Re: Mass Password/ssh Key change announcement DRAFT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Fri, Oct 07, 2011 at 10:17:35AM -0600, Kevin Fenzi wrote:
> Greetings. 
> Here's what I have so far on an announcement for the mass password
> change/ssh key change. Suggestions for improvement very welcome. In
> particular more resources we could point people to, or common questions
> you think people will come up with that we could answer would be great. 
> Also, we need to decide what exactly we do to accounts that fail to
> meet the deadline. Are we just marking them inactive? Do we have any
> way to force them to change the password and upload a new key if they
> reactivate the account? 
I think that makring inactive will work for the password change (with the
password strength hotifix, we also no longer accept the same password as the
user last had). (Off by one we can't catch though: old: "mustang1977"
this would still be accepted: "mustang1978")

New ssh key won't be caught by fas but if they repeatedly re-enable without
uploading a new ssh key, we can mark their account admin_disabled so they
have to talk to us.

Do we want to mention the specific rationale for changing both passwords and
ssh keys?  1) the recent compromised sites were Linux related.  2) as far as
disclosed the sites were attacked via compromised accounts.  3) we have no
way of knowing if any of our users/contributors had accounts on those sites
and used the same password/ssh key with agent forwarding/uploaded a private
key there.


Attachment: pgpoyHnP8sP2q.pgp
Description: PGP signature

infrastructure mailing list

[Home]     [Fedora Users]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Red Hat 9 Bible]     [Fedora Bible]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]

Powered by Linux