On Fri, 14 Oct 2011 14:40:20 -0700
Toshio Kuratomi wrote:
> On Fri, Oct 14, 2011 at 11:13:08PM +0200, Henrik Nordström wrote:
> > Thu 2011-10-13 at 12:32 -0600, Kevin Fenzi wrote:
> >
> > > Currently there's not a way to do this, but there really should
> > > be.
> > >
> > > https://fedora
On Fri, Oct 14, 2011 at 11:13:08PM +0200, Henrik Nordström wrote:
> Thu 2011-10-13 at 12:32 -0600, Kevin Fenzi wrote:
>
> > Currently there's not a way to do this, but there really should be.
> >
> > https://fedorahosted.org/fedora-infrastructure/ticket/2977
> t
> Not even uploading an empty
Thu 2011-10-13 at 12:32 -0600, Kevin Fenzi wrote:
> Currently there's not a way to do this, but there really should be.
>
> https://fedorahosted.org/fedora-infrastructure/ticket/2977
Not even uploading an empty key file?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.
On Fri, Oct 14, 2011 at 8:41 AM, Jeffrey Ollie wrote:
> I've looked a little at monkeysphere this morning and it looks
> interesting. It'd be nice if at least the FI folks could publish the
> host keys for the Fedora systems using monkeysphere. I plan on giving
> monkeysphere a good trial here.
On Fri, Oct 14, 2011 at 2:58 AM, Jef Spaleta wrote:
>
> Has anyone made any serious use of gpg subkeys as ssh auth? I've been
> playing with it a little but haven't fully made the jump yet.
I've looked a little at monkeysphere this morning and it looks
interesting. It'd be nice if at least the FI
Hi,
>> That's kinda silly. I work on a desktop or on a laptop. When working on
>> my desktop, I really don't want to fire up my laptop just for the ssh
>> key. And adding two keys in all authorized_keys for this is kinda silly,
>> and does not add any security over the one copied key.
>
> You'r
On Thu, Oct 13, 2011 at 11:43 PM, drago01 wrote:
> There are people that use their keys for more than one machine. You
> people make it sound like it is so easy to change keys.
> It is *NOT* PERIOD.
Well if fedora infrastructure asked us to use gpg keys for ssh auth,
and we all used gpg subkey cr
On Fri, Oct 14, 2011 at 6:33 AM, Callum Lerwick wrote:
> On Thu, Oct 13, 2011 at 11:25 PM, Paul Wouters wrote:
>> On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote:
>>
>>> It's the only right way to do it. As a general rule, a private ssh key
>>> should NEVER be transferred off the ma
On Thu, 13 Oct 2011, Callum Lerwick wrote:
>> Yeah, who needs backups of private keys anyways!
>
> We're talking about SSH keys here. There's no web of trust to lose.
> Lose your keys? Generate new ones.
And contact my customers and what not to change it? Go past all the
servers I have access to
On Thu, Oct 13, 2011 at 11:25 PM, Paul Wouters wrote:
> On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote:
>
>> It's the only right way to do it. As a general rule, a private ssh key
>> should NEVER be transferred off the machine it was generated on.
>
> Yeah, who needs backups of priv
On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote:
> It's the only right way to do it. As a general rule, a private ssh key
> should NEVER be transferred off the machine it was generated on.
Yeah, who needs backups of private keys anyways!
> you have the same private key on more than
On Thu, Oct 13, 2011 at 11:18 PM, Toshio Kuratomi wrote:
> On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote:
>> On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson
>> wrote:
>> > On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote:
>> >> One ssh key per machine makes a lot more sen
On Thu, Oct 13, 2011 at 10:55:59PM -0500, Callum Lerwick wrote:
> On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson wrote:
> > On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote:
> >> One ssh key per machine makes a lot more sense. For outgoing ssh
> >> connections from -- say -- shell.fedorap
On Thu, Oct 13, 2011 at 12:18 PM, Adam Williamson wrote:
> On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote:
>> One ssh key per machine makes a lot more sense. For outgoing ssh
>> connections from -- say -- shell.fedoraproject.org I wouldn't just copy
>> my private key from my laptop but gen
Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi wrote:
>> All existing users of the Fedora Account System (FAS) at
>> https://admin.fedoraproject.org/accounts are required to change their
>> password and upload a NEW ssh public key before 2011-11-30.
>
> I have to upload a *new* pub
On Thu, Oct 13, 2011 at 2:45 AM, Callum Lerwick wrote:
> Personally I've been generating passwords with "pwgen -s 12 1", or for
> really important stuff (like online banking), "pwgen -s 12 1".
Erk, that should be "pwgen -s -y 12" for the important stuff.
Cut-and-paste fail. :(
A fully random 12
I think requiring a minimum sized password that is pretty long, like maybe
15-20 or larger. The chance of somebody cracking those sized passwords would
be smaller. Also I know there was a previous issue about the Yubikey as part
of security. In my opinion requiring a 15-20 long password added with a
On Thu, 13 Oct 2011 09:40:59 +0300
Nicu Buculei wrote:
> On 10/12/2011 07:44 PM, Kevin Fenzi wrote:
> >
> > Q&A:
> >
> >
> > Q: I never uploaded a ssh key to the Fedora Account System, nor am I
> > in a group that needs one, do I still have to upload a new one?
> >
> > A: No. If you don't have a
On Thu, 13 Oct 2011 10:39:03 -0700
Toshio Kuratomi wrote:
>...
> So what are our admins to do? 1) We could ignore the issue. We have
> a lot of contributors. Maybe we should just expect that some of
> their accounts are going to be compromised.
Not maybe. Certainly some of the accounts will
> On Thu, 13 Oct 2011 10:46:01 -0400 (EDT), Paul Wouters
> said:
PW> Also, trusting the AD bit without trusting the last mile violates the
PW> RFC 3655 Section 3
[snip]
PW> If the ssh client grabs non-localhost resolver entries and trusts the AD
PW> bit, then that is a bug and should
On Thu, Oct 13, 2011 at 09:14:46AM +0100, Richard W.M. Jones wrote:
> On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote:
> > 2) We've found PRIVATE keys on our servers
>
> By all means educate these users with a large clue-stick.
>
The problem is this:
Fedora contributors are a group
On Thu, 2011-10-13 at 10:43 +0200, Gerd Hoffmann wrote:
> Hi,
>
> > Sure, ssh keys are much harder to compromise than passwords, but
> > _assuming a compromise has happened_ the consequences of using a single
> > key for everything are just as bad as using a single password for
> > everything.
>
On Thu, 2011-10-13 at 09:12 +0100, Richard W.M. Jones wrote:
> On Wed, Oct 12, 2011 at 12:48:57PM -0700, Adam Williamson wrote:
> > Sure. However, if you have multiple keys with multiple passphrases, then
> > it's extra work to compromise each key.
>
> Not true at all. If I keep my key(s) in a si
On Thu, 13 Oct 2011, Tomas Mraz wrote:
> Nope, you do not understand what the dependency is. Of course you depend
> on the DNS to not be compromised to get the IP address of the host but
> you still can verify the fingerprint on the first connection if you got
> it by other means.
That scales as
On Thu, 13 Oct 2011, Tomas Mraz wrote:
>>
>>> And if this malicious DNS administrator controls the caching
>>> nameserver you're using for DNS queries, he can present you ANY data
>>> even 'valid' fake DNSSEC data.
>>
>> This is not generally true. Resolver libraries can (and should, IMHO)
>> veri
On Wed, 2011-10-12 at 14:37 -0400, Przemek Klosowski wrote:
> On 10/12/2011 01:41 PM, Richard Hughes wrote:
> > On 12 October 2011 17:44, Kevin Fenzi wrote:
> >> * Nine or more characters with lower and upper case letters, digits and
> >> punctuation marks.
> >> * Ten or more characters with low
On 10/13/2011 09:45 AM, Callum Lerwick wrote:
> On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
> wrote:
>> Length beats out larger character set, which is nicely illustrated by
>> the XKCD cartoon
>>
>> http://imgs.xkcd.com/comics/password_strength.png
>
> Be careful, that xkcd strip glosses
On 10/13/2011 11:13 AM, Tomas Mraz wrote:
> On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
>> On 10/12/2011 09:59 PM, Mike McGrath wrote:
>>> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>>>
Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> Lots of people use and shar
On Thu, 2011-10-13 at 10:59 +0200, Ralf Corsepius wrote:
> On 10/12/2011 09:59 PM, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Henrik Nordström wrote:
> >
> >> Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> >>
> >>> Lots of people use and share keys across different projects.
> >>
> >>
On 10/12/2011 09:59 PM, Mike McGrath wrote:
> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>
>> Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
>>
>>> Lots of people use and share keys across different projects.
>>
>> There is no security issue in sharing keys across different projects,
>> ot
Hi,
> What can we do there? We can't separate out those with good practices
> and those without.
For starters block ssh keys found @ fedorapeople.org ?
cheers,
Gerd
On Thu, 2011-10-13 at 10:29 +0200, Benny Amorsen wrote:
> Tomas Mraz writes:
>
> > And if this malicious DNS administrator controls the caching
> > nameserver you're using for DNS queries, he can present you ANY data
> > even 'valid' fake DNSSEC data.
>
> This is not generally true. Resolver li
Hi,
> Sure, ssh keys are much harder to compromise than passwords, but
> _assuming a compromise has happened_ the consequences of using a single
> key for everything are just as bad as using a single password for
> everything.
One ssh key per project doesn't make sense at all to me. They all
On Wed, Oct 12, 2011 at 02:18:20PM -0600, Kevin Fenzi wrote:
> On Wed, 12 Oct 2011 22:13:11 +0200
> Tomas Mraz wrote:
>
> >
> > OK, but then you should not penalize also the people who keep their
> > SSH private keys only on safe private computers.
>
> We're sorry if it's causing you inconvenie
Tomas Mraz writes:
> And if this malicious DNS administrator controls the caching
> nameserver you're using for DNS queries, he can present you ANY data
> even 'valid' fake DNSSEC data.
This is not generally true. Resolver libraries can (and should, IMHO)
verify DNSSEC themselves. Otherwise DNSS
On 10/12/11 19:53, Adam Williamson wrote:
> On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>
>> I have no problem with changing the password, but leave my ssh keys
>> alone, unless there is a real reason to ask people to change them.
>
> Reading between the lines of recent attacks, it seems l
On Wed, Oct 12, 2011 at 02:59:31PM -0500, Mike McGrath wrote:
> 2) We've found PRIVATE keys on our servers
By all means educate these users with a large clue-stick.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordp
On Wed, Oct 12, 2011 at 12:48:57PM -0700, Adam Williamson wrote:
> Sure. However, if you have multiple keys with multiple passphrases, then
> it's extra work to compromise each key.
Not true at all. If I keep my key(s) in a single location (a secure
machine at my home), then either all keys in th
On Wed, Oct 12, 2011 at 1:37 PM, Przemek Klosowski
wrote:
> Length beats out larger character set, which is nicely illustrated by
> the XKCD cartoon
>
> http://imgs.xkcd.com/comics/password_strength.png
Be careful, that xkcd strip glosses over how that phrase was actually
generated. If you just p
On 10/12/2011 07:44 PM, Kevin Fenzi wrote:
>
> Q&A:
>
>
> Q: I never uploaded a ssh key to the Fedora Account System, nor am I
> in a group that needs one, do I still have to upload a new one?
>
> A: No. If you don't have a ssh public key uploaded or desire to do so,
> you can just change your pass
On Wed, 12 Oct 2011 20:23:55 -0400
Orcan Ogetbil wrote:
> On Wed, Oct 12, 2011 at 12:44 PM, Kevin Fenzi wrote:
> >
> > New Password Rules:
> ...
> > * No maximum length.
> >
>
> I thought about this for a while. Is this ever possible? What kind of
> storage do we use?
Yeah, in practice there's
Once upon a time, Orcan Ogetbil said:
> On Wed, Oct 12, 2011 at 12:44 PM, Kevin Fenzi wrote:
> > New Password Rules:
> ...
> > * No maximum length.
>
> I thought about this for a while. Is this ever possible? What kind of
> storage do we use?
Yeah, I saw that too. A literal "no maximum length"
On Wed, Oct 12, 2011 at 12:44 PM, Kevin Fenzi wrote:
>
> New Password Rules:
...
> * No maximum length.
>
I thought about this for a while. Is this ever possible? What kind of
storage do we use?
Orcan
On 10/12/2011 10:44 AM, Kevin Fenzi wrote:
> Q: How do I generate a new ssh key? How do I use it for just Fedora
> hosts?
>
> A: See http://fedoraproject.org/wiki/Cryptography and use a
> ~/.ssh/config file to match fedoraproject.org hosts for that key.
So just a message to say, thanks for the ins
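As an added illustration of the answer quoted just above (example code written for this page, not code from the Fedora wiki, FAS or anyone in the thread), here is a small POSIX sh script that gives the Fedora hosts their own key and pins it in ~/.ssh/config. The key path id_ed25519_fedora, the key comment and the *.fedoraproject.org host pattern are assumptions; ed25519 keys postdate this thread, so on an OpenSSH older than 6.5 use -t rsa -b 4096 instead. The IdentitiesOnly line matters for the point Henrik Nordström makes further down the page, that a shared key is a strong hint that two accounts belong to the same person: without it, ssh offers every key loaded in the agent to every server it talks to, so each server sees the public halves of all your identities.

```sh
#!/bin/sh
# Added example for this page (not code from the thread or the Fedora wiki):
# one key for Fedora hosts only, selected by a Host stanza in ~/.ssh/config.

# write_fedora_ssh_config CONFIG_FILE KEY_FILE
# Appends a stanza matching *.fedoraproject.org (assumed host pattern) that
# offers only KEY_FILE to those hosts. IdentitiesOnly stops ssh from also
# offering every key loaded in ssh-agent, which would otherwise let the
# server correlate this account with your other identities.
write_fedora_ssh_config() {
    cfg="$1"; key="$2"
    if [ -f "$cfg" ] && grep -q '^Host \*\.fedoraproject\.org' "$cfg"; then
        return 0   # stanza already present; do not append a duplicate
    fi
    cat >> "$cfg" <<EOF

# Dedicated key for Fedora infrastructure only
Host *.fedoraproject.org
    IdentityFile $key
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# fedora_key_for CONFIG_FILE -> prints the IdentityFile of that stanza
fedora_key_for() {
    awk '/^Host \*\.fedoraproject\.org/ { inblk = 1; next }
         /^Host /                       { inblk = 0 }
         inblk && $1 == "IdentityFile"  { print $2; exit }' "$1"
}

# Key generation is a side effect, so it only runs when invoked as
# "sh this-script.sh setup"; ssh-keygen prompts for a passphrase.
if [ "${1:-}" = setup ]; then
    key="$HOME/.ssh/id_ed25519_fedora"          # assumed path
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" -C "fedora-only"
    write_fedora_ssh_config "$HOME/.ssh/config" "$key"
    echo "Upload $key.pub to FAS; ssh will offer it only to *.fedoraproject.org"
fi
```

The everyday key stays where it is for everything else; only connections whose hostname matches the pattern use the new key, so nothing changes on other projects' servers. To confirm which identity is actually offered, run ssh -v against a Fedora host and look at the "Offering public key" lines.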
On Wed, 12 Oct 2011 19:20:54 -0400
Bernd Stramm wrote:
> I for one am fairly certain that the folks who left their private
> keys on public systems will do that again, fairly quickly.
I'm not so sure. I hope some of them will take a minute to read and
follow best practices.
> I am also
> fair
On Wed, 12 Oct 2011 16:40:07 -0400
seth vidal wrote:
> On Wed, 2011-10-12 at 22:34 +0200, Tomas Mraz wrote:
> > Unnecessary work is kind of punishment.
> >
> > BTW what prevents the people who do not care about their SSH
> > private key security to upload their new SSH key to a compromised
> > s
On Wed, 2011-10-12 at 18:17 -0400, Paul Wouters wrote:
> On Wed, 12 Oct 2011, Tomas Mraz wrote:
>
> > Except nobody says or said that DNS without DNSSEC leads to the
> > automatic connection with such setting.
>
> I answered that multiple times, including today with a vast amount of screen
> pa
On Wed, 12 Oct 2011, Tomas Mraz wrote:
> Except nobody says or said that DNS without DNSSEC leads to the
> automatic connection with such setting.
I answered that multiple times, including today with a vast amount of screen
pasting
into https://bugzilla.redhat.com/show_bug.cgi?id=180277 to show
On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote:
> Sorry Adam but this is BS, if your laptop is stolen you MUST replace all
> your keys anyways because you cannot count on them not being
> compromised, period. So this complex scenario is just mirrors and smoke.
It's an example of a situation
On Wed, 2011-10-12 at 17:41 -0400, Sam Varshavchik wrote:
> Kevin Fenzi writes:
>
> > New Password Rules:
> >
> > * Nine or more characters with lower and upper case letters, digits and
> > punctuation marks.
> > * Ten or more characters with lower and upper case letters and digits.
> > * Twelv
Wed 2011-10-12 at 15:15 -0500, Jon Ciesla wrote:
> Well, no, actually it just means you just need to use a different key for
> Fedora. There's no reason you can't keep using that key everywhere else
> you're using it.
Sure I could buy another token just for fedora, just don't see what it
wou
On Wed, Oct 12, 2011 at 05:41:33PM -0400, Sam Varshavchik wrote:
> Guess how many people will have their password set to
> "abcdefghijklmnopqrstuvwxyz".
> It meets the new criteria.
And is much better than "abcdefgh" which was their old pwd.
--
sven === jabber/xmpp: s...@lankes.net
Wed 2011-10-12 at 14:59 -0500, Mike McGrath wrote:
> 1) People share keys across different projects.
Yes.
> 2) We've found PRIVATE keys on our servers
Which should lead to immediate account suspension, no matter if that key
is the Fedora key or some other key.
And in reality it's not relat
Kevin Fenzi writes:
New Password Rules:
* Nine or more characters with lower and upper case letters, digits and
punctuation marks.
* Ten or more characters with lower and upper case letters and digits.
* Twelve or more characters with lower case letters and digits
* Twenty or more characters
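As an added worked example (code written for this page, not the FAS implementation and not anything posted in the thread), the three rules quoted completely above as a POSIX sh check, together with the entropy arithmetic behind the pwgen and xkcd exchanges earlier on this page. The fourth rule is cut off at "Twenty or more characters" and is deliberately left out, so this checker is stricter than the real policy: Sam Varshavchik's abcdefghijklmnopqrstuvwxyz example, which he says meets the new criteria, is rejected here because none of the three implemented rules admits a lowercase-only string. The entropy figure assumes every character was drawn uniformly from the classes present, which holds for pwgen -s output and does not hold for a word or the alphabet typed in order; that gap is exactly what the xkcd caveat is about. All candidate passwords below are constructed for the demonstration.

```sh
#!/bin/sh
# Added example for this page (not FAS code). Checks a candidate against the
# three fully quoted password rules and estimates brute-force strength.

# has_class STRING BRE -> 0 if STRING contains a character matching BRE
has_class() {
    printf '%s' "$1" | LC_ALL=C grep -q "$2"
}

# fas_password_ok PASSWORD -> 0 if it satisfies one of the quoted rules
fas_password_ok() {
    pw="$1"; len=${#pw}
    lower=0; upper=0; digit=0; punct=0
    has_class "$pw" '[a-z]'       && lower=1
    has_class "$pw" '[A-Z]'       && upper=1
    has_class "$pw" '[0-9]'       && digit=1
    has_class "$pw" '[[:punct:]]' && punct=1

    # Nine or more characters with lower and upper case, digits and punctuation
    [ "$len" -ge 9 ]  && [ $lower = 1 ] && [ $upper = 1 ] && [ $digit = 1 ] && [ $punct = 1 ] && return 0
    # Ten or more characters with lower and upper case letters and digits
    [ "$len" -ge 10 ] && [ $lower = 1 ] && [ $upper = 1 ] && [ $digit = 1 ] && return 0
    # Twelve or more characters with lower case letters and digits
    [ "$len" -ge 12 ] && [ $lower = 1 ] && [ $digit = 1 ] && return 0
    # The fourth rule is truncated on the page and is not implemented.
    return 1
}

# charset_size PASSWORD -> size of the union of character classes present
charset_size() {
    cs=0
    has_class "$1" '[a-z]'       && cs=$((cs + 26))
    has_class "$1" '[A-Z]'       && cs=$((cs + 26))
    has_class "$1" '[0-9]'       && cs=$((cs + 10))
    has_class "$1" '[[:punct:]]' && cs=$((cs + 32))   # 32 printable ASCII symbols
    echo "$cs"
}

# entropy_bits PASSWORD -> rounded log2(charset^length). This is an upper
# bound that only holds when every character was chosen uniformly at random
# (pwgen -s); it says nothing useful about words, keyboard walks or the
# alphabet typed in order.
entropy_bits() {
    cs=$(charset_size "$1")
    [ "$cs" -gt 0 ] || { echo 0; return; }
    awk -v n="${#1}" -v c="$cs" 'BEGIN { printf "%.0f\n", n * log(c) / log(2) }'
}

# passphrase_bits WORDS DICTSIZE -> bits for WORDS words drawn uniformly from
# a DICTSIZE-word list; the xkcd figure only applies to phrases built that way
passphrase_bits() {
    awk -v n="$1" -v d="$2" 'BEGIN { printf "%.0f\n", n * log(d) / log(2) }'
}

# Demonstration on constructed candidates (not anyone's real password).
for candidate in 'Pa55w0rd!x' 'Abcdefgh1' 'abc123defghij' 'abcdefghijklmnopqrstuvwxyz'; do
    if fas_password_ok "$candidate"; then verdict=accepted; else verdict=rejected; fi
    echo "$candidate: $verdict, naive upper bound $(entropy_bits "$candidate") bits"
done
echo "pwgen -s 12 style (62 symbols):    $(entropy_bits 'aB3dE5fG7hI9') bits"
echo "pwgen -s -y 12 style (94 symbols): $(entropy_bits 'aB3!dE5@fG7#') bits"
echo "four random words from 2048:       $(passphrase_bits 4 2048) bits"
```

The alphabet string scores a high naive bound because the formula only sees length and character classes, not structure; the rule checker and the entropy estimate both measure the space a random generator would draw from, so they are only meaningful for passwords that actually came from one.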
On Wed, 2011-10-12 at 22:50 +0200, Pierre-Yves Chibon wrote:
> On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote:
> > On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote:
> > > On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:
> > >
> > > > That's a nonsense. Simply said. If I have a pr
On Wed, 2011-10-12 at 16:27 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote:
> > On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:
> >
> > > That's nonsense. Simply said. If I have a properly generated random
> > > ssh private key with a strong passphrase t
On Wed, 2011-10-12 at 22:34 +0200, Tomas Mraz wrote:
> Unnecessary work is kind of punishment.
>
> BTW what prevents the people who do not care about their SSH private key
> security to upload their new SSH key to a compromised system immediately
> after their generate it again?
Nothing prevents
On Wed, 2011-10-12 at 22:13 +0200, Tomas Mraz wrote:
> >
> > You have to remember, lots of our contributors aren't highly technical.
> > Some don't even know what a private key is. They just follow the docs on
> > the website and get access to contribute. Not everyone is a packager.
>
> OK, but
On Wed, 2011-10-12 at 15:22 -0500, Mike McGrath wrote:
> On Wed, 12 Oct 2011, Tomas Mraz wrote:
>
> > On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote:
> > > On Wed, 12 Oct 2011, Henrik Nordström wrote:
> > >
> > > > Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> > > >
> > > > > Lo
On Wed, Oct 12, 2011 at 08:19:27PM +0200, Henrik Nordström wrote:
>
> And why is so much of the Fedora infrastructure relying on plain text
> password exchanges (within SSL, but still plain text at the Fedora
> servers) when there is both HTTP digest authentication (no plaintext
> seen by Fedora
On Wed, 2011-10-12 at 14:18 -0600, Kevin Fenzi wrote:
> On Wed, 12 Oct 2011 22:13:11 +0200
> Tomas Mraz wrote:
>
> >
> > OK, but then you should not penalize also the people who keep their
> > SSH private keys only on safe private computers.
>
> We're sorry if it's causing you inconvenience. We
On Wed, 2011-10-12 at 12:55 -0700, Adam Williamson wrote:
> On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:
>
> > That's nonsense. Simply said. If I have a properly generated random
> > ssh private key with a strong passphrase that I never put outside of my
> > workstations and safe backup
On Wed, 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote:
> On Wed, 12 Oct 2011 20:19:27 +0200
> Henrik Nordström wrote:
>
> > The password change is understandable, but why force an SSH key change
> > with such short notice?
>
> Short? 1.5 months?
>
> How long would you like?
>
> > And what if t
On Wed, 12 Oct 2011, Tomas Mraz wrote:
> On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Henrik Nordström wrote:
> >
> > > Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> > >
> > > > Lots of people use and share keys across different projects.
> > >
> > > T
On Wed, 2011-10-12 at 12:48 -0700, Adam Williamson wrote:
> On Wed, 2011-10-12 at 21:38 +0200, Henrik Nordström wrote:
> > Wed 2011-10-12 at 12:20 -0700, Adam Williamson wrote:
> >
> > > Sure there is. There's the exact same problem as using the same password
> > > across multiple projects: if
On Wed, 12 Oct 2011 22:13:11 +0200
Tomas Mraz wrote:
>
> OK, but then you should not penalize also the people who keep their
> SSH private keys only on safe private computers.
We're sorry if it's causing you inconvenience. We have no way at all to
tell apart the groups of people who understand
> Wed 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote:
>
>> If you can't change your token, then I would posit you have a problem.
>> What if you KNEW your private key was compromised? Surely there is a
>> way to generate a new one...
>
> I can change it, but it means changing it for all systems I
On Wed, 2011-10-12 at 14:59 -0500, Mike McGrath wrote:
> On Wed, 12 Oct 2011, Henrik Nordström wrote:
>
> > Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> >
> > > Lots of people use and share keys across different projects.
> >
> > There is no security issue in sharing keys across differ
Wed 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote:
> If you can't change your token, then I would posit you have a problem.
> What if you KNEW your private key was compromised? Surely there is a
> way to generate a new one...
I can change it, but it means changing it for all systems I access u
On Wed, 12 Oct 2011, Henrik Nordström wrote:
> Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
>
> > Lots of people use and share keys across different projects.
>
> There is no security issue in sharing keys across different projects,
> other than that it gives a strong hint that you are th
Digimer wrote:
[...]
> The idea of maintaining a second set of keys for Fedora (and again for
> any other projects that follow suit) is, I'd argue, unreasonably burdensome.
Oh, come on. It was less than 5 minutes (and I learnt a bit while at it
too). From now on, it will be handled automagical
On Wed, 12 Oct 2011, Adam Williamson wrote:
> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of
On Wed, 2011-10-12 at 21:45 +0200, Tomas Mraz wrote:
> That's nonsense. Simply said. If I have a properly generated random
> ssh private key with a strong passphrase that I never put outside of my
> workstations and safe backup media then there is no other way it can be
> compromised than to com
On Wed, 2011-10-12 at 15:43 -0400, Paul Wouters wrote:
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
>
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> > "VerifyHostKeyDNS yes")
>
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_bug.cgi
On Wed, 12 Oct 2011 20:19:27 +0200
Henrik Nordström wrote:
> The password change is understandable, but why force an SSH key change
> with such short notice?
Short? 1.5 months?
How long would you like?
> And what if the SSH key is a hard token (smartcard) which can not be
> copied or triviall
On Wed, 2011-10-12 at 21:38 +0200, Henrik Nordström wrote:
> Wed 2011-10-12 at 12:20 -0700, Adam Williamson wrote:
>
> > Sure there is. There's the exact same problem as using the same password
> > across multiple projects: if someone compromises the key they have
> > compromised all of those
On Wed, 12 Oct 2011 15:43:42 -0400 (EDT)
Paul Wouters wrote:
> On Wed, 12 Oct 2011, Kevin Fenzi wrote:
>
> > * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> > "VerifyHostKeyDNS yes")
>
> https://bugzilla.redhat.com/show_bug.cgi?id=180277
> https://bugzilla.redhat.com/show_
On Wed, 2011-10-12 at 12:20 -0700, Adam Williamson wrote:
> On Wed, 2011-10-12 at 21:07 +0200, Henrik Nordström wrote:
> > Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> >
> > > Lots of people use and share keys across different projects.
> >
> > There is no security issue in sharing k
On Wed, 12 Oct 2011 13:53:34 -0400
Digimer wrote:
> On 10/12/2011 12:44 PM, Kevin Fenzi wrote:
> > Subject: IMPORTANT: Mandatory password and ssh key change by
> > 2011-11-30
> >
> > Summary:
> >
> > All existing users of the Fedora Account System (FAS)
On Wed, 12 Oct 2011, Kevin Fenzi wrote:
> * DO verify ssh host keys via dnssec protected dns. ( .ssh/config:
> "VerifyHostKeyDNS yes")
https://bugzilla.redhat.com/show_bug.cgi?id=180277
https://bugzilla.redhat.com/show_bug.cgi?id=730558
You can't tell us to use this while at the same time refus
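An added check for the objection raised in the message above (example code written for this page, not from the thread, the bug reports or Fedora infrastructure). VerifyHostKeyDNS accepts an SSHFP record when the DNS answer carries the DNSSEC AD bit, and ssh itself cannot tell whether that bit was set by a validator on this host or by a recursive resolver on the far side of an unauthenticated last mile, where anyone who can spoof replies can set it too. The function below reads a resolv.conf whose path is a parameter (the sample files are constructed, with 192.0.2.53 from the documentation range standing in for a remote resolver) and only recommends VerifyHostKeyDNS yes when every nameserver is a loopback address, meaning a local validating resolver such as unbound is in front of the stub resolver; otherwise it recommends ask, which still reports whether the SSHFP record matched but keeps the interactive confirmation. Loopback is necessary, not sufficient: a stub listener such as 127.0.0.53 only helps if the service behind it actually validates, so confirm that separately.

```sh
#!/bin/sh
# Added example for this page (not from the thread). Decide whether the
# DNSSEC AD bit seen by this host is worth trusting before turning on
# VerifyHostKeyDNS, based on who answers the stub resolver's queries.

# resolver_is_local RESOLV_CONF -> 0 if at least one nameserver is listed
# and every one of them is a loopback address (127.x.x.x or ::1).
resolver_is_local() {
    found=0
    while read -r keyword addr rest; do
        [ "$keyword" = nameserver ] || continue   # skip search/options/comments
        found=1
        case "$addr" in
            127.*|::1) ;;                         # local validator: the AD bit is ours
            *) return 1 ;;                        # remote: the AD bit crossed the last mile
        esac
    done < "$1"
    [ "$found" -eq 1 ]
}

# verify_host_key_dns_setting RESOLV_CONF -> prints the ssh_config value to use
verify_host_key_dns_setting() {
    if resolver_is_local "$1"; then
        echo yes   # SSHFP match with AD bit set is accepted without a prompt
    else
        echo ask   # show the SSHFP result but still confirm new host keys by hand
    fi
}

# Demonstration with constructed resolv.conf contents (no real hosts).
demo() {
    local_conf=$(mktemp); remote_conf=$(mktemp)
    printf '# unbound on localhost\nnameserver 127.0.0.1\nnameserver ::1\n' > "$local_conf"
    printf 'search example.org\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$remote_conf"
    echo "local validator:   VerifyHostKeyDNS $(verify_host_key_dns_setting "$local_conf")"
    echo "upstream resolver: VerifyHostKeyDNS $(verify_host_key_dns_setting "$remote_conf")"
    rm -f "$local_conf" "$remote_conf"
}
demo
```

On the server side the records themselves come from ssh-keygen -r with the host name, which prints SSHFP resource records for the host keys ready to be put into a signed zone; publishing them in an unsigned zone gives clients nothing to validate against.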
Jon Ciesla wrote:
[...]
> It's really not a huge hassle. I've already done it. I configured the
> .ssh/config files where I needed to, and it doesn't conflict with any
> other keys I have. I don't get what the big deal is. The disruption is,
> like, five minutes of work. The potential benef
Wed 2011-10-12 at 12:20 -0700, Adam Williamson wrote:
> Sure there is. There's the exact same problem as using the same password
> across multiple projects: if someone compromises the key they have
> compromised all of those projects. If you use a different key for each
> project, an attacker
Wed 2011-10-12 at 19:22 +0100, Peter Robinson wrote:
> If you're using a hard token you should be using subkeys I believe and
> not the root key, not sure if that's gpg or ssh or both.
Subkeys are not relevant to the SSH world. That's an OpenPGP thing where
the main key should only be used for
> Wed 2011-10-12 at 13:25 -0500, Jon Ciesla wrote:
>
>> Plus, you could have multiple
>> keys, all with the same passphrase, for different things, should you so
>> desire.
>
> That's effectively one shared key for all. If one of them is
> compromised then most likely all of them are, as the
Wed 2011-10-12 at 13:25 -0500, Jon Ciesla wrote:
> Plus, you could have multiple
> keys, all with the same passphrase, for different things, should you so
> desire.
That's effectively one shared key for all. If one of them is
compromised then most likely all of them are, as the attacker cle
On Wed, 2011-10-12 at 21:07 +0200, Henrik Nordström wrote:
> Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
>
> > Lots of people use and share keys across different projects.
>
> There is no security issue in sharing keys across different projects,
Sure there is. There's the exact same pr
Wed 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> Lots of people use and share keys across different projects.
There is no security issue in sharing keys across different projects,
other than that it gives a strong hint that you are the same person in
both projects, much stronger than name
> On Wed, 2011-10-12 at 13:25 -0500, Jon Ciesla wrote:
>> > On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
>> >> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
>> >> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> >> >> > On 12 October 2011 17:44, Kevin Fenzi wro
On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote:
> On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> > On Wed, 12 Oct 2011, Simo Sorce wrote:
> >
> > > On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > > > On Wed, 12 Oct 2011 13:30:19 -0400
> > > > Jeff Layton wrote:
> > > >
>
On Wed, 2011-10-12 at 13:25 -0500, Jon Ciesla wrote:
> > On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
> >> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
> >> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> >> >> > On 12 October 2011 17:44, Kevin Fenzi wrote:
> >
On 10/12/2011 01:41 PM, Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi wrote:
>> * Nine or more characters with lower and upper case letters, digits and
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters w
On Wed, 2011-10-12 at 14:16 -0400, Simo Sorce wrote:
> Storing a public key is not an issue, so the fact I use my key with
> different projects has absolutely no bearing on my exposure, zero,
> zilch. Unless I store my *private* keys on non-personal machines.
I rather suspect this is exactly what
On Wed, Oct 12, 2011 at 8:24 PM, Adam Williamson wrote:
> On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote:
>> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson wrote:
>> > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
>> >
>> >> I have no problem with changing the password, but leave my ss
> On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
>> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
>> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>> >> > On 12 October 2011 17:44, Kevin Fenzi wrote:
>> >> > > All existing users of the Fedora Account System (FAS)
On Wed, 2011-10-12 at 20:01 +0200, drago01 wrote:
> On Wed, Oct 12, 2011 at 7:53 PM, Adam Williamson wrote:
> > On Wed, 2011-10-12 at 13:45 -0400, Simo Sorce wrote:
> >
> >> I have no problem with changing the password, but leave my ssh keys
> >> alone, unless there is a real reason to ask people
2011/10/12 Henrik Nordström :
> The password change is understandable, but why force an SSH key change
> with such short notice?
>
> And what if the SSH key is a hard token (smartcard) which can not be
> copied or trivially changed? Switching to a soft key would be mostly
> counter-productive from
On Wed, 2011-10-12 at 13:06 -0500, Jon Ciesla wrote:
> > On Wed, 2011-10-12 at 10:51 -0700, Adam Williamson wrote:
> >> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
> >> > On 12 October 2011 17:44, Kevin Fenzi wrote:
> >> > > All existing users of the Fedora Account System (FAS) at
> >
The password change is understandable, but why force an SSH key change
with such short notice?
And what if the SSH key is a hard token (smartcard) which can not be
copied or trivially changed? Switching to a soft key would be mostly
counter-productive from a security point of view. Now I were not
On Wed, 2011-10-12 at 13:04 -0500, Mike McGrath wrote:
> On Wed, 12 Oct 2011, Simo Sorce wrote:
>
> > On Wed, 2011-10-12 at 11:41 -0600, Kevin Fenzi wrote:
> > > On Wed, 12 Oct 2011 13:30:19 -0400
> > > Jeff Layton wrote:
> > >
> > > > I have a question not covered here: I just changed my ssh key
On 10/12/2011 02:10 PM, Peter Robinson wrote:
> On Wed, Oct 12, 2011 at 6:51 PM, Adam Williamson wrote:
>> On Wed, 2011-10-12 at 18:41 +0100, Richard Hughes wrote:
>>> On 12 October 2011 17:44, Kevin Fenzi wrote:
All existing users of the Fedora Account System (FAS) at
https://admin.fed