rules for passwords
> to increase their entropy and make them less guessable.
>
> New Password Rules:
>
> * Nine or more characters with lower and upper case letters, digits and
>  punctuation marks.
> * Ten or more characters with lower and upper case letters and digits.
> * Twelve or more characters with lower case letters and digits
> * Twenty or more characters with all lower case letters.
> * No maximum length.
>
> Some Do's and Don'ts:
>
> * NEVER store your ssh private key on a shared or public system.
> * ALWAYS use a strong passphrase on your ssh key.
> * if you must store passwords, use an application specifically for this
>  purpose like revelation, gnome-keyring, seahorse, or keepassx.
> * Regularly apply your OSes security related updates.
> * Only use ssh agent forwarding when needed ( .ssh/config:
>  "ForwardAgent no")
> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
>  "VerifyHostKeyDNS yes")
> * DO consider a separate ssh key for Fedora Infrastructure.
> * Work with and use security features like SELinux and iptables.
> * Review the Community Standard Infrastructure security document (link
>  below)
>
> Q&A:
>
> Q: My password and ssh private key are fine and secure! Can't I just
> skip this change?
>
> A: No. We very much hope everyone's password and ssh keys are fine, but
> we would like everyone to take this chance to review security and
> change things. In the event of a triggering event everyone will know
> the process.
>
> Q: Can I just change my password and re-upload my same ssh public key?
> Or upload a bogus ssh public key and then re-upload my old one?
>
> A: No. We will be checking to ensure that your ssh public key is
> different from your old one.
>
> Q: This is a hassle. How often is this going to happen?
>
> A: The last mass password change in Fedora was more than 3 years ago.
> Absent a triggering event, these mass changes will be infrequent.
>
> More reading:
>
> http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-single/
> https://fedoraproject.org/wiki/Infrastructure_mass_password_update
>

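As an added example (not part of Kevin's draft, Darren's reply, or any Fedora Infrastructure code), the Python below encodes the four password tiers from the quoted draft and the Q&A point that a re-uploaded ssh public key must differ from the old one. The tier table is my reading of the draft: the strictest mix of character classes present in a password decides its minimum length, a mix the draft does not list (no lower case letters at all) is rejected rather than mapped to another tier, and the key lines are constructed placeholders, not real keys.

```python
import string

# Password tiers from the draft announcement: (required character classes,
# minimum length). Strictest mix first; the first tier whose classes are all
# present in the password decides its minimum length. No maximum length.
PASSWORD_TIERS = [
    ({"lower", "upper", "digit", "punct"}, 9),
    ({"lower", "upper", "digit"}, 10),
    ({"lower", "digit"}, 12),
    ({"lower"}, 20),
]


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def required_minimum(password):
    """Minimum length the draft demands for this password's mix of classes,
    or None when the draft lists no tier for that mix."""
    present = character_classes(password)
    for classes, minimum in PASSWORD_TIERS:
        if classes <= present:
            return minimum
    return None


def check_password(password):
    """Return (accepted, reason) for a candidate password."""
    minimum = required_minimum(password)
    if minimum is None:
        # Assumption: a mix the draft does not cover (no lower case letters)
        # is rejected instead of being silently mapped to another tier.
        return False, "no rule covers this mix of characters; add lower case letters"
    if len(password) < minimum:
        return False, (f"needs at least {minimum} characters for this mix, "
                       f"has {len(password)}")
    return True, "ok"


def same_public_key(old_line, new_line):
    """True when two OpenSSH public key lines carry the same key material.
    Only the key type and base64 blob are compared, so changing the trailing
    comment or the whitespace does not make it a 'new' key."""
    def key_material(line):
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("not an OpenSSH public key line")
        return fields[0], fields[1]
    return key_material(old_line) == key_material(new_line)


# Constructed sample key lines (placeholder blobs, not real key material).
OLD_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBlob0001 alice@laptop"
OLD_KEY_RECOMMENTED = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBlob0001 alice@desk"
NEW_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBlob0002 alice@laptop"


if __name__ == "__main__":
    for candidate in ["Ab1!efghi", "Abcdefg12", "abcdefghijklmnopqrst", "ABCDEFGH12345"]:
        print(repr(candidate), check_password(candidate))
    print("same key, new comment:", same_public_key(OLD_KEY, OLD_KEY_RECOMMENTED))
    print("genuinely new key:    ", same_public_key(OLD_KEY, NEW_KEY))
```

The key comparison is deliberately stricter than a plain string compare of the uploaded line: an account holder who re-uploads the old key with a different comment is still re-using the old key, which is exactly what the Q&A says will be rejected.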