Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-15 Thread Kevin Fenzi
On Fri, 14 Oct 2011 14:40:20 -0700 Toshio Kuratomi a.bad...@gmail.com wrote: On Fri, Oct 14, 2011 at 11:13:08PM +0200, Henrik Nordström wrote: tor 2011-10-13 klockan 12:32 -0600 skrev Kevin Fenzi: Currently there's not a way to do this, but there really should be.

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread drago01
On Fri, Oct 14, 2011 at 6:33 AM, Callum Lerwick s...@haxxed.com wrote: On Thu, Oct 13, 2011 at 11:25 PM, Paul Wouters p...@xelerance.com wrote: On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote: It's the only right way to do it. As a general rule, a private ssh key should NEVER be

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread Jef Spaleta
On Thu, Oct 13, 2011 at 11:43 PM, drago01 drag...@gmail.com wrote: There are people that use their keys for more than one machine. You people make it sound like it is so easy to change keys. It is *NOT* PERIOD. Well if fedora infrastructure asked us to use gpg keys for ssh auth, and we all

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread Jeffrey Ollie
On Fri, Oct 14, 2011 at 2:58 AM, Jef Spaleta jspal...@gmail.com wrote: Has anyone made any serious use of gpg subkeys as ssh auth? I've been playing with it a little but haven't fully made the jump yet. I've looked a little at monkeysphere this morning and it looks interesting. It'd be nice if

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread Jef Spaleta
On Fri, Oct 14, 2011 at 8:41 AM, Jeffrey Ollie j...@ocjtech.us wrote: I've looked a little at monkeysphere this morning and it looks interesting. It'd be nice if at least the FI folks could publish the host keys for the Fedora systems using monkeysphere. I plan on giving monkeysphere a good

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread Henrik Nordström
tor 2011-10-13 klockan 12:32 -0600 skrev Kevin Fenzi: Currently there's not a way to do this, but there really should be. https://fedorahosted.org/fedora-infrastructure/ticket/2977 Not even uploading an empty key file? -- devel mailing list devel@lists.fedoraproject.org

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-14 Thread Toshio Kuratomi
On Fri, Oct 14, 2011 at 11:13:08PM +0200, Henrik Nordström wrote: tor 2011-10-13 klockan 12:32 -0600 skrev Kevin Fenzi: Currently there's not a way to do this, but there really should be. https://fedorahosted.org/fedora-infrastructure/ticket/2977 t Not even uploading an empty key

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Nicu Buculei
On 10/12/2011 07:44 PM, Kevin Fenzi wrote: QA: Q: I never uploaded a ssh key to the Fedora Account System, nor am I in a group that needs one, do I still have to upload a new one? A: No. If you don't have a ssh public key uploaded or desire to do so, you can just change your password.

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Callum Lerwick
On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: Length beats out larger character set, which is nicely illustrated by the XKCD cartoon http://imgs.xkcd.com/comics/password_strength.png Be careful, that xkcd strip glosses over how that phrase was actually

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Richard W.M. Jones
On Wed, Oct 12, 2011 at 12:48:57PM -0700, Adam Williamson wrote: Sure. However, if you have multiple keys with multiple passphrases, then it's extra work to compromise each key. Not true at all. If I keep my key(s) in a single location (a secure machine at my home), then either all keys in

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Richard W.M. Jones
On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote: 2) We've found PRIVATE keys on our servers By all means educate these users with a large clue-stick. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming blog:

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Gerd Hoffmann
On 10/12/11 19:53, Adam Williamson wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real reason to ask people to change them. Reading between the lines of recent attacks, it seems likely

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Benny Amorsen
Tomas Mraz tm...@redhat.com writes: And if this malicious DNS administrator controls the caching nameserver you're using for DNS queries, he can present you ANY data even 'valid' fake DNSSEC data. This is not generally true. Resolver libraries can (and should, IMHO) verify DNSSEC themselves.

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Richard W.M. Jones
On Wed, Oct 12, 2011 at 02:18:20PM -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 22:13:11 +0200 Tomas Mraz tm...@redhat.com wrote: OK, but then you should not penalize also the people who keep their SSH private keys only on safe private computers. We're sorry if it's causing you

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Gerd Hoffmann
Hi, Sure, ssh keys are much harder to compromise than passwords, but _assuming a compromise has happened_ the consequences of using a single key for everything are just as bad as using a single password for everything. One ssh key per project doesn't make sense at all to me. They all

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Tomas Mraz
On Thu, 2011-10-13 at 10:29 +0200, Benny Amorsen wrote: Tomas Mraz tm...@redhat.com writes: And if this malicious DNS administrator controls the caching nameserver you're using for DNS queries, he can present you ANY data even 'valid' fake DNSSEC data. This is not generally true.

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Gerd Hoffmann
Hi, What can we do there? We can't separate out those with good practices and those without. For starters block ssh keys found @ fedorapeople.org ? cheers, Gerd -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Ralf Corsepius
On 10/12/2011 09:59 PM, Mike McGrath wrote: On Wed, 12 Oct 2011, Henrik Nordström wrote: ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across different projects. There is no security issue in sharing keys across different projects, other than that

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Tomas Mraz
On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote: On 10/12/2011 09:59 PM, Mike McGrath wrote: On Wed, 12 Oct 2011, Henrik Nordström wrote: ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across different projects. There is no security

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Ralf Corsepius
On 10/13/2011 11:13 AM, Tomas Mraz wrote: On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote: On 10/12/2011 09:59 PM, Mike McGrath wrote: On Wed, 12 Oct 2011, Henrik Nordström wrote: ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Jiri Moskovcak
On 10/13/2011 09:45 AM, Callum Lerwick wrote: On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski przemek.klosow...@nist.gov wrote: Length beats out larger character set, which is nicely illustrated by the XKCD cartoon http://imgs.xkcd.com/comics/password_strength.png Be careful, that xkcd

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Martin Gracik
On Wed, 2011-10-12 at 14:37 -0400, Przemek Klosowski wrote: On 10/12/2011 01:41 PM, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: * Nine or more characters with lower and upper case letters, digits and punctuation marks. * Ten or more characters with

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Paul Wouters
On Thu, 13 Oct 2011, Tomas Mraz wrote: And if this malicious DNS administrator controls the caching nameserver you're using for DNS queries, he can present you ANY data even 'valid' fake DNSSEC data. This is not generally true. Resolver libraries can (and should, IMHO) verify DNSSEC

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Paul Wouters
On Thu, 13 Oct 2011, Tomas Mraz wrote: Nope, you do not understand what the dependency is. Of course you depend on the DNS to not be compromised to get the IP address of the host but you still can verify the fingerprint on the first connection if you got it by other means. That scales as

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Adam Williamson
On Thu, 2011-10-13 at 09:12 +0100, Richard W.M. Jones wrote: On Wed, Oct 12, 2011 at 12:48:57PM -0700, Adam Williamson wrote: Sure. However, if you have multiple keys with multiple passphrases, then it's extra work to compromise each key. Not true at all. If I keep my key(s) in a single

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Adam Williamson
On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote: Hi, Sure, ssh keys are much harder to compromise than passwords, but _assuming a compromise has happened_ the consequences of using a single key for everything are just as bad as using a single password for everything. One ssh

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Toshio Kuratomi
On Thu, Oct 13, 2011 at 09:14:46AM +0100, Richard W.M. Jones wrote: On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote: 2) We've found PRIVATE keys on our servers By all means educate these users with a large clue-stick. The problem is this: Fedora contributors are a group of

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Wes Hardaker
On Thu, 13 Oct 2011 10:46:01 -0400 (EDT), Paul Wouters p...@xelerance.com said: PW Also, trusting the AD bit without trusting the last mile violates the PW RFC 3655 Section 3 [snip] PW If the ssh client grabs non-localhost resolver entries and trusts the AD PW bit, then that is a bug and

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Bernd Stramm
On Thu, 13 Oct 2011 10:39:03 -0700 Toshio Kuratomi a.bad...@gmail.com wrote: ... So what are our admins to do? 1) We could ignore the issue. We have a lot of contributors. Maybe we should just expect that some of their accounts are going to be compromised. Not maybe. Certainly some of

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Kevin Fenzi
On Thu, 13 Oct 2011 09:40:59 +0300 Nicu Buculei nicu_fed...@nicubunu.ro wrote: On 10/12/2011 07:44 PM, Kevin Fenzi wrote: QA: Q: I never uploaded a ssh key to the Fedora Account System, nor am I in a group that needs one, do I still have to upload a new one? A: No. If you don't

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Callum Lerwick
On Thu, Oct 13, 2011 at 2:45 AM, Callum Lerwick s...@haxxed.com wrote: Personally I've been generating passwords with pwgen -s 12 1, or for really important stuff (like online banking), pwgen -s 12 1. Erk, that should be pwgen -s -y 12 for the important stuff. Cut-and-paste fail. :( A fully

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Kevin Kofler
Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. I have to upload a

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Callum Lerwick
On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson awill...@redhat.com wrote: On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote: One ssh key per machine makes a lot more sense. For outgoing ssh connections from -- say -- shell.fedoraproject.org I wouldn't just copy my private key from my
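The "one key per machine / one key per project" argument above comes down to what a client actually offers to each host. The following is an added example (my own code, not from this thread and not Fedora infrastructure's): a small auditor for ~/.ssh/config that flags the habits being argued about, namely a stanza that forwards the agent (the remote host can then sign with every key the agent holds for as long as you are connected), a stanza that names an IdentityFile but not IdentitiesOnly yes (so every agent key is still offered to that host and the per-project split is not enforced), a stanza with no IdentityFile at all, and one key file shared by several Host stanzas. The sample config is constructed for the demo; shell.fedoraproject.org is the host named in the thread, the other host names and key paths are placeholders.

```python
"""Audit ~/.ssh/config for per-host key isolation.

Added example for this thread, not Fedora infrastructure code.
Limits: within a stanza the first value wins (as in ssh), repeated
IdentityFile lines are collapsed to the first, Match blocks are skipped,
and cross-stanza precedence (ssh takes the first value it finds across all
matching stanzas) is not modelled.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample config; shell.fedoraproject.org is named in the thread,
# the remaining host names and key paths are placeholders.
SAMPLE_CONFIG = """\
# one key, pinned to the host, nothing else offered
Host fedora
    HostName shell.fedoraproject.org
    IdentityFile ~/.ssh/id_fedora
    IdentitiesOnly yes
    VerifyHostKeyDNS yes

# same key reused, and the agent is forwarded to this box
Host work-box
    HostName work.example
    IdentityFile ~/.ssh/id_fedora
    ForwardAgent yes

# no IdentityFile: ssh tries the default keys and every agent key
Host *.example
    ForwardAgent no
"""


def parse_ssh_config(text: str) -> List[Dict]:
    """Return Host stanzas as {"patterns": [...], "options": {name: value}}.

    Options that appear before the first Host line land in an implicit
    "Host *" stanza. Keywords are case-insensitive. Stanzas without any
    option are dropped.
    """
    stanzas: List[Dict] = [{"patterns": ["*"], "options": {}}]
    current = stanzas[0]
    skipping = False  # inside a Match block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = {"patterns": value.split(), "options": {}}
            stanzas.append(current)
            skipping = False
        elif key == "match":
            skipping = True
        elif not skipping:
            current["options"].setdefault(key, value)  # first value wins
    return [s for s in stanzas if s["options"]]


def audit(stanzas: List[Dict]) -> List[Tuple[str, str]]:
    """Return (host pattern, finding) pairs for the risky habits."""
    findings: List[Tuple[str, str]] = []
    users = defaultdict(list)  # key file -> stanzas that use it
    for s in stanzas:
        name = " ".join(s["patterns"])
        opts = s["options"]
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append((name, "ForwardAgent yes: the remote host can sign "
                                   "with every key in your agent while you are connected"))
        keyfile = opts.get("identityfile")
        if keyfile is None:
            findings.append((name, "no IdentityFile: default keys and all agent keys are offered"))
        else:
            users[keyfile].append(name)
            if opts.get("identitiesonly", "no").lower() != "yes":
                findings.append((name, "IdentityFile without IdentitiesOnly yes: "
                                       "other agent keys are still offered to this host"))
    for keyfile, names in users.items():
        if len(names) > 1:
            findings.append((" ".join(names),
                             f"{keyfile} is shared by {len(names)} stanzas; "
                             "one compromise opens all of them"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(parse_ssh_config(SAMPLE_CONFIG)):
        print(f"{host}: {finding}")
```

Run against the sample, the "fedora" stanza produces nothing, "work-box" is flagged twice (agent forwarding, and no IdentitiesOnly), "*.example" for the missing IdentityFile, and id_fedora for being shared. Point it at a real file with `parse_ssh_config(open(path).read())`.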

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Toshio Kuratomi
On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote: On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson awill...@redhat.com wrote: On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote: One ssh key per machine makes a lot more sense. For outgoing ssh connections from -- say --

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Callum Lerwick
On Thu, Oct 13, 2011 at 11:18 PM, Toshio Kuratomi a.bad...@gmail.com wrote: On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote: On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson awill...@redhat.com wrote: On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote: One ssh key per

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Paul Wouters
On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote: It's the only right way to do it. As a general rule, a private ssh key should NEVER be transferred off the machine it was generated on. Yeah, who needs backups of private keys anyways! you have the same private key on more than

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-13 Thread Paul Wouters
On Thu, 13 Oct 2011, Callum Lerwick wrote: Yeah, who needs backups of private keys anyways! We're talking about SSH keys here. There's no web of trust to lose. Lose your keys? Generate new ones. And contact my customers and what not to change it? Go past all the servers i have access to with

Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30 Summary: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. Failure to do so may

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
On Wed, 12 Oct 2011 13:30:19 -0400 Jeff Layton jlay...@redhat.com wrote: I have a question not covered here: I just changed my ssh key a week or two ago in the wake of the kernel.org compromise... Is my new key sufficient? I really don't want to have to re-distribute my key to all of the

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Richard Hughes
On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key before 2011-11-30. I have to upload a *new* public key? Why

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 13:30:19 -0400 Jeff Layton jlay...@redhat.com wrote: I have a question not covered here: I just changed my ssh key a week or two ago in the wake of the kernel.org compromise... Is my new key sufficient? I really

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Digimer
On 10/12/2011 12:44 PM, Kevin Fenzi wrote: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30 Summary: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to change their password and upload a NEW ssh public key

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread seth vidal
On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required to

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real reason to ask people to change them. Reading between the lines of recent attacks, it seems likely that private keys compromised in some of the

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 13:53 -0400, seth vidal wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread drago01
On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real reason to ask people to change them. Reading between the lines of

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Mike McGrath
On Wed, 12 Oct 2011, Simo Sorce wrote: On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 13:30:19 -0400 Jeff Layton jlay...@redhat.com wrote: I have a question not covered here: I just changed my ssh key a week or two ago in the wake of the kernel.org

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread seth vidal
On Wed, 2011-10-12 at 10:58 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 13:53 -0400, seth vidal wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote:

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Jon Ciesla
On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts are required

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Peter Robinson
On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org/accounts

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 10:53 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real reason to ask people to change them. Reading between the lines of recent

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Peter Robinson
On Wed, Oct 12, 2011 at 7:01 PM, drago01 drag...@gmail.com wrote: On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Digimer
On 10/12/2011 02:10 PM, Peter Robinson wrote: On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS)

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote: On Wed, 12 Oct 2011, Simo Sorce wrote: On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 13:30:19 -0400 Jeff Layton jlay...@redhat.com wrote: I have a question not covered here: I just changed my ssh

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
The password change is understandable, but why force an SSH key change with such short notice? And what if the SSH key is a hard token (smartcard) which can not be copied or trivially changed? Switching to a soft key would be mostly counter-productive from a security point of view. Now I were not

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Peter Robinson
2011/10/12 Henrik Nordström hen...@henriknordstrom.net: The password change is understandable, but why force an SSH key change with such short notice? And what if the SSH key is a hard token (smartcard) which can not be copied or trivially changed? Switching to a soft key would be mostly

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote: On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the password, but leave my ssh keys alone, unless there is a real reason to

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Jon Ciesla
On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: All existing users of the Fedora Account System (FAS) at

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread drago01
On Wed, Oct 12, 2011 at 8:24 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote: On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson awill...@redhat.com wrote: On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote: I have no problem with changing the

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote: Storing a public key is not an issue, so the fact I use my key with different projects has absolutely no bearing on my exposure, zero, zilch. Unless I store my *private* keys on non-personal machines. I rather suspect this is exactly what

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Przemek Klosowski
On 10/12/2011 01:41 PM, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote: * Nine or more characters with lower and upper case letters, digits and punctuation marks. * Ten or more characters with lower and upper case letters and digits. * Twelve or more

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 13:25 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote:

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote: On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote: On Wed, 12 Oct 2011, Simo Sorce wrote: On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 13:30:19 -0400 Jeff Layton jlay...@redhat.com wrote:

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Jon Ciesla
On Wed, 2011-10-12 at 13:25 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote: On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote: On 12 October 2011 17:44, Kevin Fenzi ke...@scrye.com wrote:

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across different projects. There is no security issue in sharing keys across different projects, other than that it gives a strong hint that you are the same person in both projects, much stronger than name

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 21:07 +0200, Henrik Nordström wrote: ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across different projects. There is no security issue in sharing keys across different projects, Sure there is. There's the exact same problem

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
ons 2011-10-12 klockan 13:25 -0500 skrev Jon Ciesla: Plus, you could have multiple keys, all with the same passphrase, for different things, should you so desire. That's effectively one shared key for all. If one of them is compromised then most likely all of them are, as the attacker

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Jon Ciesla
ons 2011-10-12 klockan 13:25 -0500 skrev Jon Ciesla: Plus, you could have multiple keys, all with the same passphrase, for different things, should you so desire. That's effectively one shared key for all. If one of them is compromised then most likely all of them are, as the attacker

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
ons 2011-10-12 klockan 19:22 +0100 skrev Peter Robinson: If you're using a hard token you should be using subkeys I believe and not the root key, not sure if that's gpg or ssh or both. Subkeys are not relevant to the SSH world. That's an OpenPGP thing where the main key should only be used for

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
ons 2011-10-12 klockan 12:20 -0700 skrev Adam Williamson: Sure there is. There's the exact same problem as using the same password across multiple projects: if someone compromises the key they have compromised all of those projects. If you use a different key for each project, an attacker can

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Horst H. von Brand
Jon Ciesla l...@jcomserv.net wrote: [...] It's really not a huge hassle. I've already done it. I configured the .ssh/config files where I needed to, and it doesn't conflict with any other keys I have. I don't get what the big deal is. The disruption is, like, five minutes of work. The

VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Paul Wouters
On Wed, 12 Oct 2011, Kevin Fenzi wrote: * DO verify ssh host keys via dnssec protected dns. ( .ssh/config: VerifyHostKeyDNS yes) https://bugzilla.redhat.com/show_bug.cgi?id=180277 https://bugzilla.redhat.com/show_bug.cgi?id=730558 You can't tell us to use this while at the same time refusing
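The VerifyHostKeyDNS advice quoted above rests on SSHFP records in the zone and on the client comparing the presented host key against them. As an added example (my own code, not from this thread and not Fedora infrastructure's), the block below computes the SSHFP records a zone should publish for an OpenSSH public key line, in the form `ssh-keygen -r <host>` prints, and implements the client-side comparison that VerifyHostKeyDNS performs once the records are in hand. The two host keys are constructed inline (a counting-pattern Ed25519 blob and a dummy RSA blob, not real keys); Ed25519 SSHFP records postdate this 2011 thread and are used here only because the blob has a fixed size. No DNS lookup is done, and the result only means anything if the resolver validated DNSSEC on the way, which is exactly the last-mile / AD-bit disagreement elsewhere in this thread.

```python
"""SSHFP records for an OpenSSH host key, and the client-side check behind
VerifyHostKeyDNS yes.

Added example for this thread, not Fedora infrastructure code.
Record layout (RFC 4255 for SHA-1, RFC 6594 for SHA-256 and ECDSA,
RFC 7479 for Ed25519):
    <host> IN SSHFP <algorithm> <fptype> <hex digest of the raw key blob>
"""
import base64
import hashlib
import hmac
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

Record = Tuple[int, int, str]  # (algorithm, fptype, hex fingerprint)


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Split '<type> <base64 blob> [comment]' into (type, raw blob).

    The blob begins with the key type as an SSH string; it must agree with
    the text field, otherwise a record for one algorithm could be checked
    against a key of another.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != keytype.encode():
        raise ValueError("key type field does not match the blob")
    return keytype, blob


def sshfp_records(pubkey_line: str) -> List[Record]:
    """Fingerprints the zone should publish for this key, SHA-1 and SHA-256."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    return [(algo, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def zone_lines(hostname: str, records: List[Record]) -> str:
    """Zone-file text for the records, one RR per line."""
    return "\n".join(f"{hostname}. IN SSHFP {a} {t} {fp}" for a, t, fp in records)


def host_key_matches(pubkey_line: str, records: List[Record]) -> bool:
    """Accept the presented host key only if a published record matches.

    Only records for the key's own algorithm count. If the zone publishes a
    SHA-256 record for that algorithm, SHA-1 records are ignored, so a weaker
    SHA-1 entry cannot be used to pass off a different key. Comparison is
    constant-time.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO.get(keytype)
    if algo is None:
        return False
    candidates = [(t, fp) for a, t, fp in records if a == algo and t in SSHFP_HASH]
    if not candidates:
        return False
    best = max(t for t, _ in candidates)
    for fptype, published in candidates:
        if fptype != best:
            continue
        computed = SSHFP_HASH[fptype](blob).hexdigest()
        if hmac.compare_digest(computed, published.lower()):
            return True
    return False


# Constructed demo keys: NOT real keys, the key material is a counting pattern.
DEMO_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
DEMO_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(DEMO_ED25519_BLOB).decode() + " demo-host"
DEMO_RSA_BLOB = (ssh_string(b"ssh-rsa")
                 + ssh_string(b"\x01\x00\x01")                              # e = 65537
                 + ssh_string(b"\x00\xc0" + bytes(range(255, 224, -1))))    # dummy modulus
DEMO_RSA_LINE = "ssh-rsa " + base64.b64encode(DEMO_RSA_BLOB).decode() + " demo-host"

if __name__ == "__main__":
    recs = sshfp_records(DEMO_ED25519_LINE)
    print(zone_lines("host.example", recs))
    print("presented key matches zone:", host_key_matches(DEMO_ED25519_LINE, recs))
```

For a real host, feed `sshfp_records` the lines of `/etc/ssh/ssh_host_*_key.pub` and publish the output in a signed zone; on the client side, `host_key_matches` is the comparison step only, the lookup and the DNSSEC validation have to happen before it, and the ssh client should not take a remote resolver's AD bit as proof of that validation.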

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
On Wed, 12 Oct 2011 13:53:34 -0400 Digimer li...@alteeve.com wrote: On 10/12/2011 12:44 PM, Kevin Fenzi wrote: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30 Summary: All existing users of the Fedora Account System (FAS) at https://admin.fedoraproject.org

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 12:20 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 21:07 +0200, Henrik Nordström wrote: ons 2011-10-12 klockan 13:04 -0500 skrev Mike McGrath: Lots of people use and share keys across different projects. There is no security issue in sharing keys across

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
On Wed, 12 Oct 2011 15:43:42 -0400 (EDT) Paul Wouters p...@xelerance.com wrote: On Wed, 12 Oct 2011, Kevin Fenzi wrote: * DO verify ssh host keys via dnssec protected dns. ( .ssh/config: VerifyHostKeyDNS yes) https://bugzilla.redhat.com/show_bug.cgi?id=180277

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 21:38 +0200, Henrik Nordström wrote: ons 2011-10-12 klockan 12:20 -0700 skrev Adam Williamson: Sure there is. There's the exact same problem as using the same password across multiple projects: if someone compromises the key they have compromised all of those

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
On Wed, 12 Oct 2011 20:19:27 +0200 Henrik Nordström hen...@henriknordstrom.net wrote: The password change is understandable, but why force an SSH key change with such short notice? Short? 1.5 months? How long would you like? And what if the SSH key is a hard token (smartcard) which can not

Re: VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 15:43 -0400, Paul Wouters wrote: On Wed, 12 Oct 2011, Kevin Fenzi wrote: * DO verify ssh host keys via dnssec protected dns. ( .ssh/config: VerifyHostKeyDNS yes) https://bugzilla.redhat.com/show_bug.cgi?id=180277 https://bugzilla.redhat.com/show_bug.cgi?id=730558

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Adam Williamson
On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote: That's a nonsense. Simply said. If I have a properly generated random ssh private key with a strong passphrase that I never put outside of my workstations and safe backup media then there is no other way it can be compromised than to

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Paul Wouters
On Wed, 12 Oct 2011, Adam Williamson wrote: Reading between the lines of recent attacks, it seems likely that private keys compromised in some of the attacks were used to perform others. (No-one's come out and officially said this yet but it seems pretty obvious from the subtext of some of

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Horst H. von Brand
Digimer li...@alteeve.com wrote: [...] The idea of maintaining a second set of keys for Fedora (and again for any other projects that follow suit) is, I'd argue, unreasonably burdensome. Oh, come on. It was less than 5 minutes (and I learnt a bit while at it too). From now on, it will be

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Mike McGrath
On Wed, 12 Oct 2011, Henrik Nordström wrote: Wed 2011-10-12 at 13:04 -0500 Mike McGrath wrote: Lots of people use and share keys across different projects. There is no security issue in sharing keys across different projects, other than that it gives a strong hint that you are the same

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
Wed 2011-10-12 at 13:49 -0600 Kevin Fenzi wrote: If you can't change your token, then I would posit you have a problem. What if you KNEW your private key was compromised? Surely there is a way to generate a new one... I can change it, but it means changing it for all systems I access

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote: On Wed, 12 Oct 2011, Henrik Nordström wrote: Wed 2011-10-12 at 13:04 -0500 Mike McGrath wrote: Lots of people use and share keys across different projects. There is no security issue in sharing keys across different

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Jon Ciesla
Wed 2011-10-12 at 13:49 -0600 Kevin Fenzi wrote: If you can't change your token, then I would posit you have a problem. What if you KNEW your private key was compromised? Surely there is a way to generate a new one... I can change it, but it means changing it for all systems I access

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Kevin Fenzi
On Wed, 12 Oct 2011 22:13:11 +0200 Tomas Mraz tm...@redhat.com wrote: OK, but then you should not penalize also the people who keep their SSH private keys only on safe private computers. We're sorry if it's causing you inconvenience. We have no way at all to tell apart the groups of people

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 12:48 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 21:38 +0200, Henrik Nordström wrote: Wed 2011-10-12 at 12:20 -0700 Adam Williamson wrote: Sure there is. There's the exact same problem as using the same password across multiple projects: if someone

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 20:19:27 +0200 Henrik Nordström hen...@henriknordstrom.net wrote: The password change is understandable, but why force an SSH key change with such short notice? Short? 1.5 months? How long would you like?

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote: That's a nonsense. Simply said. If I have a properly generated random ssh private key with a strong passphrase that I never put outside of my workstations and safe backup media

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Simo Sorce
On Wed, 2011-10-12 at 14:18 -0600, Kevin Fenzi wrote: On Wed, 12 Oct 2011 22:13:11 +0200 Tomas Mraz tm...@redhat.com wrote: OK, but then you should not penalize also the people who keep their SSH private keys only on safe private computers. We're sorry if it's causing you

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Toshio Kuratomi
On Wed, Oct 12, 2011 at 08:19:27PM +0200, Henrik Nordström wrote: And why is so much of the Fedora infrastructure relying on plain text password exchanges (within SSL, but still plain text at the Fedora servers) when there is both HTTP digest authentication (no plaintext seen by Fedora

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 15:22 -0500, Mike McGrath wrote: On Wed, 12 Oct 2011, Tomas Mraz wrote: On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote: On Wed, 12 Oct 2011, Henrik Nordström wrote: Wed 2011-10-12 at 13:04 -0500 Mike McGrath wrote: Lots of people use and

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread seth vidal
On Wed, 2011-10-12 at 22:13 +0200, Tomas Mraz wrote: You have to remember, lots of our contributors aren't highly technical. Some don't even know what a private key is. They just follow the docs on the website and get access to contribute. Not everyone is a packager. OK, but then you

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread seth vidal
On Wed, 2011-10-12 at 22:34 +0200, Tomas Mraz wrote: Unnecessary work is kind of punishment. BTW what prevents the people who do not care about their SSH private key security to upload their new SSH key to a compromised system immediately after they generate it again? Nothing prevents them

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Pierre-Yves Chibon
On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote: On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote: That's a nonsense. Simply said. If I have a properly generated random ssh private key with a strong passphrase that I

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Tomas Mraz
On Wed, 2011-10-12 at 22:50 +0200, Pierre-Yves Chibon wrote: On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote: On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote: On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote: That's a nonsense. Simply said. If I have a properly

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Sam Varshavchik
Kevin Fenzi writes: New Password Rules: * Nine or more characters with lower and upper case letters, digits and punctuation marks. * Ten or more characters with lower and upper case letters and digits. * Twelve or more characters with lower case letters and digits * Twenty or more characters

Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

2011-10-12 Thread Henrik Nordström
Wed 2011-10-12 at 14:59 -0500 Mike McGrath wrote: 1) People share keys across different projects. Yes. 2) We've found PRIVATE keys on our servers Which should lead to immediate account suspension, no matter if that key is the Fedora key or some other key. And in reality it's not
