gnu-devels-jp

Forward: Re: about ssh on fencepost and gnudist


From: Yoshinori K. Okuji
Subject: Forward: Re: about ssh on fencepost and gnudist
Date: Sat, 20 Jul 2002 06:17:00 +0900
User-agent: Wanderlust/2.8.1 (Something) SEMI/1.14.3 (Ushinoya) FLIM/1.14.3 (Unebigoryōmae) APEL/10.3 Emacs/21.2 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)

I don't think this concerns many people, but just in case.

Okuji
--- Begin Message ---
Subject: Re: about ssh on fencepost and gnudist
Date: Thu, 18 Jul 2002 14:00:28 -0400
User-agent: Mutt/1.3.28i
Here's what you need to do...

Summary of this message:

   * fencepost.gnu.org was cracked one week ago.

   * We needed to reinstall the entire machine, and rebuild our Kerberos
     infrastructure.

   * Instructions for how logins now work are included.  We provide:
          * SSHv2 key authentication
          * GSSAPI Kerberos authentication through SSHv2
          * Mundane password authentication  (via Kerberos)

   * Instructions for how to reactivate accounts are included.  We need:
        * The "Needed Information" below sent to <address@hidden>
        * an SSHv2 public key (preferably GnuPG-signed) OR
          a request for Kerberos access, and a way to get the password to
          you.



                 Events Concerning Cracking of Fencepost

On the evening of July 5, 2002, a root compromise and a Trojan horse were
discovered on fencepost.gnu.org, our shell machine and mail and DNS server
for the GNU Project.  Given the nature of the compromise, it was decided
that fencepost should be reinstalled, and all user accounts deactivated.
Kerberos was also disabled system-wide for GNU.ORG, since an indirect
effect of the compromise also compromised our Kerberos Domain Controller
(KDC).

July 6, 7, and 8th were used to reinstall fencepost, and get mail back up
and running.  By the 8th, all GNU email delivery was operating again.  To
our knowledge, no email was lost during the outage.

This week we have been reactivating an initial set of fencepost accounts,
including all FSF employees, those who actively worked to help with
fencepost recovery, and those who have made phone contact information and
SSHv2 keys available to us via email to <address@hidden>.


Over the rest of the week, we got a new primary KDC for GNU.ORG running.
It was decided that given the nature of the compromise, we should rebuild
our Kerberos infrastructure from scratch.  For security reasons, we
currently support only Kerberos 5 authentication.


                           How Logins Now Work

Moving forward, all GNU and FSF machines that accept SSH user logins will
accept only Protocol 2 SSH connections [0], due to security problems with
SSH Protocol 1.  However, our SSH daemons are GSSAPI enabled, so if you
use the "ssh-krb5" package, you can use Kerberos authentication to log in
via SSH.  You will be able to connect via SSHv2 with:

   * A standard SSHv2 key (generated by OpenSSH or LSH)

   * GSSAPI Kerberos authentication (via "ssh-krb5" Debian package)

   * A Kerberos password, typed in while connecting via SSHv2 (we
     encourage you to do this only as a last resort, since this activity
     was what caused our KDC to be compromised this time).


                          Reactivating Accounts

                      SSHv2 Public Key Reactivation

To reactivate your fencepost account using an SSHv2 public key, please
follow these procedures:

  * Generate an SSHv2 key if you do not already have one (you may want to
    consider generating a new one if your private key ever lived on
    fencepost).

    ** For OpenSSH, use the command "ssh-keygen -t type", where type can
       be either "dsa" or "rsa".

    ** For LSH, use the command "lsh-keygen | lsh-writekey"

  * Email to <address@hidden> your SSHv2 public key along with the
    "Needed Information" below.

    ** For OpenSSH, please attach either your ~/.ssh/id_dsa.pub or
       ~/.ssh/id_rsa.pub file.

    ** For LSH, please attach your ~/.lsh/identity.pub file.

  * Include all of the "Needed Information" below in your message.  We
    will contact you to confirm your SSHv2 fingerprint.  Please be ready
    to tell us the fingerprint of your public key.  You can get this by
    running "ssh-keygen -l -f ~/.ssh/id_dsa.pub" (or rsa.pub) for OpenSSH,
    and "sexp-conv --raw-hash < ~/.lsh/identity.pub" for LSH.

  * If possible, please GnuPG-sign your email to <address@hidden>.  If
    we can determine that we sufficiently trust your GnuPG signature, we
    may end up not needing to contact you to confirm your SSHv2 public key
    fingerprint.


                   Kerberos Authentication Reactivation

To reactivate your account using Kerberos for use with SSHv2+GSSAPI or
standard password authentication, please follow these procedures:

  * Email a request (GnuPG-signed if possible) to <address@hidden> to
    provide you with a new Kerberos principal.  Include the "Needed
    Information".

  * We will contact you via phone or postal mail with your Kerberos
    password.

  * If we can determine that we sufficiently trust your GnuPG signature,
    we may end up GnuPG-encrypting your Kerberos password and emailing it
    to you.

                            Needed Information

    1. Your primary uses of your fencepost account (e.g., "GNU
       Maintainer")
    2. fencepost account username
    3. An email address that does not deliver via FSF or GNU
    4. Phone numbers and time of day where we can contact you to
       confirm fingerprints.
    5. Postal mailing address


                      Fencepost Public Server Keys

The fingerprints of fencepost's new SSH public server keys are:

1024 02:23:02:f1:f6:ec:d8:03:51:1f:2c:49:cd:8f:6d:88 fencepost.gnu.org DSA
1024 fe:85:84:72:0a:f7:66:1b:ea:b2:a1:80:97:e6:70:e3 fencepost.gnu.org RSA


                   Other Methods of Account Activation

If, for some reason, none of these methods of reactivation will work for
your situation, please contact us at <address@hidden> or +1-617-542-5942
(starting the morning of Monday 15 July 2002), and we will make special
arrangements.

Please note that we are still pushing through the backlog of requests that
have arrived prior to this email being sent out.  We are working as
quickly as we can.  Our FSF system staff have been working 14-hour days
for a week, and many volunteers have also chipped in to get things moving
again.  Please bear with us, and we're sorry things have taken so long;
we're working as fast as possible with the resources we have.



[0] The exception to this rule is savannah.gnu.org (aka
    subversions.gnu.org), which will continue to support Protocol 1 SSH
    connections and krsh connections for CVS.  In the near future, we
    expect to deprecate Protocol 1 SSH connections on savannah, once
    savannah's online interface can handle it.

--
Bradley M. Kuhn, Executive Director
Free Software Foundation     |  Phone: +1-617-542-5942
59 Temple Place, Suite 330   |  Fax:   +1-617-542-2652
Boston, MA 02111-1307  USA   |  Web:   http://www.gnu.org


--- End Message ---
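As an added example (not code from the forwarded message or from the FSF), the following Python computes the old-style MD5 fingerprint that `ssh-keygen -l` printed in 2002 for an OpenSSH public key blob, and checks a known_hosts or `ssh-keyscan` line against the fingerprints announced above, which is the check a user would do when the reinstalled fencepost presents new host keys. The `ssh-rsa` key built inline is constructed for illustration, not fencepost's real key.

```python
import base64
import hashlib
import re

# Fingerprint lines as announced in the message above (bits, MD5 fingerprint, host, type).
ANNOUNCED = [
    "1024 02:23:02:f1:f6:ec:d8:03:51:1f:2c:49:cd:8f:6d:88 fencepost.gnu.org DSA",
    "1024 fe:85:84:72:0a:f7:66:1b:ea:b2:a1:80:97:e6:70:e3 fencepost.gnu.org RSA",
]
FP_RE = re.compile(r"^(\d+) ((?:[0-9a-f]{2}:){15}[0-9a-f]{2}) (\S+) (DSA|RSA)$")
def parse_announced(line):
    """Parse one announced 'bits fingerprint host type' line; None if malformed."""
    m = FP_RE.match(line.strip())
    if not m:
        return None
    return {"bits": int(m.group(1)), "fp": m.group(2), "host": m.group(3), "type": m.group(4)}

def md5_fingerprint(blob):
    """Old-style OpenSSH fingerprint: MD5 of the wire-format key blob, colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def _ssh_string(b):  # RFC 4251 'string': 4-byte big-endian length, then the bytes
    return len(b).to_bytes(4, "big") + b
def _mpint(n):  # RFC 4251 'mpint': an extra byte when the top bit is set keeps it positive
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def make_rsa_blob(e, n):
    """Constructed ssh-rsa wire blob (RFC 4253 layout) for an illustration key."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def pubkey_line(blob, host):
    """Render a blob as a known_hosts / ssh-keyscan style line: 'host ssh-rsa base64'."""
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode("ascii"))

def fingerprint_of_pubkey_line(line):
    """Fingerprint of the key in a known_hosts or ssh-keyscan line; None if unparseable."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in ("ssh-rsa", "ssh-dss") and i + 1 < len(fields):
            try:
                return md5_fingerprint(base64.b64decode(fields[i + 1], validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None

def verify_host_key(line, announced):
    """Return the announced entry whose fingerprint matches the key in line, else None."""
    fp = fingerprint_of_pubkey_line(line)
    matches = [e for e in map(parse_announced, announced) if e and fp and e["fp"] == fp]
    return matches[0] if matches else None
```

A key that matches none of the announced fingerprints (a `None` result) should be treated as an unverified host key and confirmed out of band, which is exactly what the message asks for.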
