08-19-2008, 02:04 PM
Patrice Dumas

reset ssh keys, even if only a public key in fedora?

Hello,

I just received the reset password mail, and it asks me to reset my ssh
key by doing ssh-keygen. However, if I recall well I only uploaded my
public key to the fedora server. Why would I want to reset my key pair?

Maybe I am not one of the users who should reset their key, but I am
almost sure that I sent the public key to the fedora server, and it
seems to me that it is used for cvs access. So it is unclear if
I 'do not use a SSH key in the Fedora Account System'.

Am I missing something? Can anybody clarify?

--
Pat

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
08-19-2008, 02:09 PM
"Jon Ciesla"

reset ssh keys, even if only a public key in fedora?

> Hello,
>
> I just received the reset password mail, and it asks me to reset my ssh
> key by doing ssh-keygen. However, if I recall well I only uploaded my
> public key to the fedora server. Why would I want to reset my key pair?
>
> Maybe I am not one of the users who should reset their key, but I am
> almost sure that I sent the public key to the fedora server, and it
> seems to me that it is used for cvs access. So it is unclear if
> I 'do not use a SSH key in the Fedora Account System'.
>
> Am I missing something? Can anybody clarify?

I wasn't sure about that, but when I tried to upload my old DSS key, it
demanded an RSA key. Plus, my old FAS password was 6 digits, and now it
wants 8. Some security hardening is definitely going on.

And is to be applauded. BTW, a shout out and mad props to the
Infrastructure team and all others involved.


--
novus ordo absurdum

 
08-19-2008, 02:11 PM
"Jon Ciesla"

reset ssh keys, even if only a public key in fedora?

>
>> Hello,
>>
>> I just received the reset password mail, and it asks me to reset my ssh
>> key by doing ssh-keygen. However, if I recall well I only uploaded my
>> public key to the fedora server. Why would I want to reset my key pair?
>>
>> Maybe I am not one of the users who should reset their key, but I am
>> almost sure that I sent the public key to the fedora server, and it
>> seems to me that it is used for cvs access. So it is unclear if
>> I 'do not use a SSH key in the Fedora Account System'.
>>
>> Am I missing something? Can anybody clarify?
>
> I wasn't sure about that, but when I tried to upload my old DSS key, it
> demanded an RSA key. Plus, my old FAS password was 6 digits, and now it
> wants 8. Some security hardening is definitely going on.

BTW, I suspect if you were already using an RSA key, you could just
re-upload the same public key and bob's your uncle.

> And is to be applauded. BTW, a shout out and mad props to the
> Infrastructure team and all others involved.

--
novus ordo absurdum

 
08-19-2008, 02:59 PM
Nils Philippsen

reset ssh keys, even if only a public key in fedora?

On Tue, 2008-08-19 at 09:11 -0500, Jon Ciesla wrote:

> BTW, I suspect if you were already using an RSA key, you could just
> re-upload the same public key and bob's your uncle.

Been there, done that and Bob still isn't my uncle (empty
promises...) ;-).

Nils
--
Nils Philippsen
Red Hat
nils@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

 
08-19-2008, 03:27 PM
"Jon Ciesla"

reset ssh keys, even if only a public key in fedora?

> On Tue, 2008-08-19 at 09:11 -0500, Jon Ciesla wrote:
>
>> BTW, I suspect if you were already using an RSA key, you could just
>> re-upload the same public key and bob's your uncle.
>
> Been there, done that and Bob still isn't my uncle (empty
> promises...) ;-).

Hmm. Strange. Bob is my (albeit late) uncle. What does rpm -qi father
give you?


--
novus ordo absurdum

 
08-19-2008, 03:32 PM
Simo Sorce

reset ssh keys, even if only a public key in fedora?

On Tue, 2008-08-19 at 16:04 +0200, Patrice Dumas wrote:
> Hello,
>
> I just received the reset password mail, and it asks me to reset my ssh
> key by doing ssh-keygen. However, if I recall well I only uploaded my
> public key to the fedora server. Why would I want to reset my key pair?
>
> Maybe I am not one of the users who should reset their key, but I am
> almost sure that I sent the public key to the fedora server, and it
> seems to me that it is used for cvs access. So it is unclear if
> I 'do not use a SSH key in the Fedora Account System'.
>
> Am I missing something? Can anybody clarify?

DSA keys can be compromised if the server you connect to is compromised.
See discussions about the recent openssl debacle for debian.

If your key is an RSA one, to date it seems you shouldn't have problems
even if a peer server is compromised as long as your private key was not
directly exposed.

a BIG AFAIK.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

 
08-19-2008, 03:37 PM
Ralf Ertzinger

reset ssh keys, even if only a public key in fedora?

Hi.

On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:

> DSA keys can be compromised if the server you connect to is
> compromised. See discussions about the recent openssl debacle for
> debian.

Which kind of invalidates the whole "public key" concept, doesn't it?

Not wanting to start a new discussion about this, but the fact that
(some) debian-created keys were weak (and thus crackable) wasn't the
server's fault, but the fault of the client that generated the key in
the first place (unless I'm getting something seriously wrong).

 
08-19-2008, 03:38 PM
"Jon Ciesla"

reset ssh keys, even if only a public key in fedora?

> On Tue, 2008-08-19 at 16:04 +0200, Patrice Dumas wrote:
>> Hello,
>>
>> I just received the reset password mail, and it asks me to reset my ssh
>> key by doing ssh-keygen. However, if I recall well I only uploaded my
>> public key to the fedora server. Why would I want to reset my key pair?
>>
>> Maybe I am not one of the users who should reset their key, but I am
>> almost sure that I sent the public key to the fedora server, and it
>> seems to me that it is used for cvs access. So it is unclear if
>> I 'do not use a SSH key in the Fedora Account System'.
>>
>> Am I missing something? Can anybody clarify?
>
> DSA keys can be compromised if the server you connect to is compromised.
> See discussions about the recent openssl debacle for debian.
>
> If your key is an RSA one, to date it seems you shouldn't have problems
> even if a peer server is compromised as long as your private key was not
> directly exposed.
>
> a BIG AFAIK.

My understanding is that RSA is "secure enough*" if your key is 2048 bit
or higher, which incidentally is what the Inf team specified. Not sure
about DSA/DSS in terms of the compromise issue you specify. IIRC, the
Debian issue was about the random seed no longer being random due to a
packaging error.

*i.e. unless No Such Agency really, really wants your bits


--
novus ordo absurdum
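
Added example, not part of the original thread and not Fedora Account System code: the acceptance rule described in this thread (DSS keys refused, RSA of 2048 bits or more required) checked against an uploaded public-key line by decoding the key blob. `check_pubkey`, `sample_line` and `MIN_RSA_BITS` are hypothetical names, and the sample lines are constructed encodings, not usable keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum RSA size quoted in the thread

def _read_string(blob, off):
    """Read one length-prefixed field (4-byte big-endian length, then data)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def check_pubkey(line):
    """Return (accepted, reason) for a 'type base64 [comment]' public-key line."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not a public-key line"
    declared = fields[0]
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner, off = _read_string(blob, 0)
        if inner != declared.encode():
            return False, "declared type does not match key blob"
        if declared == "ssh-dss":
            return False, "DSA key rejected, RSA required"
        if declared != "ssh-rsa":
            return False, "unsupported key type"
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError as exc:  # also covers binascii.Error from bad base64
        return False, f"malformed key: {exc}"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is {bits} bits, below {MIN_RSA_BITS}"
    return True, f"RSA {bits} bits"

def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero keeps it positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def sample_line(key_type, *ints):
    """Constructed input: well-formed encoding only, not a usable key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += b"".join(_mpint(i) for i in ints)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"
```

A type and size check like this does not identify keys produced by the flawed Debian OpenSSL package discussed in the thread; those have to be compared against a list of known weak keys.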

 
08-19-2008, 03:40 PM
"Jon Ciesla"

reset ssh keys, even if only a public key in fedora?

> Hi.
>
> On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:
>
>> DSA keys can be compromised if the server you connect to is
>> compromised. See discussions about the recent openssl debacle for
>> debian.
>
> Which kind of invalidates the whole "public key" concept, doesn't it?

Yup.

> Not wanting to start a new discussion about this, but the fact that
> (some) debian-created keys were weak (and thus crackable) wasn't the
> server's fault, but the fault of the client that generated the key in
> the first place (unless I'm getting something seriously wrong).

Correct. It was also server keys, but that wouldn't compromise your own
client key, just the security of the server's key. To crack the
encryption, you still need either the private key or a lot of time and CPU
cycles. The debian issue simply reduced the number of CPU cycles.


--
novus ordo absurdum

 
08-19-2008, 04:06 PM
Felix Schwarz

reset ssh keys, even if only a public key in fedora?

Patrice Dumas wrote:
> I just received the reset password mail, and it asks me to reset my ssh
> key by doing ssh-keygen. However, if I recall well I only uploaded my
> public key to the fedora server. Why would I want to reset my key pair?


#fedora-admin:
(17:40:55) mmcgrath: mpdehaan: well, couple of reasons.
(17:41:16) mmcgrath: mpdehaan: 1) we removed all the keys as an effective way
of disabling access everywhere while we're working
(17:41:42) mmcgrath: and 2) we decided it wasn't a bad idea to have people fix
it on their own, it helps with stuff like pruning, etc.


fs
