Fedora Project forces security reset for all users
The Fedora Project has posted an announcement advising current users of the Fedora Account System to change their password and SSH public key before 30 November or risk their accounts being marked as inactive. The information was posted to the Fedora "announce" mailing list by Infrastructure Lead Kevin Fenzi, who stated that the change was "due to the large number of high profile sites with security breaches in recent months". Recently reported breaches include those of WineHQ, The Linux Foundation and kernel.org. The new move is precautionary, and is not due to any "specific compromise or vulnerability in Fedora Infrastructure".
The request sets out the requirement for passwords of at least 9 characters in length (20 if only lowercase characters are used) and notes that a new SSH public key must also be generated to avoid an account being marked as inactive. The announcement also includes a "Do's and Don'ts" section with several tips for increasing personal security. Instructions for changing Fedora Account System passwords and SSH public keys can be found in the Q&A section of the announcement.
- Fedora infrastructure hacked – no damage done, a report from The H.