Mass Password/ssh Key change announcement DRAFT
Kevin Fenzi
kevin at scrye.com
Mon Oct 10 16:11:44 UTC 2011
On Mon, 10 Oct 2011 09:00:11 -0700
Toshio Kuratomi <a.badger at gmail.com> wrote:
> I think that marking inactive will work for the password change (with
> the password strength hotfix, we also no longer accept the same
> password as the user last had). (Off by one we can't catch though:
> old: "mustang1977" this would still be accepted: "mustang1978")
So, when someone is 'inactive' they can login with their old password,
but it will ask them to change it then?
> New ssh key won't be caught by fas but if they repeatedly re-enable
> without uploading a new ssh key, we can mark their account
> admin_disabled so they have to talk to us.
Yeah, we can continue to run checks periodically I guess.
> Do we want to mention the specific rationale for changing both
> passwords and ssh keys? 1) the recent compromised sites were Linux
> related. 2) as far as disclosed the sites were attacked via
> compromised accounts. 3) we have no way of knowing if any of our
> users/contributors had accounts on those sites and used the same
> password/ssh key with agent forwarding/uploaded a private key there.
yeah, we can... let me see if I can figure out how to word that/add it,
and I will send a new draft out in a few.
kevin
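As an added example (not code from this thread or from FAS), a password-change check that closes the "off by one" gap Toshio describes above: besides rejecting the identical password, it rejects a new password that is within a small edit distance of, contains, or reverses the old one. It assumes the old password is available in cleartext at change time because the user types it into the change form, and the threshold of 4 edits is an assumed policy value.

```python
def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b, classic row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True if the new password is a trivial variant of the old one.

    Comparison is case-insensitive so 'Mustang1977' vs 'mustang1977' is caught.
    min_distance is an assumed policy knob: new passwords fewer than this many
    edits away from the old one (e.g. 'mustang1977' -> 'mustang1978') are refused.
    """
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True                       # same password as last time
    if levenshtein(old_l, new_l) < min_distance:
        return True                       # the off-by-one / one-char tweak case
    if len(old_l) >= 6 and (old_l in new_l or new_l in old_l):
        return True                       # old password padded with a suffix/prefix
    if old_l == new_l[::-1]:
        return True                       # reversed old password
    return False


def check_change(old: str, new: str) -> str:
    """Return 'ok' or a rejection reason suitable for a password-change form."""
    if too_similar(old, new):
        return "new password is too similar to the previous one"
    return "ok"


if __name__ == "__main__":
    # Constructed sample pairs, including the exact case from the thread.
    for old, new in [("mustang1977", "mustang1978"),
                     ("mustang1977", "Mustang1977!"),
                     ("mustang1977", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```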