[Systems] [Fwd: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30]

Henry Edward Hardy hhardy01 at gmail.com
Thu Oct 13 10:13:19 EDT 2011

If we are worried about the security of ssh keys we might consider
adding a second authentication factor such as a one time password
system like OPIE or S/KEY.



On Thu, Oct 13, 2011 at 3:15 AM, Sascha Silbe
<sascha-ml-reply-to-2011-4 at silbe.org> wrote:
> Excerpts from Bernie Innocenti's message of 2011-10-12 19:30:16 +0200:
>> Shall we do something similar?
> Definitely not. We might _remind_ users, but we certainly shouldn't
> _force_ them. Not the least because at least my key is stored on an
> OpenPGP v2 card - it _can't_ be compromised even if you take over my
> computer; you'd need physical access to the hardware (unless you also
> find an exploitable vulnerability in the smart card - possible, but
> unlikely). I also don't understand the rationale - why do they force all
> users to recreate the keys on their own computers if some of the
> _targets_ have been compromised? If they're worried the attackers might
> have taken over the sources via exploitable back channels (e.g. X
> forwarding), then recreating the keys won't help.
> Sascha
> --
> http://sascha.silbe.org/
> http://www.infra-silbe.de/
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems

More information about the Systems mailing list