08-19-2008, 05:07 PM
reset ssh keys, even if only a public key in fedora?
On Tue, 2008-08-19 at 10:27 -0500, Jon Ciesla wrote:
> > On Tue, 2008-08-19 at 09:11 -0500, Jon Ciesla wrote:
> >
> >> BTW, I suspect if you were already using an RSA key, you could just
> >> re-upload the same public key and bob's your uncle.
> >
> > Been there, done that and Bob still isn't my uncle (empty
> > promises...) ;-).
>
> Hmm. Strange. Bob is my (albeit late) uncle. What does rpm -qi father
> give you?
Funny enough I have to admit that my father's name is "Robert" as is my
middle one (hey, I'm innocent on that one). Neither of us answers to
"Bob", though.
Nils
--
Nils Philippsen
Red Hat
nils@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

08-19-2008, 05:15 PM
reset ssh keys, even if only a public key in fedora?
2008/8/19 Felix Schwarz <felix.schwarz@oss.schwarz.eu>:
> Patrice Dumas wrote:
>>
>> I just received the reset password mail, and it asks me to reset my ssh
>> key by doing ssh-keygen. However, if I recall well I only uploaded my public
>> key to the fedora server. Why would I want to reset my key pair?
>
> #fedora-admin:
> (17:40:55) mmcgrath: mpdehaan: well, couple of reasons.
> (17:41:16) mmcgrath: mpdehaan: 1) we removed all the keys as an effective
> way of disabling access everywhere while we're working
> (17:41:42) mmcgrath: and 2) we decided it wasn't a bad idea to have people
> fix it on their own, it helps with stuff like pruning, etc.
So, does this mean we can re-upload the *same* public key as before,
or do we need to generate a new one?
MEF
--
Mary Ellen Foster -- http://homepages.inf.ed.ac.uk/mef/
Informatik 6: Robotics and Embedded Systems, Technische Universität München
and ICCS, School of Informatics, University of Edinburgh

08-19-2008, 05:16 PM
reset ssh keys, even if only a public key in fedora?
Ralf Ertzinger wrote:
> On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:
>
>> DSA keys can be compromised if the server you connect to is
>> compromised. See discussions about the recent openssl debacle for
>> debian.
>
> Which kind of invalidates the whole "public key" concept, doesn't it?
>
> Not wanting to start a new discussion about this, but the fact that
> (some) debian-created keys were weak (and thus crackable) wasn't the
> server's fault, but the fault of the client that generated the key in
> the first place (unless I'm getting something seriously wrong).
It's worse than that: the security of ElGamal encryption depends on
a strong random number to be generated for every message, not just when
the public key is first generated.
Andrew.

08-19-2008, 05:36 PM
reset ssh keys, even if only a public key in fedora?
Felix Schwarz wrote:
> Patrice Dumas wrote:
>> I just received the reset password mail, and it asks me to reset my
>> ssh key by doing ssh-keygen. However, if I recall well I only uploaded
>> my public key to the fedora server. Why would I want to reset my key
>> pair?
>
> #fedora-admin:
> (17:40:55) mmcgrath: mpdehaan: well, couple of reasons.
> (17:41:16) mmcgrath: mpdehaan: 1) we removed all the keys as an
> effective way of disabling access everywhere while we're working
> (17:41:42) mmcgrath: and 2) we decided it wasn't a bad idea to have
> people fix it on their own, it helps with stuff like pruning, etc.
I'm going to add a tiny bit to this:
3) The Account System code will prevent you from uploading a DSA key.
So if your key was DSA, you'll have to generate an RSA key and upload
that. This is due to the fact that we haven't found a 100% accurate way
to find all DSA keys generated by the weak-Debian-random-number-packages.
4) If you uploaded your ssh private key to a Fedora Infrastructure
server, for instance, because you were sshing between publictest
machines, you should replace your key as a precaution just as we are
asking you to replace your passwords.
-Toshio
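
An added illustration of the kind of upload check point 3 describes (example code written for this page, not the Fedora Account System's code and not posted by anyone in the thread). It parses an OpenSSH public key line, compares the type stored in the key blob with the declared prefix, and rejects `ssh-dss`. The names `check_public_key` and `constructed_line`, the `MIN_RSA_BITS` threshold, and the choice to refuse every non-RSA type are assumptions of the example.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy value, not stated in the thread


def _read_string(blob, offset):
    """Read one SSH wire 'string': uint32 big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def check_public_key(line):
    """Return (accepted, reason) for one OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not a public key line"
    declared, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner, off = _read_string(blob, 0)
        inner_type = inner.decode("ascii")
        # The text prefix is only a label; check the type encoded in the blob.
        if inner_type != declared:
            return False, "declared type does not match key blob"
        if inner_type == "ssh-dss":
            return False, "DSA keys are not accepted"
        if inner_type != "ssh-rsa":
            return False, "unsupported key type"
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError as exc:  # covers bad base64, bad ASCII, truncation
        return False, f"malformed key blob: {exc}"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return False, f"RSA modulus is only {bits} bits"
    return True, f"RSA {bits} bits"


def constructed_line(key_type, *fields):
    """Build a constructed sample line (not a real key) from raw field bytes."""
    parts = [key_type.encode()] + list(fields)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} user@example"
```

A pasted private key, the case point 4 warns about, fails the same parse and is reported as malformed rather than stored.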

08-19-2008, 07:30 PM
reset ssh keys, even if only a public key in fedora?
On Tue, 2008-08-19 at 10:40 -0500, Jon Ciesla wrote:
> > Hi.
> >
> > On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:
> >
> >> DSA keys can be compromised if the server you connect to is
> >> compromised. See discussions about the recent openssl debacle for
> >> debian.
> >
> > Which kind of invalidates the whole "public key" concept, doesn't it?
>
>  Yup.
>
> > Not wanting to start a new discussion about this, but the fact that
> > (some) debian-created keys were weak (and thus crackable) wasn't the
> > server's fault, but the fault of the client that generated the key in
> > the first place (unless I'm getting something seriously wrong).
>
> Correct. It was also server keys, but that wouldn't compromise your own
> client key, just the security of the server's key. To crack the
> encryption, you still need either the private key or a lot of time and CPU
> cycles. The debian issue simply reduced the number of CPU cycles.
As far as I know a compromised server key can make it much easier to
compromise a client key if this key is DSA.
I know no more crypto details, someone that knows them could comment
further.
Simo.
--
Simo Sorce * Red Hat, Inc * New York

08-19-2008, 09:18 PM
reset ssh keys, even if only a public key in fedora?
Has anyone been able to actually upload their RSA key? I reset my password
easily enough, but now I keep getting 500 internal errors when I try to upload
my RSA public key (at
https://admin.fedoraproject.org/accounts/user/edit/myusername). And I've been
getting these 500s for a little while now, so I thought I'd ask.
--
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/

08-19-2008, 09:28 PM
reset ssh keys, even if only a public key in fedora?
On Tue, Aug 19, 2008 at 01:18:37PM -0700, J. Randall Owens wrote:
> Has anyone been able to actually upload their RSA key? I reset my password
> easily enough, but now I keep getting 500 internal errors when I try to upload
> my RSA public key (at
> https://admin.fedoraproject.org/accounts/user/edit/myusername). And I've been
> getting these 500s for a little while now, so I thought I'd ask.
Uploading my RSA key worked fine for me about 18 hours ago
at around 2008-08-19 01:57 UTC.

08-19-2008, 09:42 PM
reset ssh keys, even if only a public key in fedora?
J. Randall Owens wrote:
> Has anyone been able to actually upload their RSA key? I reset my password
> easily enough, but now I keep getting 500 internal errors when I try to
> upload my RSA public key (at
> https://admin.fedoraproject.org/accounts/user/edit/myusername). And
> I've been getting these 500s for a little while now, so I thought I'd ask.
I looked through the logs and see that there was an error message
regarding latitude and longitude when saving your information. Latitude
and longitude use isn't very well tested ATM, but I know that plain
integers work. If you are putting lat/long into the system, could you
use those for now?
If it still doesn't work, reply and I'll take another look.
-Toshio

08-19-2008, 09:43 PM
reset ssh keys, even if only a public key in fedora?
On Tuesday 19 August 2008 21:28:33 Dale Stimson wrote:
> On Tue, Aug 19, 2008 at 01:18:37PM -0700, J. Randall Owens wrote:
> > Has anyone been able to actually upload their RSA key? I reset my
> > password easily enough, but now I keep getting 500 internal errors when I
> > try to upload my RSA public key (at
> > https://admin.fedoraproject.org/accounts/user/edit/myusername). And I've
> > been getting these 500s for a little while now, so I thought I'd ask.
>
> Uploading my RSA key worked fine for me about 18 hours ago
> at around 2008-08-19 01:57 UTC.
It worked for me at around 17:00 UTC but now when I try to update my latitude
and longitude it fails with the same 500's that the OP gets.
--
José Abílio

08-19-2008, 09:58 PM
reset ssh keys, even if only a public key in fedora?
Toshio Kuratomi wrote:
> J. Randall Owens wrote:
>> Has anyone been able to actually upload their RSA key? I reset my
>> password easily enough, but now I keep getting 500 internal errors when
>> I try to upload my RSA public key (at
>> https://admin.fedoraproject.org/accounts/user/edit/myusername). And
>> I've been getting these 500s for a little while now, so I thought I'd ask.
>>
> I looked through the logs and see that there was an error message
> regarding latitude and longitude when saving your information. Latitude
> and longitude use isn't very well tested ATM, but I know that plain
> integers work. If you are putting lat/long into the system, could you
> use those for now?
>
> If it still doesn't work, reply and I'll take another look.
>
> -Toshio
>
OK, I had already tried deleting the lat/long info, thinking it might be
something like that, but I'd guess it still considered it modified, and tried
sending empty lat/long info, which still caused the 500 I saw. After a
completely fresh start, uploading works for me now.
--
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
All times are GMT.