Proposal for action: SSH Key, User Cert and Password Flag Day

seth vidal skvidal at fedoraproject.org
Mon Sep 12 16:49:47 UTC 2011


On Mon, 2011-09-12 at 10:40 -0600, Kevin Fenzi wrote:

> Some random thoughts/considerations: 
> 
> * We could also change fas password requirements at this time. 
> We have: https://fedorahosted.org/fedora-infrastructure/ticket/2804
> where we agreed with: 
> 
> - Nine or more characters with lower and upper case letters, digits and
>   punctuation marks.
> 
> - Ten or more characters with lower and upper case letters and digits.
> 
> - Twelve or more characters with lower case letters and digits.

So - I am sure I'm not the only one who does this - but how about
mandating pass PHRASES and make the minimum length be 40 characters?

Mary_had_a_little_lamb_whose_fleece_was_white_as_snow would work just
fine and should be substantially harder to crack :)
(/me is all about making friends today, apparently)


> * user certs and passwords are pretty quick and easy to change. Some
>   people may object to ssh keys being changed, so I think we need to
>   present clear reasoning on it. Perhaps: 
> 
> "While your ssh private key is hopefully secure, we would like you to
> take this chance to generate a new one and review your passphrase, key
> size and type and consider a separate key for fedora access. In the
> event your old private key was transferred or backed up to a system you
> may no longer realize it's still stored on, a new private key will
> allow you to confirm and review its setup and storage."
> 
> * We may have some users who have email on the affected systems (ie,
>   kernel.org, linux.com, etc). Should we wait for those systems to be
>   back up before taking action? They should be able to login and change
>   their email in fas, but they may be unaware of the need to do so. 

This sounds reasonable - though perhaps we should isolate that set of
users now and give their accounts an extra scouring. :)


> * For timing, we want to make sure this won't affect maintainers too
>   much working on the release. Perhaps the deadline should be F16
>   release? or is that too far out? 

I'd be inclined for sooner than later but <shrug>

> 
> * We could also be more strict with all users in the 'sysadmin*'
>   groups perhaps. Ie, a shorter timeline for them to change things. Or
>   make them the only group that's required to change and just suggest to
>   other groups they do so. 

This sounds good.



> * Users who fail to meet the deadline would be marked 'inactive' ? What
>   would they need to do to re-activate? Just login and upload a new
>   key/change password? 

well "login" might be hard. I suspect we just nuke their ssh keys so
they cannot login to any shell w/o first getting into the fas.


> 
> * How many users do we have with ssh keys uploaded?

3728 users on fedorapeople.org

That's fpca + 1 group.

1776 on fedorahosted.org - I've not checked for overlap there,
obviously.

-sv
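
Added example, not part of the original message and not FAS code: a checker for the three tiers quoted from ticket 2804 and the 40-character minimum proposed in the reply. The function names are hypothetical, and it assumes "with" means at least one character of each named class, with other classes allowed.

```python
import math
import string

# Character classes named in the quoted ticket 2804 text.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
# (minimum length, required classes), in the order the thread lists them.
# Assumption: each named class must appear at least once.
TIERS = [
    (9, {"lower", "upper", "digit", "punct"}),
    (10, {"lower", "upper", "digit"}),
    (12, {"lower", "digit"}),
]
PASSPHRASE_MIN = 40  # minimum length proposed in the reply


def classes(pw):
    """Return the set of character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def matching_tier(pw):
    """Index of the first tier pw satisfies, or None if it satisfies none."""
    present = classes(pw)
    for i, (min_len, required) in enumerate(TIERS):
        if len(pw) >= min_len and required <= present:
            return i
    return None


def meets_passphrase_rule(pw):
    """True if pw meets the proposed 40-character minimum."""
    return len(pw) >= PASSPHRASE_MIN


def search_space_bits(pw):
    """Upper bound for exhaustive search: length * log2(alphabet size).
    It does not model dictionary or known-phrase guessing."""
    size = sum(len(CLASSES[c]) for c in classes(pw))
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    phrase = "Mary_had_a_little_lamb_whose_fleece_was_white_as_snow"
    print(matching_tier(phrase), meets_passphrase_rule(phrase),
          round(search_space_bits(phrase)))
```

The phrase from the message meets the 40-character rule but contains no digit, so it satisfies none of the three tiers; a deployment adopting both rules would need to accept a password that passes either one.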



