> To me this implies that it wasn't a socially-engineered stealing of
> a password to an account on one of the machines, as this wouldn't
> work for the other - unless a single user has accounts on both, with
> the *same* password (not a good idea in general, but many of us fall
> prey to this sort of thing...).

It isn't uncommon for large organisations to have shared authentication systems distributed via LDAP or similar, so having the same password on multiple boxes is not that surprising.
Also, it isn't uncommon for people to use the same SSH key pair to log into multiple servers, so that is another possible explanation for both RH and Fedora infrastructure being breached in a single attack.