Introduction
by Silviu Hutanu
Hi everybody,
I'm interested in joining the Fedora Infrastructure Team; here are some
details about me:
*Name*: Silviu Hutanu
*Time Zone/Country*: GMT+2 Brasov, Romania/Eastern Europe
*Available Time*: 12-20h per week
*Skills:* Shell scripting, troubleshooting level 2-3 network, OS and security
issues, Cisco routers basic knowledge (currently enrolled in eth module of
CCNA Exploration), some experience with Java application servers (currently
I'm working as junior Java developer)
*Qualifications*: RHCE
Kind regards,
Silviu Hutanu
13 years, 6 months
db2 upgrade
by Mike McGrath
I'm going to upgrade db2 tonight to postgres 8.4. I'm re-doing staging
now to get the timing down so staging services requiring db2 will be down
until this is done. I'll send an official outage notification after I
have the timing down.
-Mike
13 years, 6 months
Updates for 2010-10
by Stephen John Smoogen
Ok it looks like there have been updates to Django/TurboGears in
EPEL/EPEL-test. This is usually a lot of tears and gnashing of teeth
when in the various sub-apps and I would like to make sure we test
them thoroughly in staging before doing any updates on main. So we
will be only updating security packages which are fairly few this
time.
--
Stephen J Smoogen.
“The core skill of innovators is error recovery, not failure avoidance.”
Randy Nelson, President of Pixar University.
"We have a strategic plan. It's called doing things."
— Herb Kelleher, founder Southwest Airlines
13 years, 6 months
Re: Yubikeys are now supported
by Mike McLean
On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul(a)xelerance.com> wrote:
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
Wow, that's a serious weakness. Are we sure about this?
13 years, 6 months
Re: Yubikeys are now supported
by Mike McGrath
On Thu, 7 Oct 2010, Paul Wouters wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
>
> >>> We also decided to allow yubikeys as an authentication option for the
> >>> larger community to some hosts and services like fedorapeople.org or
> >>> https://admin.fedoraproject.org/community/. When asked for a password,
> >>> just use your yubikey to generate an otp instead. Those wishing to use one
> >>> may purchase a yubikey on their own at:
>
> > I suspect it'd be worth it to see if we could get one for Fedora.
>
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
>
My understanding on this, and I reserve the right to misunderstand
this, is that once the AES key is on the yubikey, there is no way to get
it off of there. That key is just used to generate OTPs. So if an
attacker were to get an OTP they could use it to access fedora resources.
But only once (which is kind of the point of the otp). And they'd only be
able to use it once if the real user hadn't used it again, making the
attack window smaller.
If you think I am wrong here please do join #fedora-admin on
irc.freenode.net and help walk me through an attack. We have staging and
development servers set up for such a purpose.
-Mike
13 years, 6 months
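The single-use behaviour discussed in the message above depends on the validating server remembering the last usage counter it accepted, and on the server holding the same secret as the token. The following is an added illustration, not part of the thread and not Fedora's or Yubico's code: it uses HMAC-SHA256 from the Python standard library as a stand-in for the AES encryption on a real yubikey, and `Token`, `Validator` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of MAC carried in each one-time password

class Token:
    """Stand-in for the hardware key: holds the secret and a usage counter."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> bytes:
        """Emit the next OTP: a 4-byte counter followed by a MAC over it."""
        self._counter += 1
        body = struct.pack(">I", self._counter)
        tag = hmac.new(self._secret, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

class Validator:
    """Server side: needs the SAME secret plus the last counter it accepted."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = 0

    def verify(self, otp: bytes) -> str:
        if len(otp) != 4 + TAG_LEN:
            return "malformed"
        body, tag = otp[:4], otp[4:]
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad-mac"
        (counter,) = struct.unpack(">I", body)
        if counter <= self._last_counter:  # already used, or older than a used one
            return "replayed"
        self._last_counter = counter
        return "ok"

def demo() -> list:
    secret = b"constructed-demo-secret"  # constructed sample value
    key, site = Token(secret), Validator(secret)
    first = key.press()   # generated but not yet submitted
    second = key.press()  # the user logs in with this later OTP
    # Order: real login, stale earlier OTP, same OTP again, server lacking the key.
    return [site.verify(second), site.verify(first), site.verify(second),
            Validator(b"constructed-other-secret").verify(key.press())]
```

An OTP that was generated before the user's latest accepted login is rejected as `replayed`, and a validator that does not hold the token's secret cannot verify anything, which is why every validating party has to be trusted with that secret.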
Introductory email
by Rob Felsburg
My name is Rob Felsburg. I'm a Linux SysAdmin; my specialties lie in
Red Hat based systems, and I'm extremely interested in helping the Fedora
team.
My interests revolve obviously around Linux, FOSS, etc.; specifically security.
So what do you guys need help with? Where can I start
watching/learning about how you all work together?
Just let me know,
Thanks,
-Rob Felsburg
13 years, 6 months
Yubikeys are now supported
by Mike McGrath
The Fedora Infrastructure team is happy to announce support for the
hardware key authentication device, the yubikey. Users will be able to
use their own yubikeys to access some Fedora services, like
fedorapeople.org or some web services.
Why have we done this? The main purpose was to provide multi-factor
authentication to our high security systems. Requiring both a
username/password and yubikey otp to access our most sensitive hosts
provides an additional layer of security than just username/password
alone. Contributors requiring access to these hosts will be provided with
a yubikey. These hosts would include, for example, the signing servers.
We also decided to allow yubikeys as an authentication option for the
larger community to some hosts and services like fedorapeople.org or
https://admin.fedoraproject.org/community/. When asked for a password,
just use your yubikey to generate an otp instead. Those wishing to use one
may purchase a yubikey on their own at:
http://yubico.com/products/yubikey/
For more information on how to program your yubikey see our yubikey
howto on the wiki:
http://fedoraproject.org/wiki/Infrastruture/Yubikey
Implementation work continues to be discussed and put in place, but please
direct any questions or comments to #fedora-admin on irc.freenode.net or
the Infrastructure mailing list -
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
-Mike
13 years, 6 months