Proposal for action: SSH Key, User Cert and Password Flag Day
seth vidal
skvidal at fedoraproject.org
Mon Sep 12 16:49:47 UTC 2011
On Mon, 2011-09-12 at 10:40 -0600, Kevin Fenzi wrote:
> Some random thoughts/considerations:
>
> * We could also change fas password requirements at this time.
> We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
> where we agreed with:
>
> - Nine or more characters with lower and upper case letters, digits and
> punctuation marks.
>
> - Ten or more characters with lower and upper case letters and digits.
>
> - Twelve or more characters with lower case letters and digits.
So - I am sure I'm not the only one who does this - but how about
mandating pass PHRASES and make the minimum length be 40 characters?
Mary_had_a_little_lamb_whose_fleece_was_white_as_snow would work just
fine and should be substantially harder to crack :)
(/me is all about making friends today, apparently)
> * user certs and passwords are pretty quick and easy to change. Some
> people may object to ssh keys being changed, so I think we need to
> present clear reasoning on it. Perhaps:
>
> "While your ssh private key is hopefully secure, we would like you to
> take this chance to generate a new one and review your passphrase, key
> size and type and consider a separate key for fedora access. In the
> event your old private key was transferred or backed up to a system you
> may no longer realize it's still stored on, a new private key will
> allow you to confirm and review it's setup and storage."
>
> * We may have some users who have email on the affected systems (ie,
> kernel.org, linux.com, etc). Should we wait for those systems to be
> back up before taking action? They should be able to login and change
> their email in fas, but they may be unaware of the need to do so.
This sounds reasonable - though perhaps we should isolate that set of
users now and give their accounts an extra scouring. :)
> * For timing, we want to make sure this won't affect maintainers too
> much working on the release. Perhaps the deadline should be F16
> release? or is that too far out?
I'd be inclined for sooner than later but <shrug>
>
> * We could also be more strict with all users in the 'sysadmin*'
> groups perhaps. Ie, a shorter timeline for them to change things. Or
> make them the only group thats required to change and just suggest to
> other groups they do so.
This sounds good.
> * Users who fail to meet the deadline would be marked 'inactive' ? What
> would they need to do to re-activate? Just login and upload a new
> key/change password?
well "login" might be hard. I suspect we just nuke their ssh keys so
they cannot login to any shell w/o first getting into the fas.
>
> * How many users do we have with ssh keys uploaded?
3728 users on fedorapeople.org
That's fpca + 1 group.
1776 on fedorahosted.org - I've not checked for overlap there,
obviously.
-sv
More information about the infrastructure
mailing list