An update on the Fedora August 2008 intrusion

Posted Mar 31, 2009 12:33 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: An update on the Fedora August 2008 intrusion by gdt
Parent article: An update on the Fedora August 2008 intrusion

Challenge-response doesn't help you. The same user who elects not to set a passphrase on his private key will leave the challenge-response device on his desk or even on the bus. He'll write the mandatory 15-character password on a Post-it. Enforcing this stuff remotely is very difficult when you don't trust your authorised personnel to obey policy. In fact I think it's impossible and your examples haven't changed my mind.

If this Fedora contributor ran Fedora, they had the option to enter their SSH passphrase as infrequently as once per (desktop) login. Is that too much?


An update on the Fedora August 2008 intrusion

Posted Mar 31, 2009 17:04 UTC (Tue) by chaneau (guest, #6674)

> If this Fedora contributor ran Fedora, they had the option to enter their SSH passphrase as infrequently as once per (desktop) login. Is that too much?

That's the missing answer from this report, is it not? How did the intruder gain access to the private key in the first place?

Did the intruder have physical access?

Did he access the key remotely?

Did the Fedora guy leave his key on some untrusted computer?

Was the computer stolen?

Some of these questions are more frightening than the others, but if you want me to trust Fedora, the quality and the seriousness of its administrators, they should tell us what really happened.

An update on the Fedora August 2008 intrusion

Posted Apr 9, 2009 18:44 UTC (Thu) by eric.rannaud (guest, #44292)

That's the right question to ask. Can we get comments from Fedora people?

How was the private key first acquired?
