[Python-Dev] heads up on svn.python.org ssh keys - debian/ubuntu users may need new ones

Barry Warsaw barry at python.org
Wed May 14 03:37:32 CEST 2008


On May 13, 2008, at 7:12 PM, Martin v. Löwis wrote:

>> If you generated your python subversion ssh key during this time on a
>> machine fitting the description above, please consider replacing your
>> keys.
>>
>> apt-get update ; apt-get upgrade on debian will provide you with a
>> ssh-vulnkey program that can be used to test if your ssh keys are
>> valid or not.
>
> I'll ping all committers for which ssh-vulnkey reports COMPROMISED.
>
> I personally don't think the threat is severe - unless people also
> published their public SSH keys somewhere, there is little chance that
> somebody can break in by just guessing them remotely - you still need
> to try a lot of combinations for user names and passwords, plus with
> subversion, we'll easily recognize doubtful checkins (as we do even
> if the committer is legitimate :-).

It's also probably worth checking the keys for everyone who has shell  
access on the python.org machines.

-Barry

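Added example, not part of the original message and not ssh-vulnkey's own code: one way to run the check suggested above over every account's authorized_keys, by fingerprinting each public key and comparing it against a set of known-weak fingerprints. The blocklist contents, the key types listed and the sample keys are assumptions, and the sample data is constructed.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # assumption: key types to look for

def fingerprint(blob: bytes) -> str:
    """MD5 fingerprint of a public key blob, as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_line(line: str):
    """Return (key_type, blob, comment) for an authorized_keys line, or None."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options such as command="..." may precede the key type and may contain
    # spaces, so search for the type token rather than assuming field 0.
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue  # token was inside a quoted option, not a real key
        # A genuine blob begins with a length-prefixed copy of the key type.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == tok.encode():
            return tok, blob, " ".join(fields[i + 2:])
    return None

def audit(keys_by_user: dict, weak_fingerprints: set) -> list:
    """Return (user, comment, fingerprint) for every blocklisted key."""
    hits = []
    for user, text in sorted(keys_by_user.items()):
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed and fingerprint(parsed[1]) in weak_fingerprints:
                hits.append((user, parsed[2], fingerprint(parsed[1])))
    return hits

def _blob(key_type: str, body: bytes) -> bytes:
    """Constructed stand-in for a key blob (type header plus filler bytes)."""
    return len(key_type).to_bytes(4, "big") + key_type.encode() + body

# Constructed sample data: not real keys, users or fingerprints.
WEAK, GOOD = _blob("ssh-rsa", b"constructed-weak"), _blob("ssh-dss", b"constructed-ok")
SAMPLE = {
    "alice": 'command="svnserve -t" ssh-rsa %s alice@laptop\n' % base64.b64encode(WEAK).decode(),
    "bob": "# work key\nssh-dss %s bob@desk\n" % base64.b64encode(GOOD).decode(),
}
```

In practice `keys_by_user` would be filled from each account's authorized_keys file and `weak_fingerprints` from whatever list of known-weak fingerprints the distribution ships.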

